[tor-bugs] #28873 [Applications/Tor Browser]: Cascading of permissions does not seem to work properly in Tor Browser 8
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Dec 27 23:22:03 UTC 2018
#28873: Cascading of permissions does not seem to work properly in Tor Browser 8
-------------------------------------------------+-------------------------
Reporter: gk | Owner: ma1
Type: defect | Status:
| needs_information
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: noscript, tbb-security, tbb- | Actual Points:
torbutton, tbb-8.0-issues, tbb-regression, |
TorBrowserTeam201812R |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by ma1):
* status: needs_review => needs_information
Comment:
An afterthough: some users are complaining that having TRUSTED subframes
constrained by DEFAULT/UNTRUSTED parent document is annoying, if not
disfunctional: for instance if you've set Youtube to TRUSTED, embedded
movies used to work without the need of raising privileges of the parent
page. One may object that you could always use "show only this frame", but
do we really have a strong case here for cascading inline restrictions to
trusted subdocuments? What's the threat model we're guarding against
(beside clickjacking, which is orthogonal to scripting though)?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28873#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list