#8725: resource:// URIs leak information
--------------------------------------------------------------------------
     Reporter:  holizz
        Owner:  tbb-team
         Type:  defect
       Status:  needs_review
     Priority:  Very High
    Milestone:
    Component:  Applications/Tor Browser
      Version:
     Severity:  Major
   Resolution:
     Keywords:  tbb-fingerprinting, tbb-rebase-regression, tbb-testcase,
                tbb-firefox-patch, TorBrowserTeam201606R
Actual Points:
    Parent ID:
       Points:
     Reviewer:
      Sponsor:
--------------------------------------------------------------------------

Comment (by gk):

 Replying to [comment:32 arthuredelstein]:
 > I also made a test to see if I could use redirects from content to load
 > resource:// or chrome:// URIs into <script> elements:
 >
 > https://arthuredelstein.github.io/tordemos/resource-locale.html
 >
 > In unpatched Firefox or TorBrowser, the redirects fail and the following
 > error is shown in the Browser Console:
 > {{{
 > Security Error: Content at https://arthuredelstein.github.io/tordemos/resource-locale.html may not load or link to jar:file:///Applications/Firefox.app/Contents/Resources/browser/omni.ja!/defaults/preferences/webide-prefs.js.
 > Security Error: Content at https://arthuredelstein.github.io/tordemos/resource-locale.html may not load or link to jar:file:///Applications/Firefox.app/Contents/Resources/browser/omni.ja!/chrome/browser/content/browser/browser.xul.
 > }}}

 Yes, I am not concerned with redirects breaking due to security errors. I
 have not tested this but not including cross-origin loads might help here.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8725#comment:34>