[tor-bugs] #27427 [Applications/Tor Browser]: [PATCH] Fix NoScript IPC for about:blank by whitelisting messages

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 14 14:02:33 UTC 2018


#27427: [PATCH] Fix NoScript IPC for about:blank by whitelisting messages
-------------------------------------------------+-------------------------
 Reporter:  rustybird                            |          Owner:
                                                 |  arthuredelstein
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  TorBrowserTeam201809R,               |  Actual Points:
  tbb-8.0.1-can                                  |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by cypherpunks3):

 Replying to [comment:15 ma1]:
 > It should not: NoScript defers all the HTTP(S) traffic until its policy
 > is configured and ready to be enforced.
 Ok, so let's say it only breaks in harmless cases. Regardless, it still
 looks like a bug to me: the handler for `fetchChildPolicy` is running
 before making sure the state is properly initialised; for example, the
 object `ns.policy` is used and dereferenced in `getForDocument` even
 though it could still be null. Or maybe I'm wrong, I'm just reading this
 code now.

 > about:blank, data: and file: URLs are those which might suffer from this
 > problem, because NoScript has no means to prevent them from loading before
 > it's initialized.
 Does that mean that the approach mentioned there [ticket:27553#comment:3]
 is unreliable because of this race?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27427#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
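
The race described in the comment above, modelled as an added example that is not part of the original message and is not NoScript's code: a request that arrives before initialisation either dereferences a null policy or is deferred until the policy exists. `ns.policy`, `fetchChildPolicy` and `getForDocument` are the names used in the comment; `makeBackground`, `gated`, `pending`, `permissionsFor`, `samplePolicy` and `simulateEarlyRequest` are hypothetical.

```javascript
// Hypothetical model of the race; not NoScript's code.
// ns.policy, fetchChildPolicy and getForDocument are names from the comment;
// everything else (makeBackground, gated, pending, permissionsFor) is assumed.
function makeBackground({ gated }) {
  const ns = { policy: null };   // stays null until init() runs
  const pending = [];            // requests that arrived before init()

  function getForDocument(url) {
    // Throws TypeError while ns.policy is still null.
    return ns.policy.permissionsFor(url);
  }

  function onMessage(msg, reply) {
    if (msg.type !== "fetchChildPolicy") return;
    if (gated && ns.policy === null) {
      pending.push([msg, reply]); // defer instead of dereferencing null
      return;
    }
    reply(getForDocument(msg.url));
  }

  function init(policy) {
    ns.policy = policy;
    // Answer every deferred request now that the policy exists.
    for (const [msg, reply] of pending.splice(0)) onMessage(msg, reply);
  }

  return { onMessage, init };
}

// Constructed policy object for the demonstration.
const samplePolicy = { permissionsFor: (url) => `scripts-blocked:${url}` };

// A document that loads before init() (about:blank here) asks for its policy.
function simulateEarlyRequest(gated) {
  const bg = makeBackground({ gated });
  const seen = [];
  try {
    bg.onMessage({ type: "fetchChildPolicy", url: "about:blank" },
                 (p) => seen.push(p));
  } catch (e) {
    seen.push(e.name);           // ungated handler fails on the null policy
  }
  bg.init(samplePolicy);
  return seen;
}

console.log(simulateEarlyRequest(false));
console.log(simulateEarlyRequest(true));
```

In the ungated run the early document never receives a policy at all; in the gated run it receives one as soon as `init()` completes.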