#25147: Backport of fix shipped in Firefox 58.0.1?
 Reporter:  gk                        |          Owner:  pospeselr
     Type:  task                      |         Status:  needs_review
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  TorBrowserTeam201803R     |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by mcs):

 Replying to [comment:5 gk]:
 > Thanks, looks good to me.

 Kathy and I also reviewed the backported patch and we think it is okay. We
 do have a couple of questions:
 * Did we look at the "depends on" bug list from
 https://bugzilla.mozilla.org/show_bug.cgi?id=1432966? Maybe that explains
 some of the differences between the mozilla-central patch and the release
 one; for example, I just checked and the fix for
 https://bugzilla.mozilla.org/show_bug.cgi?id=1433414 is present.
 * The changes to `devtools/client/responsive.html/components/Browser.js`
 are missing. Do we need them? I guess the equivalent file in ESR52 is
 browser.js (with a lowercase-B).

 > I wonder whether we have some means to find out if there are instances
 of this problem that are solely on the ESR 52 branch which Mozilla did not
 deem worth enough to write a defense-in-depth for. But anyway, that should
 give us at least the protections available on -release.

 I think the only method is to look at all occurrences of `innerHTML =`,
 and that is a painful exercise. Kathy and I started that task and found
 some things that are in ESR52 but not in mozilla-central. Unfortunately,
 we had to give up after only getting part way through the huge list of
 files that need to be examined (we stopped somewhere in the d's, just
 after 'devtools'). For the record, here are the files we did find that
 contain `innerHTML =` statements that look like they should be patched:

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25147#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
tor-bugs mailing list

Reply via email to