[tor-bugs] #16300 [Tor Browser]: Make sure the BroadcastChannel API adheres to our URL bar domain isolation
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jun 22 13:46:55 UTC 2015
#16300: Make sure the BroadcastChannel API adheres to our URL bar domain isolation
-------------------------+-------------------------------------------------
Reporter: gk | Owner: mcs
Type: task | Status: needs_review
Priority: major | Milestone:
Component: Tor | Version:
Browser | Keywords: ff38-esr, tbb-linkability, tbb-5
Resolution: | .0a-highrisk, TorBrowserTeam201506R,
Actual Points: | GeorgKoppen201506R
Points: | Parent ID:
-------------------------+-------------------------------------------------
Comment (by mcs):
Replying to [comment:6 gk]:
> The patch looks good to me. Do you have a test up somewhere which would
let me play with that API in an ESR 38 based Tor Browser? (+ plus having a
unit test for this API modification would be helpful as well, I guess).
Thanks for your review so far. We will work on creating some mochitest
tests.
You can experiment with the manual tests we have been using by loading
these two pages:
https://people.torproject.org/~brade/tests/bug-16300-container.html
https://pearlcrescent.com/tor/bug-16300/bug-16300-container.html
Each one loads an iframe with
src=https://pearlcrescent.com/tor/bug-16300/bug-16300.html which contains
some fairly self explanatory buttons (and of course you can look at the JS
code to see what it does).
Because our patch only checks privacy.thirdparty.isolate at the time a
broadcast channel is created, you will need to reload our test pages after
changing that pref.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16300#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list