[tor-commits] [tor-browser-build/master] Bug 15599: Range requests used by pdfjs are not isolated to URL bar domain

gk at torproject.org gk at torproject.org
Wed Feb 21 07:59:14 UTC 2018


commit 7db15759a31a7381d0a43b1a40373cd9f970210a
Author: Richard Pospesel <richard at torproject.org>
Date:   Thu Jan 18 19:15:55 2018 -0800

    Bug 15599: Range requests used by pdfjs are not isolated to URL bar domain
    
    After much debugging and investigation, it seems that the required
    information needed to drive the first-party domain cannot be accessed in
    the XmlHttpRequest creation path.  The JS context the part of pdf.js making
    the range requests runs with does not have a reference to parent window and
    associated LoadInfo information (which includes the requesting first-party
    domain).
    
    To fix the issue, we can easily disable support for range-based requests
    via the pdfjs.disableRange property.  However, the side-effect here is
    that pages can not be read as they load; the entire pdf must be
    downloaded before it can be read and interacted with.
    
    This patch updates each platforms extension-overrides.js to change this
    pref.
---
 .../Data/Browser/profile.default/preferences/extension-overrides.js   | 4 ++++
 .../Data/Browser/profile.default/preferences/extension-overrides.js   | 4 ++++
 .../Data/Browser/profile.default/preferences/extension-overrides.js   | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/projects/tor-browser/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js b/projects/tor-browser/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js
index 54dcf91..9476edc 100644
--- a/projects/tor-browser/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js
+++ b/projects/tor-browser/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js
@@ -56,3 +56,7 @@ pref("noscript.restrictSubdocScripting", true);
 pref("noscript.showVolatilePrivatePermissionsToggle", false);
 pref("noscript.volatilePrivatePermissions", true);
 pref("noscript.clearClick", 0);
+
+# PDF.js
+// needs to be a user_pref because pdf.js blows away non-user prefs with it's own defaults each time
+user_pref("pdfjs.disableRange", true);
diff --git a/projects/tor-browser/Bundle-Data/mac/TorBrowser/Data/Browser/profile.default/preferences/extension-overrides.js b/projects/tor-browser/Bundle-Data/mac/TorBrowser/Data/Browser/profile.default/preferences/extension-overrides.js
index 54dcf91..9476edc 100644
--- a/projects/tor-browser/Bundle-Data/mac/TorBrowser/Data/Browser/profile.default/preferences/extension-overrides.js
+++ b/projects/tor-browser/Bundle-Data/mac/TorBrowser/Data/Browser/profile.default/preferences/extension-overrides.js
@@ -56,3 +56,7 @@ pref("noscript.restrictSubdocScripting", true);
 pref("noscript.showVolatilePrivatePermissionsToggle", false);
 pref("noscript.volatilePrivatePermissions", true);
 pref("noscript.clearClick", 0);
+
+# PDF.js
+// needs to be a user_pref because pdf.js blows away non-user prefs with it's own defaults each time
+user_pref("pdfjs.disableRange", true);
diff --git a/projects/tor-browser/Bundle-Data/windows/Data/Browser/profile.default/preferences/extension-overrides.js b/projects/tor-browser/Bundle-Data/windows/Data/Browser/profile.default/preferences/extension-overrides.js
index 54dcf91..9476edc 100644
--- a/projects/tor-browser/Bundle-Data/windows/Data/Browser/profile.default/preferences/extension-overrides.js
+++ b/projects/tor-browser/Bundle-Data/windows/Data/Browser/profile.default/preferences/extension-overrides.js
@@ -56,3 +56,7 @@ pref("noscript.restrictSubdocScripting", true);
 pref("noscript.showVolatilePrivatePermissionsToggle", false);
 pref("noscript.volatilePrivatePermissions", true);
 pref("noscript.clearClick", 0);
+
+# PDF.js
+// needs to be a user_pref because pdf.js blows away non-user prefs with it's own defaults each time
+user_pref("pdfjs.disableRange", true);



More information about the tor-commits mailing list