Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:  closed
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201802R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * status:  needs_review => closed
 * resolution:   => fixed


Comment:

 Let's test the patch as-is in the alpha. I am skeptical that the benefit
 is worth the usability penalty. If we think it is okay then I think the
 patch idea brought up by mcs is the better one.

 Applied to `tor-browser-build`'s `master` as commit
 7db15759a31a7381d0a43b1a40373cd9f970210a.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  needs_review
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201802R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:  tbb-linkability, TorBrowserTeam201802 => tbb-linkability,
 TorBrowserTeam201802R
 * status:  needs_revision => needs_review


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  needs_revision
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201802   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by cypherpunks):

 * keywords:  tbb-linkability, TorBrowserTeam201802R => tbb-linkability,
 TorBrowserTeam201802
 * status:  needs_review => needs_revision


Comment:

 > 2) extension-overrides.js is the wrong place for the patch.
 @mcs too: see what you've done with e10srollout.

 BTW, where do you see range requests now?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  needs_review
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201802R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by mcs):

 * status:  needs_information => needs_review


Comment:

 Back to needs_review so we don't lose track of this ticket (gk will
 hopefully give a final opinion when he is back at his keyboard).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  needs_information
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201802R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by pospeselr):

 Replying to [comment:17 mcs]:
 > I assume this is the code that is overriding the settings for
 `pdfjs.disableRange` when placed in `000-tor-browser.js`:
 > https://dxr.mozilla.org/mozilla-
 esr52/source/browser/extensions/pdfjs/content/PdfJs.jsm#79

 Yep exactly, this code goes in and overwrites the preference unless it's
 been set by a user, so updating the default system preference does nothing
 in 000-tor-browser.js just gets blown away.

 > How bad is performance when loading a large PDF with this change in
 place? I assume "time to first page display" increases significantly.

 Entirely dependent on how large the pdf is that you're trying to download,
 and how fast your circuit is.  Fortunately there is a progress bar in the
 pdf UI indicating the load progress, so it doesn't look like the browser
 is just hanging.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  needs_information
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201802R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by mcs):

 * status:  needs_review => needs_information


Comment:

 Replying to [comment:14 pospeselr]:
 > Unfortunately, the user_pref setting doesn't seem to stick when placed
 in the usual 000-tor-browser.js, and it gets overwritten by pdfjs
 initialization code if specified in the usual fashion (verified with an
 rbm build).

 I assume this is the code that is overriding the settings for
 `pdfjs.disableRange` when placed in `000-tor-browser.js`:
 https://dxr.mozilla.org/mozilla-
 esr52/source/browser/extensions/pdfjs/content/PdfJs.jsm#79

 Maybe we should patch the above code instead and also add the the setting
 to `000-tor-browser.js` as a reminder that we care about the value for
 `pdfjs.disableRange`. Probably gk should decide which approach we want to
 use.

 How bad is performance when loading a large PDF with this change in place?
 I assume "time to first page display" increases significantly.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  needs_review
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201802R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * status:  needs_revision => needs_review


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  needs_revision
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201802R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:  tbb-linkability, TorBrowserTeam201802 => tbb-linkability,
 TorBrowserTeam201802R


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain (was: Range requests are not isolated to URL bar domain)

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  needs_revision
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201802   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by pospeselr):

 * Attachment "0001-Bug-15599-Range-requests-used-by-pdfjs-are-not-
 isola.patch" removed.


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  needs_revision
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201802   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by pospeselr):

 * Attachment "0001-Bug-15599-Range-requests-used-by-pdfjs-are-not-
 isola.patch" added.

 updated description to be grammatical

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  needs_revision
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201802   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by pospeselr):

 Unfortunately, the user_pref setting doesn't seem to stick when placed in
 the usual 000-tor-browser.js, and it gets overwritten by pdfjs
 initialization code if specified in the usual fashion (verified with an
 rbm build).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  needs_revision
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201802   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * status:  needs_review => needs_revision
 * keywords:  tbb-linkability, TorBrowserTeam201801R => tbb-linkability,
 TorBrowserTeam201802


Comment:

 Okay, let's try that in the alpha series a bit. I admit, though, I am a
 bit skeptical whether the possible usability issues are worth it. We'll
 see.

 But before that, two things:

 1) s/cannot/can/ (it seems to me one negation is already enough :) )
 2) `extension-overrides.js` is the wrong place for the patch. We don't
 treat `pdf.js` as en extension but rather as part of the browse core
 (after all it does not show up in the `about:addons` menu etc.). So, our
 usual prefs file, `000-tor-browser.js`, would be the better place.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  needs_review
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201801R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by pospeselr):

 * status:  assigned => needs_review
 * keywords:  tbb-linkability, TorBrowserTeam201801 => tbb-linkability,
 TorBrowserTeam201801R


Comment:

 Patch to disable range-based requests in pdf.js.  Fixes the domain
 isolation issue, at the expense of usability.  With this pref flipped, the
 entire pdf must be downloaded before being viewed and interacted with.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  assigned
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201801   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by pospeselr):

 * Attachment "0001-Bug-15599-Range-requests-used-by-pdfjs-are-not-
 isola.patch" added.


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
-+-
 Reporter:  gk   |  Owner:
 |  pospeselr
 Type:  defect   | Status:
 |  assigned
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-linkability, |  Actual Points:
  TorBrowserTeam201712   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:  tbb-linkability => tbb-linkability, TorBrowserTeam201712
 * owner:  tbb-team => pospeselr


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
--+--
 Reporter:  gk|  Owner:  tbb-team
 Type:  defect| Status:  assigned
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-linkability   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by cypherpunks):

 And its OCSP requests too:
 {{{
 [05-29 18:16:40] Torbutton INFO: tor SOCKS: http://ocsp.usertrust.com/ via
--unknown--:acc796c227a065d5b876d251f00beb87
 }}}
 Replying to [ticket:15599 gk]:
 > Works even in a third party context with
 https://people.torproject.org/~gk/misc/range-request-test.html (your
 security slider level needs to be below medium-high in this case).
 {{{
 Security Error: Content at
 https://kpdyer.com/publications/usenix2014-fte.pdf#disableRange=true may
 not load data from https://people.torproject.org/~gk/misc/range-request-
 test.html.
 Load denied by X-Frame-Options:
 https://kpdyer.com/publications/usenix2014-fte.pdf#disableRange=true does
 not permit cross-origin framing.  (unknown)
 }}}
 Hrm, does PDF.js support Private Browsing Mode?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

[Tor Bug Tracker & Wiki]

#15599: Range requests used by pdfjs are not isolated to URL bar domain
--+--
 Reporter:  gk|  Owner:  tbb-team
 Type:  defect| Status:  assigned
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-linkability   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by bugzilla):

 * severity:   => Normal


Comment:

 {{{ff45-esr-will-have}}}?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs