[tor-bugs] #22501 [Applications/Tor Browser]: Requests via javascript: violate FPI

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 26 22:23:34 UTC 2017

#22501: Requests via javascript: violate FPI
 Reporter:  cypherpunks               |          Owner:  pospeselr
     Type:  defect                    |         Status:  assigned
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:  tbb-linkability           |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by pospeselr):

 So the problem here is NoScript with the 'noscript.global' preference
 enabled (hence why it only happens when in the Medium or Higher security
 setting).

 When an <a> element is clicked and the href attribute starts with
 'javascript:' NoScript tries to heuristically extract a URI from the
 source by looking for a string between " or ' characters that does not
 contain invalid URI characters (
 ) and uses that as the href string instead, passing this new href on to an
 XMLHttpRequest at which point everything happens as normal.

 It will interpret the href as relative to the document's URI, unless the
 href is itself an absolute URL (per
 https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIIOService#newURI() ).

 This has some really cool consequences such that this <a> element will go
 to github when clicked with NoScript enabled:

 <a href="javascript:/* code from 'http://www.github.com' */

 proof: https://pste.eu/p/pWdf.html

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22501#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
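
A simplified model of the behaviour the comment above describes, added here as an example (it is not NoScript's or Tor Browser's code): it pulls the first quoted URI-looking string out of a `javascript:` href, resolves it against the document URI, and reports whether the resulting request would leave the document's host. The character class standing in for "invalid URI characters", the function names and the `example.com` document URI are assumptions; FPI keys on the first-party domain, which is approximated here by hostname.

```javascript
// Simplified model of the heuristic described in the comment above.
// Not NoScript's source: the character class below is an assumed stand-in
// for "invalid URI characters", and all function names are hypothetical.
const QUOTED_CANDIDATE = /(["'])([^\s"'<>\\^`{|}]+)\1/;

// Return the first quoted, URI-looking string in a javascript: href, or null.
function extractCandidate(href) {
  if (!/^javascript:/i.test(href)) return null;
  const m = href.slice('javascript:'.length).match(QUOTED_CANDIDATE);
  return m ? m[2] : null;
}

// Resolve the candidate the way the comment describes: relative to the
// document URI unless the candidate is itself an absolute URL.
function resolveFallback(href, documentUri) {
  const candidate = extractCandidate(href);
  if (candidate === null) return null;
  let resolved;
  try {
    resolved = new URL(candidate, documentUri);
  } catch (e) {
    return null; // not parseable as a URL, so no fallback request
  }
  // Assumption: hostname comparison approximates the first-party check;
  // FPI itself keys on the first-party domain.
  const crossHost = resolved.hostname !== new URL(documentUri).hostname;
  return { candidate, resolved: resolved.href, crossHost };
}

// Constructed inputs; the first href is the one quoted in the comment.
const DOC = 'https://example.com/page/index.html';
const SAMPLES = [
  "javascript:/* code from 'http://www.github.com' */",
  "javascript:load('next.html')",
  'javascript:void(0)',
];

function report() {
  return SAMPLES.map((href) => ({ href, result: resolveFallback(href, DOC) }));
}

for (const { href, result } of report()) {
  const shown = result ? `${result.resolved} crossHost=${result.crossHost}` : 'no fallback';
  console.log(href, '=>', shown);
}
```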
