[tor-bugs] #22501 [Applications/Tor Browser]: Requests via javascript: violate FPI
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Sep 27 07:27:01 UTC 2017
#22501: Requests via javascript: violate FPI
---------------------------------------+-----------------------------------
Reporter: cypherpunks | Owner: pospeselr
Type: defect | Status: needs_information
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: tbb-linkability, noscript | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
---------------------------------------+-----------------------------------
Changes (by gk):
* cc: ma1 (added)
* status: assigned => needs_information
* keywords: tbb-linkability => tbb-linkability, noscript
Comment:
Thanks for tracking this down. Giorgio: could you have a look at that one?
I guess the intended behavior is: *if* we need to issue a request due to
clicking on a `javascript:` link then it should adhere to our first-party
isolation. That probably means NoScript itself should not issue that
request as this is treated as a browser internal request which gets put
onto the catch-all circuit (due to lack of URL bar domain information).
Does that make sense to you, Giorgio?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22501#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list