Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2017-11-14 Thread Tor Bug Tracker & Wiki
#8725: resource:// URIs leak information
--------------------------------------------------+-------------------------
 Reporter:  holizz                                |          Owner:  tbb-team
     Type:  defect                                |         Status:  closed
 Priority:  Very High                             |      Milestone:
Component:  Applications/Tor Browser              |        Version:
 Severity:  Major                                 |     Resolution:  fixed
 Keywords:  tbb-fingerprinting,                   |  Actual Points:
  tbb-rebase-regression, tbb-testcase,            |
  tbb-firefox-patch, TorBrowserTeam201607R        |
Parent ID:                                        |         Points:
 Reviewer:                                        |        Sponsor:
--------------------------------------------------+-------------------------

Comment (by cypherpunks):

 It has been fixed in Firefox 57
 https://bugzilla.mozilla.org/show_bug.cgi?id=863246

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2017-02-07 Thread Tor Bug Tracker & Wiki

Comment (by gk):

 See #21396.


Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2017-02-06 Thread Tor Bug Tracker & Wiki
Changes (by gk):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 That shipped in 6.5. We are done here.


Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-08-09 Thread Tor Bug Tracker & Wiki
#8725: resource:// URIs leak information
--------------------------------------------------+-------------------------
 Reporter:  holizz                                |          Owner:  tbb-team
     Type:  defect                                |         Status:  assigned
 Priority:  Very High                             |      Milestone:
Component:  Applications/Tor Browser              |        Version:
 Severity:  Major                                 |     Resolution:
 Keywords:  tbb-fingerprinting,                   |  Actual Points:
  tbb-rebase-regression, tbb-testcase,            |
  tbb-firefox-patch, TorBrowserTeam201607R        |
Parent ID:                                        |         Points:
 Reviewer:                                        |        Sponsor:
--------------------------------------------------+-------------------------

Comment (by mcs):

 Also see #19837


Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-08-08 Thread Tor Bug Tracker & Wiki
Changes (by gk):

 * status:  needs_review => assigned



Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-07-31 Thread Tor Bug Tracker & Wiki
#8725: resource:// URIs leak information
--------------------------------------------------+-------------------------
 Reporter:  holizz                                |          Owner:  tbb-team
     Type:  defect                                |         Status:  needs_review
 Priority:  Very High                             |      Milestone:
Component:  Applications/Tor Browser              |        Version:
 Severity:  Major                                 |     Resolution:
 Keywords:  tbb-fingerprinting,                   |  Actual Points:
  tbb-rebase-regression, tbb-testcase,            |
  tbb-firefox-patch, TorBrowserTeam201607R        |
Parent ID:                                        |         Points:
 Reviewer:                                        |        Sponsor:
--------------------------------------------------+-------------------------
Changes (by nord-stream):

 * cc: nord-stream@… (added)



Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-07-28 Thread Tor Bug Tracker & Wiki

Comment (by yawning):

 Replying to [comment:40 mikeperry]:
 > 1. I think it *might* have been better to use http-on-modify-request
 > here rather than both the content policy and the response listener, but
 > you might also not have as much information there about the source content
 > url. Maybe this doesn't matter so much, since what we really want is a
 > direct Firefox patch. The extra observers will have a perf cost, though.

 The CSP is required because `http-on-modify-request` events don't fire for
 `resource://` urls, unfortunately.


Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-07-28 Thread Tor Bug Tracker & Wiki
Changes (by mikeperry):

 * cc: boklm (added)


Comment:

 Couple points:

 1. I think it *might* have been better to use http-on-modify-request here
 rather than both the content policy and the response listener, but you
 might also not have as much information there about the source content
 url. Maybe this doesn't matter so much, since what we really want is a
 direct Firefox patch. The extra observers will have a perf cost, though.
 2. Given that we want to replace this by a direct patch, we should turn
 arthur's https://arthuredelstein.github.io/tordemos/resource-locale.html
 into a Tor Browser test of some kind to verify that future versions behave
 the same way. Boklm, can you handle that? Also, please add a test for
 https://trac.torproject.org/projects/tor/ticket/8725#comment:38 about the
 nested schemes. We should test that too.

 Otherwise, I think this is OK, and I agree it is an improvement. For now,
 I will merge this into the torbutton master branch for TBB 6.5-alpha,
 since it may shake a few more issues loose.


Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-07-22 Thread Tor Bug Tracker & Wiki

Comment (by arthuredelstein):

 Replying to [comment:37 yawning]:
 > https://git.schwanenlied.me/yawning/torbutton/commits/bug8725_take3
 >
 > One more change to handle redirects properly.

 r=me


Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-07-18 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 Do nested schemes (`view-source:`, `jar:`, etc.) leak information about
 existing restricted resources? Although I tend to think those schemes are
 inaccessible from content, that does not necessarily guarantee no
 information leak.

 Ex.
 Is `view-source:chrome://nonexistent/content/` denied the same way as
 `view-source:chrome://torbutton/content/`?


Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-07-16 Thread Tor Bug Tracker & Wiki

Comment (by yawning):

 https://git.schwanenlied.me/yawning/torbutton/commits/bug8725_take3

 One more change to handle redirects properly.


Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-07-15 Thread Tor Bug Tracker & Wiki

Comment (by arthuredelstein):

 Here's another variant (XHR of resource:/// URIs) that yawning's patch
 successfully defends against:

 https://bugzilla.mozilla.org/show_bug.cgi?id=1120398


Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-27 Thread Tor Bug Tracker & Wiki
#8725: resource:// URIs leak information
--------------------------------------------------+-------------------------
 Reporter:  holizz                                |          Owner:  tbb-team
     Type:  defect                                |         Status:  needs_review
 Priority:  Very High                             |      Milestone:
Component:  Applications/Tor Browser              |        Version:
 Severity:  Major                                 |     Resolution:
 Keywords:  tbb-fingerprinting,                   |  Actual Points:
  tbb-rebase-regression, tbb-testcase,            |
  tbb-firefox-patch, TorBrowserTeam201606R        |
Parent ID:                                        |         Points:
 Reviewer:                                        |        Sponsor:
--------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:32 arthuredelstein]:
 > I also made a test to see if I could use redirects from content to load
 resource:// or chrome:// URIs into 

Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-16 Thread Tor Bug Tracker & Wiki

Comment (by yawning):

 https://git.schwanenlied.me/yawning/torbutton/commits/bug8725_take2


Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-16 Thread Tor Bug Tracker & Wiki

Comment (by arthuredelstein):

 I also made a test to see if I could use redirects from content to load
 resource:// or chrome:// URIs into 

Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-16 Thread Tor Bug Tracker & Wiki

Comment (by arthuredelstein):

 FWIW, I tested Yawning's branch and confirmed it prevents
 https://www.browserleaks.com/firefox from accessing the resource:///
 files.


Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-10 Thread Tor Bug Tracker & Wiki

Comment (by yawning):

 Replying to [comment:29 cypherpunks]:
 > My original idea is that only privileged `chrome://` or `about:` pages
 > can initiate a redirect to the blocked resources. If there is no such
 > redirecting URIs accessible from content, there should be no leaks.

 After looking at the documentation and the relevant specs, I'm 99.9% sure
 you're correct.

 `XMLHttpRequest()` will fail the same-origin check, since the request is
 not coming from internal to the Firefox code (requests dispatched from
 inside Firefox can bypass the check completely, but poorly written addons
 are not our problem).

 `Fetch()` refuses to have anything to do with redirects to non-HTTP(s)
 scheme URLs. (See: 5.4 HTTP-redirect fetch).

 > However, testing is needed anyway.

 Yeah.



Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-10 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 My original idea is that only privileged `chrome://` or `about:` pages can
 initiate a redirect to the blocked resources. If there is no such
 redirecting URIs accessible from content, there should be no leaks.
 However, testing is needed anyway.



Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-10 Thread Tor Bug Tracker & Wiki

Comment (by yawning):

 Replying to [comment:27 gk]:
 > {{{
 > The second one is that shouldLoad is not invoked for redirects. You only
 > get one call, for the first URL requested. If you let it pass, it can
 > redirect anywhere without you noticing it.
 > }}}
 > https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/Intercepting_Page_Loads
 >
 > So, my first guess would be that redirects can bypass this blocking
 > mechanism. Did anybody test this?

 I have not.  If `nsIWebProgressListener2` fires at the right time for
 chrome/resource URLs, that may be an option here (specifically we want the
 `onRefreshAttempted()` callback).



Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-10 Thread Tor Bug Tracker & Wiki

Comment (by gk):

 {{{
 The second one is that shouldLoad is not invoked for redirects. You only
 get one call, for the first URL requested. If you let it pass, it can
 redirect anywhere without you noticing it.
 }}}
 https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/Intercepting_Page_Loads

 So, my first guess would be that redirects can bypass this blocking
 mechanism. Did anybody test this?

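The redirect gap described in the comment above, together with the nested-scheme question asked elsewhere in this ticket, can be exercised against a small model. This is an added example, not torbutton code and not from any participant in the thread: the function names, the wrapper-scheme list and the sample URIs are assumptions, and no Firefox API is used.

```javascript
// Model of the load filter discussed in this ticket. Hypothetical names
// throughout; this is not torbutton code and it calls no Firefox API.
// Assumption: every URI handed to the filter is absolute.

const BLOCKED_SCHEMES = new Set(["resource", "chrome"]);
const WRAPPER_SCHEMES = new Set(["view-source", "jar"]);
// Assumption: only these origins count as privileged browser code.
const PRIVILEGED_SCHEMES = new Set(["chrome", "resource", "about"]);

function schemeOf(uri) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(uri.trim());
  return m ? m[1].toLowerCase() : null;
}

// Every scheme in a possibly nested URI, outermost first, for example
// "view-source:jar:resource://x!/y" gives ["view-source", "jar", "resource"].
function schemeChain(uri) {
  const chain = [];
  let rest = uri.trim();
  for (let depth = 0; depth < 8; depth++) {
    const scheme = schemeOf(rest);
    if (scheme === null) break;
    chain.push(scheme);
    if (!WRAPPER_SCHEMES.has(scheme)) break;
    rest = rest.slice(scheme.length + 1); // drop "wrapper:" and look inside
  }
  return chain;
}

// Verdict for one URI requested by originUri. It depends only on the schemes
// involved, never on whether the target exists, so an installed and a
// nonexistent chrome package get the same answer.
function decideLoad(originUri, targetUri) {
  if (PRIVILEGED_SCHEMES.has(schemeOf(originUri))) return "ACCEPT";
  const chain = schemeChain(targetUri);
  const innermost = chain[chain.length - 1];
  // Fail closed on anything that cannot be unwrapped to a concrete scheme.
  if (chain.length === 0 || WRAPPER_SCHEMES.has(innermost)) return "REJECT";
  return chain.some((s) => BLOCKED_SCHEMES.has(s)) ? "REJECT" : "ACCEPT";
}

// hops[0] is the URI the page asked for; later entries are redirect targets.
// checkRedirects=false models a filter that is consulted for hops[0] only.
// Returns the index of the blocked hop, or -1 if the whole chain loaded.
function evaluateChain(originUri, hops, checkRedirects) {
  const limit = checkRedirects ? hops.length : Math.min(1, hops.length);
  for (let i = 0; i < limit; i++) {
    if (decideLoad(originUri, hops[i]) === "REJECT") return i;
  }
  return -1;
}

// Constructed sample inputs.
const PAGE = "https://example.com/index.html";
const REDIRECT_CHAIN = [
  "https://example.com/r",
  "resource://example-package/file.txt",
];

// The regression checks the thread asks for, expressed against the model.
function regressionReport() {
  return {
    nestedExisting: decideLoad(PAGE, "view-source:chrome://torbutton/content/"),
    nestedMissing: decideLoad(PAGE, "view-source:chrome://nonexistent/content/"),
    firstHopOnly: evaluateChain(PAGE, REDIRECT_CHAIN, false),
    everyHop: evaluateChain(PAGE, REDIRECT_CHAIN, true),
  };
}

console.log(regressionReport());
```

A filter consulted only for the first hop lets the constructed chain through, while the per-hop check stops it at the redirect target.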


Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-08 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 Now that #18914 is fixed, this is an important remaining hole that needs
 an immediate fix. With this fixed, there will be no known locale leak as
 far as I know. -- Thanks!



Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-04 Thread Tor Bug Tracker & Wiki
Changes (by yawning):

 * status:  new => needs_review
 * keywords:
 tbb-fingerprinting, tbb-rebase-regression, tbb-testcase, tbb-firefox-patch
 =>
 tbb-fingerprinting, tbb-rebase-regression, tbb-testcase, tbb-firefox-patch,
 TorBrowserTeam201606R


Comment:

 I pushed a change to also restrict `chrome://` URIs, regardless of
 `contentaccessible`, per discussion with gk.  It sort of sucks that
 certain addons will break, but they aren't the standard Tor Browser set.

 I leave it up to the Tor Browser people if they want to take that commit
 or not.



Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-04 Thread Tor Bug Tracker & Wiki
#8725: resource:// URIs leak information
--------------------------------------------------+-------------------------
 Reporter:  holizz                                |          Owner:  tbb-team
     Type:  defect                                |         Status:  new
 Priority:  Very High                             |      Milestone:
Component:  Applications/Tor Browser              |        Version:
 Severity:  Major                                 |     Resolution:
 Keywords:  tbb-fingerprinting,                   |  Actual Points:
  tbb-rebase-regression, tbb-testcase,            |
  tbb-firefox-patch                               |
Parent ID:                                        |         Points:
 Reviewer:                                        |        Sponsor:
--------------------------------------------------+-------------------------

Comment (by yawning):

 
https://git.schwanenlied.me/yawning/torbutton/commit/0deee1b15b0b7fb6551d17827dc9cdd604ff35b9

 Was what I had in mind as far as how to integrate it into torbutton (Yes,
 it works).  Hopefully a real browser developer will take over from here.



Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-04 Thread Tor Bug Tracker & Wiki

Comment (by yawning):

 Replying to [comment:22 cypherpunks]:
 > Although the example add-on is GPL-3, I licensed the content policy code
 > under MPL-2. Is MPL too restrictive? (Then we'll need to consider a BSD or
 > the MIT/X11 license.) But the Mozilla codebase is under MPL anyway...
 > https://notabug.org/desktopd/no-resource-uri-leak/src/master/src/resource-filter

 FWIW, the current torbutton license is
 https://gitweb.torproject.org/torbutton.git/tree/src/LICENSE (Which seems
 sort of historical).  And I don't really care either way, but it's
 ultimately not my call, I just want this fixed.

 My plan was to integrate it into torbutton, instead of having it be a
 separate addon, though I'll drop the idea if the browser developers tell
 me that this should be solved another way.



Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-04 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 Although the example add-on is GPL-3, I licensed the content policy code
 under MPL-2. Is MPL too restrictive? (Then we'll need to consider a BSD or
 the MIT/X11 license.) But the Mozilla codebase is under MPL anyway...
 https://notabug.org/desktopd/no-resource-uri-leak/src/master/src/resource-filter



Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-03 Thread Tor Bug Tracker & Wiki

Comment (by yawning):

 Replying to [comment:19 cypherpunks]:
 > I have a workaround for this.
 > Can you please look at
 > https://addons.mozilla.org/en-US/firefox/addon/no-resource-uri-leak/ ?

 As far as I can tell the approach you're taking is the only way to do this
 (the `http-on-modify-request` event does not fire for `resource://` URLs
 for obvious reasons, so a content policy is required).  Not sure what the
 Tor Browser policy is on licensing.



Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-06-03 Thread Tor Bug Tracker & Wiki
Changes (by saint):

 * cc: griffinboyce@… (removed)



Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

2016-05-30 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 I have a workaround for this.
 Can you please look at
 https://addons.mozilla.org/en-US/firefox/addon/no-resource-uri-leak/ ?
