[tor-bugs] #16998 [Applications/Tor Browser]: Make sure <link rel="preconnect"> adheres to URL bar domain isolation

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jun 20 06:38:55 UTC 2016


#16998: Make sure <link rel="preconnect"> adheres to URL bar domain isolation
-------------------------------------------------+---------------------------------
 Reporter:  gk                                   |          Owner:  arthuredelstein
     Type:  task                                 |         Status:  needs_review
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff45-esr, tbb-linkability,           |  Actual Points:
  tbb-6.0a5, TorBrowserTeam201606R               |         Points:
Parent ID:                                       |        Sponsor:
 Reviewer:                                       |
-------------------------------------------------+---------------------------------

Comment (by arthuredelstein):

 Replying to [comment:11 mcs]:
 > Kathy and I reviewed this and ran the tests (as well as a manual test so
 > we could look at the domain isolation logging). Everything seems to be
 > working correctly. Nice work!

 Thank you for the review!

 > It might be helpful to add some comments where you pass an empty string
 > for the isolation key, e.g., in netwerk/base/Predictor.cpp, inside
 > IOServiceProxyCallback::OnProxyAvailable(), and in
 > netwerk/ipc/NeckoParent.cpp. I know Predictor.cpp is OK because that code
 > is pref'd off. Kathy and I are less confident about NeckoParent.cpp
 > because we are not as familiar with the IPC code and all the ways it may
 > be used.

 Good point. I decided to add isolationKeys to the IPC code just to be
 sure.

 > Also, the UUID inside netwerk/base/nsISpeculativeConnect.idl should be
 > changed. Kathy and I are also worried that changing signatures of existing
 > IDL'd methods may break add-ons. Should we add new methods instead?

 I've added new methods as you suggest. This means that the Predictor code
 is left to use the old methods, but, as you point out, we have the
 predictor preffed off.

 Here's the new version:

 https://github.com/arthuredelstein/tor-browser/16998+10

 Same patches as before:
 * b44b2b25bab1ebde9351c842f0ca66d2fdc87579 reverts the temporary patch
 posted in comment:4
 * be96c4f788ab616d94457bcc4dd1d098b156d62c isolates link rel=preconnect to
 first party and generally isolates speculative connects
 * 8cfeded9b52a1bbc93622c6dbe6ca59f987b43c0 is a fixup for our first-party
 regression test that ensures that the preconnect connection has the
 correct first party

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16998#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

