Hello, I'm the author of the Torbutton Firefox extension (https://torbutton.torproject.org/dev) which attempts to make Firefox safe to use with the Tor privacy network.
I've spent the last few days trying to fix https://bugzilla.mozilla.org/show_bug.cgi?id=409737, but I've been having little luck. In summary, the issue is that javascript event handlers registered with addEventListener are not disabled by javascript.enabled or docShell.allowJavascript on pages that are kept open after the toggle. An example of this is at http://fscked.org/transient/firefoxjsbug.html.

The reason this bug is so serious for Tor security is that when a user toggles Tor from 'on' to 'off' (or the reverse) while leaving their tabs open, javascript and dynamic content can compromise their anonymity by fetching URLs encoded with unique identifiers after the Tor state has changed. For example, these event handlers make it possible to do such network activity whenever the user's mouse enters the content window.

While wading through the Firefox code, it appeared to me that event listeners were handled by most DOM objects via an nsEventListenerManager member instance. Specifically, it seemed to me that nsEventListenerManager::HandleEventSubType should be the codepath for javascript listeners, because it compiled the handler and then called out to nsJSEventListener::HandleEvent. But as far as I can tell, this codepath is actually performing the proper nsScriptSecurityManager::CanExecuteScripts check by calling CheckFunctionAccess from nsJSContext::CallEventHandler, and is not the one being used when javascript addEventListener event handlers are being called.

I've tried investigating individual DOM elements such as nsDocument and nsGenericElement, but there are so many instances in which these are called that it is hard to differentiate where the page javascript calls are actually made (as opposed to chrome and general browser events).

Can anyone on these lists suggest which codepaths might be involved in calling javascript event listeners registered with addEventListener?
If you are feeling particularly helpful, suggesting any other codepaths that might still allow Javascript to be executed after scripts have been disabled would be greatly appreciated as well.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
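The failure mode described in the post, as an added illustration that is not Firefox code and not the author's: a minimal event-target model in JavaScript contrasting a dispatcher that consults the "scripts allowed" policy only at addEventListener time (handlers registered before the toggle keep firing) with one that re-checks it on every dispatch. ScriptPolicy, RegistrationGatedTarget, DispatchGatedTarget and simulateToggle are invented names for this model; the real nsEventListenerManager and nsScriptSecurityManager paths are far more involved.

```javascript
// Invented model (not Firefox internals): a policy flag standing in for
// javascript.enabled / docShell.allowJavascript.
class ScriptPolicy {
  constructor() { this.enabled = true; }
  canExecuteScripts() { return this.enabled; }
}

// Buggy behaviour from the post: the policy is consulted only when the
// listener is registered, so a handler added while scripts were enabled
// keeps running after the user disables them.
class RegistrationGatedTarget {
  constructor(policy) { this.policy = policy; this.listeners = new Map(); }
  addEventListener(type, fn) {
    if (!this.policy.canExecuteScripts()) return;   // check at registration only
    if (!this.listeners.has(type)) this.listeners.set(type, []);
    this.listeners.get(type).push(fn);
  }
  dispatchEvent(type) {
    let fired = 0;
    for (const fn of this.listeners.get(type) ?? []) { fn(); fired++; }
    return fired;
  }
}

// Desired behaviour: the policy is re-checked at dispatch time, the way the
// CanExecuteScripts check on the nsJSContext::CallEventHandler path would.
class DispatchGatedTarget extends RegistrationGatedTarget {
  dispatchEvent(type) {
    if (!this.policy.canExecuteScripts()) return 0;  // check on every dispatch
    return super.dispatchEvent(type);
  }
}

// Reproduce the scenario: register a handler with scripts on, toggle scripts
// off (the Tor on/off toggle in the post), then fire the event. Returns how
// many times the page's handler ran.
function simulateToggle(TargetClass) {
  const policy = new ScriptPolicy();
  const target = new TargetClass(policy);
  let calls = 0;
  target.addEventListener('mouseover', () => { calls++; });
  policy.enabled = false;              // user toggles scripts off, tab stays open
  target.dispatchEvent('mouseover');   // mouse enters the content window
  return calls;
}
```

Calling simulateToggle with each class shows the registration-gated target still runs the stale handler once, while the dispatch-gated target runs it zero times.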
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
