[tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

Sat Jun 11 04:35:29 UTC 2016

#8725: resource:// URIs leak information
-------------------------------------------------+-------------------------
 Reporter:  holizz                               |          Owner:  tbb-
     Type:  defect                               |  team
 Priority:  Very High                            |         Status:
Component:  Applications/Tor Browser             |  needs_review
 Severity:  Major                                |      Milestone:
 Keywords:  tbb-fingerprinting, tbb-rebase-      |        Version:
  regression, tbb-testcase, tbb-firefox-patch,   |     Resolution:
  TorBrowserTeam201606R                          |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by yawning):

 Replying to [comment:29 cypherpunks]:
 > My original idea is that only privileged `chrome://` or `about:` pages
 can initiate a redirect to the blocked resources. If there is no such
 redirecting URIs accessible from content, there should be no leaks.

 After looking at the documentation and the relevant specs, I'm 99.9% sure
 you're correct.

 `XMLHttpRequest()` will fail the same-origin check, since the request is
 not coming from internal to the Firefox code (requests dispatched from
 inside Firefox can bypass the check completely, but poorly written addons
 are not our problem).

 `Fetch()` refuses to have anything to do with redirects to non-HTTP(s)
 scheme URLs. (See: 5.4 HTTP-redirect fetch).

 > However, testing is needed anyway.

 Yeah.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8725#comment:30>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online