[tor-bugs] #22501 [Applications/Tor Browser]: Requests via javascript: violate FPI

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Sep 27 18:20:29 UTC 2017

#22501: Requests via javascript: violate FPI
 Reporter:  cypherpunks                |          Owner:  pospeselr
     Type:  defect                     |         Status:  assigned
 Priority:  High                       |      Milestone:
Component:  Applications/Tor Browser   |        Version:
 Severity:  Major                      |     Resolution:
 Keywords:  tbb-linkability, noscript  |  Actual Points:
Parent ID:                             |         Points:
 Reviewer:                             |        Sponsor:

Comment (by pospeselr):

 So the noscript.fixLinks will disable the custom onclick handler (which is
 what does the above described behaviour) but also disables a custom
 onchange handler (for select and option elements).

 However, for Tor Browser that's a good thing, as it has a similar feature
 whereby it will automatically try to navigate to a selected option if it
 looks like a URL (the threshold for 'looks like a URL' is even lower
 though: value contains '/' or '.' and does not contain '@').  This URL
 will try to be navigated through the same code-path, so would have the
 same browser internal request gk mentioned.

 Updating TorButton to set turn off the noscript.fixLinks option should
 work, will have a patch up in a bit.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22501#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list