[tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 28 22:04:07 UTC 2016


#8725: resource:// URIs leak information
-------------------------------------------------+-------------------------
 Reporter:  holizz                               |          Owner:  tbb-
     Type:  defect                               |  team
 Priority:  Very High                            |         Status:
Component:  Applications/Tor Browser             |  needs_review
 Severity:  Major                                |      Milestone:
 Keywords:  tbb-fingerprinting, tbb-rebase-      |        Version:
  regression, tbb-testcase, tbb-firefox-patch,   |     Resolution:
  TorBrowserTeam201607R                          |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by mikeperry):

 * cc: boklm (added)


Comment:

 Couple points:

 1. I think it *might* have been better to use http-on-modify-request here
 rather than both the content policy and the response listener, but you
 might also not have as much information there about the source content
 url. Maybe this doesn't matter so much, since what we really want is a
 direct Firefox patch. The extra observers will have a perf cost, though.
 2. Given that we want to replace this by a direct patch, we should turn
 arthur's https://arthuredelstein.github.io/tordemos/resource-locale.html
 into a Tor Browser test of some kind to verify that future versions behave
 the same way. Boklm, can you handle that? Also, please add a test for
 https://trac.torproject.org/projects/tor/ticket/8725#comment:38 about the
 nested schemes. We should test that too.

 Otherwise, I think this is OK, and I agree it is an improvement. For now,
 I will merge this into the torbutton master branch for TBB 6.5-alpha,
 since it may shake a few more issues loose.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8725#comment:40>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list