Opened 5 years ago

Last modified 3 years ago

#12683 new defect

Permissions in nsIPermissionManager aren't cleared with TorButton's "New Identity"

Reported by: isis
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-linkability, tbb-newnym, tbb-torbutton
Cc: isis, mikeperry, gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


When TorButton's "New Identity" button is pressed, the permissions stored with nsIPermissionManager aren't cleared, even though nsIPermissionManager.removeAll() is called.

From torbutton_do_new_identity() in src/chrome/content/torbutton.js:

  torbutton_log(3, "New Identity: Clearing permissions");
  let pm = Cc["@mozilla.org/permissionmanager;1"].
           getService(Ci.nsIPermissionManager);
  pm.removeAll();

  torbutton_log(3, "New Identity: Sending NEWNYM");

There's a ton of info stored in this thing, including how many times the site has been visited, if popups are allowed, if a site can access offline storage, etc. For me, several dozen sites are listed after clicking "New Identity". It seems to have been keeping these permissions for quite a while, as some of my sites are reported to have hundreds of visits.

To reproduce, do some stuff in TorBrowser for a while, then click "TorButton > New Identity", then navigate to about:permissions.

Change History (6)

comment:1 Changed 5 years ago by mikeperry

Keywords: tbb-newnym added
Priority: changed from normal to major

comment:2 in reply to:  description Changed 5 years ago by gk

Component: changed from Torbutton to TorBirdy
Owner: set to ioerror

Replying to isis:

To reproduce, do some stuff in TorBrowser for a while, then click "TorButton > New Identity", then navigate to about:permissions.

I think I followed these instructions closely but was not able to reproduce your problem. :) Do you have some, well, more fine-grained steps for me?

comment:3 Changed 5 years ago by gk

Component: changed from TorBirdy to TorBrowserButton
Owner: changed from ioerror to mikeperry

comment:4 Changed 5 years ago by erinn

Component: changed from TorBrowserButton to Tor Browser
Keywords: tbb-torbutton added
Owner: changed from mikeperry to tbb-team

comment:5 Changed 5 years ago by isis

Hmm. I tested on two machines, both of which were able to reproduce this issue, and both of which had:

Preference Name                          Value
extensions.torbutton.block_disk          false
extensions.torbutton.saved.disk_cache    true

Then I tested on a third machine with:

Preference Name                          Value
extensions.torbutton.block_disk          true
extensions.torbutton.saved.disk_cache    true

So it seems like, perhaps, if TorButton's block_disk patches are disabled, then FF writes the nsIPermissionManager preferences to disk, and TorButton isn't able to clear them from disk, even when calling nsIPermissionManager.removeAll(). Perhaps nsIPermissionManager.removeAll() is broken?

Version 0, edited 5 years ago by isis

comment:6 Changed 3 years ago by bugzilla

Severity: Normal

about:permissions was removed from FF45 ESR: (Remove about:permissions from Firefox)

Last edited 3 years ago by bugzilla
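
An added example, not part of the ticket or of Torbutton's code: comment 5 suspects the permissions persist on disk, so this Python check reads a profile's permissions.sqlite directly and reports the per-site rows that remain after "New Identity". The moz_hosts/moz_perms table layouts, the function names and the sample rows are assumptions made for the example.

```python
import sqlite3

# Site column per table: older profiles key rows by host (moz_hosts),
# newer ones by origin (moz_perms). Assumed layouts, not taken from the ticket.
TABLES = {"moz_hosts": "host", "moz_perms": "origin"}

def open_profile_db(path):
    # Read-only URI so the check never modifies the profile under test.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def surviving_permissions(conn):
    """Return sorted (site, type, permission) rows stored in the database."""
    present = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")}
    rows = []
    for table, site_col in TABLES.items():
        if table in present:
            rows += conn.execute(
                f"SELECT {site_col}, type, permission FROM {table}").fetchall()
    return sorted(rows)

def check_new_identity(conn, expected=frozenset()):
    """Return (clean, leftovers); `expected` holds (site, type) pairs that
    are allowed to remain, such as defaults shipped with the browser."""
    leftovers = [r for r in surviving_permissions(conn)
                 if (r[0], r[1]) not in expected]
    return (not leftovers, leftovers)

def build_sample_db():
    """Constructed stand-in for permissions.sqlite (sample rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_hosts (id INTEGER PRIMARY KEY, host TEXT,"
                 " type TEXT, permission INTEGER, expireType INTEGER,"
                 " expireTime INTEGER)")
    conn.executemany(
        "INSERT INTO moz_hosts (host, type, permission, expireType,"
        " expireTime) VALUES (?, ?, ?, 0, 0)",
        [("example.com", "popup", 1), ("example.org", "offline-app", 1)])
    return conn

if __name__ == "__main__":
    conn = build_sample_db()
    print(check_new_identity(conn))         # rows still in the store
    conn.execute("DELETE FROM moz_hosts")   # constructed: an emptied store
    print(check_new_identity(conn))
```

To run it against a real profile, close the browser after clicking "New Identity" and pass the result of open_profile_db() on that profile's permissions.sqlite to check_new_identity().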