#16874: https://sports.yahoo.com/dailyfantasy is broken with Tor Browser 5.0 on Windows -------------------------+------------------------------------------------- Reporter: gk | Owner: tbb-team Type: defect | Status: new Priority: normal | Milestone: Component: Tor | Version: Browser | Keywords: tbb-usability-website, Resolution: | tbb-5.0-regression, TorBrowserTeam201509 Actual Points: | Parent ID: Points: | -------------------------+-------------------------------------------------
Comment (by mikeperry): I'm unfamiliar with the new Services.scriptloader.loadSubScript API, but looking it up, it seems common for people to use https://developer.mozilla.org/en- US/docs/Mozilla/Tech/XPCOM/Language_Bindings/Components.utils.Sandbox with it still, to cause the script to evaluate with content privileges.. Are you sure that what you did with XPCNativeWrapper.unwrap() instead is safe there? There's two main sources of risk when doing stuff like this: 1. Adding Intl.js from chrome could cause the Intl.js expandos to actually have chrome privileges inside the content window. This seems unlikely, but again I'm not sure. 2. The polyfill itself may be running with chrome privs when installing itself, which means that if it touches an unwrapped window property, it may be induced to execute content code (in the form of a getter/setter, perhaps) that way, in a privileged setting. For some reason, I can't seem to find any documentation on either of these risks. Perhaps that's because this new API is magically safe no matter how you use it? Maybe this is a question for #security on irc.mozilla.org, and/or some testing? -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16874#comment:15> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online _______________________________________________ tor-bugs mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
