[tor-bugs] #18950 [Applications/Tor Browser]: Disable or audit Reader View in ESR 45

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue May 24 11:40:25 UTC 2016


#18950: Disable or audit Reader View in ESR 45
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  gk
     Type:  task                                 |         Status:
 Priority:  Medium                               |  needs_review
Component:  Applications/Tor Browser             |      Milestone:
 Severity:  Normal                               |        Version:
 Keywords:  ff45-esr, TorBrowserTeam201605R,     |     Resolution:
  GeorgKoppen201605, tbb-6.0-must                |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * keywords:  ff45-esr, TorBrowserTeam201605, GeorgKoppen201605,
     tbb-6.0-must => ff45-esr, TorBrowserTeam201605R, GeorgKoppen201605,
     tbb-6.0-must
 * status:  assigned => needs_review


Comment:

 See bug_18950
 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_18950)
 in my tor-browser repo for a patch.

 I did not disable the whole feature but made sure that the fingerprinting
 risks that might be associated with it are neutered. This is mainly done
 by flipping `reader.parse-on-load.enabled` to `false`. Having it set to
 `true` would discriminate between users with low memory computers
 (probably only some mobile ones) and those who have Reader View capable
 ones.

 This has the side-effect that the reader view icon is vanishing from the
 URL bar and the View menu making it harder to click on them by accident
 (at least on the desktop). See:
 https://mxr.mozilla.org/mozilla-esr45/source/browser/base/content/tab-content.js#331

 The other code path that goes to `_readerParse()`
 (https://mxr.mozilla.org/mozilla-esr45/source/toolkit/components/reader/ReaderMode.jsm#351)
 comes from the `about:reader` URL which is called if one already has saved an
 item in one's reader list. This is okay I think. Content seems not to be able
 to use `about:reader` URLs to mess with a user's browsing session, a
 security error is thrown.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18950#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

