[tor-bugs] #16874 [Tor Browser]: https://sports.yahoo.com/dailyfantasy is broken with Tor Browser 5.0 on Windows

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Sep 17 06:05:13 UTC 2015


#16874: https://sports.yahoo.com/dailyfantasy is broken with Tor Browser 5.0 on
Windows
-------------------------+-------------------------------------------------
     Reporter:  gk       |      Owner:  tbb-team
         Type:  defect   |     Status:  new
     Priority:  normal   |  Milestone:
    Component:  Tor      |    Version:
  Browser                |   Keywords:  tbb-usability-website,
   Resolution:           |  tbb-5.0-regression, TorBrowserTeam201509
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by arthuredelstein):

 Replying to [comment:15 mikeperry]:
 > I'm unfamiliar with the new Services.scriptloader.loadSubScript API, but
 looking it up, it seems common for people to use
 https://developer.mozilla.org/en-
 US/docs/Mozilla/Tech/XPCOM/Language_Bindings/Components.utils.Sandbox with
 it still, to cause the script to evaluate with content privileges..
 >
 > Are you sure that what you did with XPCNativeWrapper.unwrap() instead is
 safe there?

 I don't why I had XPCNativeWrapper.unwrap() there -- I've removed it.

 > There's two main sources of risk when doing stuff like this:
 >  1. Adding Intl.js from chrome could cause the Intl.js expandos to
 actually have chrome privileges inside the content window. This seems
 unlikely, but again I'm not sure.
 >  2. The polyfill itself may be running with chrome privs when installing
 itself, which means that if it touches an unwrapped window property, it
 may be induced to execute content code (in the form of a getter/setter,
 perhaps) that way, in a privileged setting.

 The documentation at https://developer.mozilla.org/en-
 US/docs/Mozilla/Tech/XPCOM/Reference/Interface/mozIJSSubScriptLoader#loadSubScript%28%29
 claims that "The loaded script is executed with the principal associated
 with the target object." So that's at least promising.

 First I confirmed that the principal for the contentWindow object is non-
 chrome:
 {{{
 >
 Components.utils.getObjectPrincipal(gBrowser.selectedBrowser.contentWindow)
 XPCWrappedNative_NoHelper { URI: XPCWrappedNative_NoHelper, origin:
 "https://arthuredelstein.github.io", jarPrefix: "", baseDomain:
 "arthuredelstein.github.io", appStatus: 0, appId: 0, isInBrowserElement:
 false, unknownAppId: false, isNullPrincipal: false }
 }}}
 Then for a more direct test, I added the line
 {{{
 console.log("Components.interfaces:", Components.interfaces);
 }}}
 to the top of Intl.js. In that case, every loaded page logs an error:
 {{{
 ReferenceError: Components is not defined
 }}}

 I didn't immediately think of any further tests that might approach the
 question in another way.

 > For some reason, I can't seem to find any documentation on either of
 these risks. Perhaps that's because this new API is magically safe no
 matter how you use it? Maybe this is a question for #security on
 irc.mozilla.org, and/or some testing?

 You're right that we should be very careful about this. I've posted a
 question there. In the meantime, here's the new version without
 XPCNativeWrapper.unwrap:

 https://github.com/arthuredelstein/torbutton/commit/16874+2

 I suppose one alternative would be to insert a `<SCRIPT
 src="resource://...">` element to the content page's DOM once it has
 started loading.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16874#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list