[tor-bugs] #18811 [Applications/Tor Browser]: Our first-party isolation patch incorrectly rejects blobs retrieved in workers
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri May 20 17:52:10 UTC 2016
#18811: Our first-party isolation patch incorrectly rejects blobs retrieved in workers
----------------------------------------------------------+-----------------------------------
 Reporter:  arthuredelstein                               |          Owner:  arthuredelstein
     Type:  defect                                        |         Status:  needs_information
 Priority:  Medium                                        |      Milestone:
Component:  Applications/Tor Browser                      |        Version:
 Severity:  Normal                                        |     Resolution:
 Keywords:  ff45-esr, TorBrowserTeam201605R, tbb-6.0-must |  Actual Points:
Parent ID:                                                |         Points:
 Reviewer:                                                |        Sponsor:
----------------------------------------------------------+-----------------------------------
Comment (by arthuredelstein):
Replying to [comment:8 gk]:
> Could you elaborate why we don't care about CSP just for blob: URLs?
blob: URLs result in pure JavaScript data that don't result in further
content being loaded from the network. So I don't think CSP is needed at
this point in the blob loading process. I also looked downstream of the function
I am patching here, and there is apparently no access to CSP settings.
But it's possible I am missing something here. Is there any reason why a
blob would need an associated CSP?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18811#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online