[tor-bugs] #13670 [Tor Browser]: ensure OCSP & favicons respect URL bar domain isolation
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue May 12 15:39:26 UTC 2015
#13670: ensure OCSP & favicons respect URL bar domain isolation
-------------------------+-------------------------------------------------
Reporter: | Owner: arthuredelstein
arthuredelstein | Status: needs_revision
Type: defect | Milestone:
Priority: major | Version:
Component: Tor | Keywords: tbb-linkability, ff38-esr,
Browser | TorBrowserTeam201505R, MikePerry201505R
Resolution: | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Comment (by mcs):
Kathy and I did our best to review these patches. We are not 100% sure,
but it seems like the change Mike made to use a hostname for isolationKey
will break the code inside nsHTTPDownloadEvent::Run() that passes that
string to NS_NewURI(). It would be good to add a check for failure there
in any case.
With respect to memory ownership and lifetime issues, it is difficult to
be certain but Kathy and I think the code is OK. From an auditability
point of view, using string classes would make things easier.
A few more comments:
- The GUID for nsISocketTransport.idl should be updated.
- The second parameter to ReportFailedToProcess() is always an empty
string. Why add the parameter?
- Inside TransportSecurityInfo, the getter that has this signature is not
called:
`nsresult GetIsolationKey(char **aIsolationKey);`
Can we remove it? Also, it might be good to follow the example of
GetHostNameRaw() and rename the other GetIsolationKey() method to
GetIsolationKeyRaw().
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13670#comment:38>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list