#25147: Backport of fix shipped in Firefox 58.0.1? --------------------------------------+------------------------------ Reporter: gk | Owner: pospeselr Type: task | Status: needs_review Priority: Medium | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: Keywords: TorBrowserTeam201803R | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: --------------------------------------+------------------------------
Comment (by gk): Replying to [comment:6 mcs]: > Replying to [comment:5 gk]: > > Thanks, looks good to me. > > Kathy and I also reviewed the backported patch and we think it is okay. We do have a couple of questions: > * Did we look at the "depends on" bug list from https://bugzilla.mozilla.org/show_bug.cgi?id=1432966? Maybe that explains some of the differences between the mozilla-central patch and the release one; for example, I just checked and the fix for https://bugzilla.mozilla.org/show_bug.cgi?id=1433414 is present. Yes, I did that during the review and I think basically all the differences between the m-c and the m-r patch can be explained that way. > * The changes to `devtools/client/responsive.html/components/Browser.js` are missing. Do we need them? I guess the equivalent file in ESR52 is browser.js (with a lowercase-B). Good question and nice catch! I have not checked the source but it does not seem to be unreasonable. > > I wonder whether we have some means to find out if there are instances of this problem that are solely on the ESR 52 branch which Mozilla did not deem worth enough to write a defense-in-depth for. But anyway, that should give us at least the protections available on -release. > > I think the only method is to look at all occurrences of `innerHTML =`, and that is a painful exercise. Kathy and I started that task and found some things that are in ESR52 but not in mozilla-central. Unfortunately, we had to give up after only getting part way through the huge list of files that need to be examined (we stopped somewhere in the d's, just after 'devtools'). For the record, here are the files we did find that contain `innerHTML =` statements that look like they should be patched: > browser/base/content/newtab/sites.js > browser/components/customizableui/CustomizeMode.jsm > browser/components/syncedtabs/SyncedTabsDeckView.js I could ask one of the Moz engineers whether there is a better way. IIRC there is somewhere a doc where the listed all the things they checked wrt ESR 52. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25147#comment:7> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs