[tor-bugs] #16300 [Tor Browser]: Make sure the BroadcastChannel API adheres to our URL bar domain isolation
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jun 25 01:57:31 UTC 2015
#16300: Make sure the BroadcastChannel API adheres to our URL bar domain isolation
-------------------------+-------------------------------------------------
Reporter: gk | Owner: mcs
Type: task | Status: needs_revision
Priority: major | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: ff38-esr, tbb-linkability, tbb-5.0a-highrisk, TorBrowserTeam201506R, GeorgKoppen201506R
Actual Points: | Parent ID:
Points: |
-------------------------+-------------------------------------------------
Changes (by mikeperry):
* status: needs_review => needs_revision
Comment:
It seems like GetFirstPartyHost() can fail to get an isolation host in
InitializeRunnable::MainThreadRun() in
dom/broadcastchannel/BroadcastChannel.cpp if there is no document yet in
the Worker. Doesn't this mean that workers who can trigger this case can
still broadcast to each other even if they are launched from different
isolation domains, because their empty isolation host strings will match?
I'm not completely clear on what is the best way to handle this case.
Perhaps broadcast messages should fail if isolation is enabled and the
isolation host is either empty (and also if prefixed with
"--NoFirstPartyHost-", for when the getFirstPartyHostForIsolation API itself
fails)?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16300#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
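
Added example (not Tor Browser code and not part of the original message): a minimal C++ model of the case raised in the comment, where two endpoints with empty isolation hosts compare equal, next to the fail-closed check the comment proposes. Endpoint, MayDeliverNaive, MayDeliverFailClosed and the sample hosts are hypothetical names constructed for illustration; only the "--NoFirstPartyHost-" prefix comes from the message.

```cpp
#include <iostream>
#include <string>

// Hypothetical model of a BroadcastChannel endpoint (assumption, not Tor Browser code).
struct Endpoint {
    std::string origin;          // origin of the script that opened the channel
    std::string channel;         // channel name
    std::string firstPartyHost;  // URL bar isolation host; empty if the worker has no document
};

// Prefix quoted in the comment for the case where the isolation API itself fails.
static const std::string kNoHostPrefix = "--NoFirstPartyHost-";

// True only if the key names a real first-party host.
bool UsableIsolationHost(const std::string& host) {
    return !host.empty() &&
           host.compare(0, kNoHostPrefix.size(), kNoHostPrefix) != 0;
}

// Plain string comparison: two empty hosts compare equal, so delivery is allowed.
bool MayDeliverNaive(const Endpoint& from, const Endpoint& to) {
    return from.origin == to.origin && from.channel == to.channel &&
           from.firstPartyHost == to.firstPartyHost;
}

// Fail closed: with isolation enabled, both sides need a usable, identical host.
bool MayDeliverFailClosed(const Endpoint& from, const Endpoint& to,
                          bool isolationEnabled) {
    if (from.origin != to.origin || from.channel != to.channel) return false;
    if (!isolationEnabled) return true;
    if (!UsableIsolationHost(from.firstPartyHost) ||
        !UsableIsolationHost(to.firstPartyHost)) {
        return false;
    }
    return from.firstPartyHost == to.firstPartyHost;
}

int main() {
    // Constructed sample: the same third-party origin embedded under two
    // different URL bar domains, each worker started before a document exists.
    Endpoint a{"https://widget.example", "sync", ""};
    Endpoint b{"https://widget.example", "sync", ""};
    std::cout << "naive: " << MayDeliverNaive(a, b)
              << " fail-closed: " << MayDeliverFailClosed(a, b, true) << "\n";
    return 0;
}
```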