[tor-bugs] #13670 [Tor Browser]: ensure OCSP & favicons respect URL bar domain isolation
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Mar 30 18:00:30 UTC 2015
#13670: ensure OCSP & favicons respect URL bar domain isolation
---------------------------------+---------------------------------------
     Reporter:  arthuredelstein  |      Owner:  arthuredelstein
         Type:  defect           |     Status:  needs_revision
     Priority:  major            |  Milestone:
    Component:  Tor Browser      |    Version:
   Resolution:                   |   Keywords:  tbb-linkability, ff38-esr
Actual Points:                   |  Parent ID:
       Points:                   |
---------------------------------+---------------------------------------
Comment (by arthuredelstein):
Replying to [comment:28 mikeperry]:
> The favicon portion of this patch checks and sets an nsINode attribute
> that specifies the first party. I believe this can be abused by content to
> set its own attributes to circumvent our domain isolation.

I'm posting a new version of 13670 (part I, favicons) here, that avoids
this problem by checking that the nsINode is in chrome:
https://github.com/arthuredelstein/tor-browser/commit/29d9ee9013a67f82e132539744e518d1daafebfb
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13670#comment:32>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online