[tor-bugs] #15502 [Tor Browser]: Blob URIs considered harmful

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Mar 29 19:38:30 UTC 2015


#15502: Blob URIs considered harmful
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  tbb-team
  mikeperry              |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-linkability, tbb-newnym,
  Browser                |  TorBrowserTeam201503, tbb-4.5-alpha
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------
Changes (by gk):

 * cc: gk (added)


Comment:

 Replying to [ticket:15502 mikeperry]:
 > Here's an example blob URI creation script that gives you a blob uri
 > that you can throw in the URL bar. It will then execute scripts (pop up an
 > alert) even if you have instructed NoScript to disable scripts globally:
 > https://people.torproject.org/~mikeperry/transient/tests/blob-uri-creation.html

 Interesting, but setting the security slider to "high" does not let the
 blob: URI execute it seems. Nevertheless, this is pretty scary. I think
 the safest for 4.5 is to just disable the support for that scheme. We
 could then think about handling all the related issues properly.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15502#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

