Opened 6 years ago

Closed 6 years ago

#13044 closed task (fixed)

Enumerate all objects available to WebWorkers and content

Reported by: mikeperry
Owned by: boklm
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: ff31-esr, tbb-testcase, TorBrowserTeam201409
Cc: boklm, gacar, gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

In #13027, we learned that WebWorkers do in fact have a different, custom view of important objects like window.navigator.

For completeness, we should probably enumerate all objects' visible properties in WebWorkers in Tor Browser and Firefox 31ESR, and verify that there are no surprising differences (or other objects we're concerned about).

I believe we already incorporated a test from iSEC to do this with the normal content window. We should probably augment that to examine WebWorkers, too, and then run it for differences on both.

Child Tickets

Attachments (2)

worker_test.html (1.2 KB) - added by gacar 6 years ago.
worker_test.js (1.0 KB) - added by gacar 6 years ago.


Change History (9)

comment:1 Changed 6 years ago by mikeperry

Keywords: tbb-testcase added

comment:2 Changed 6 years ago by gacar

I checked ESR31 with the attached code:

  • ESR31 brings 4 new navigator properties: taintEnabled, appCodeName, product, onLine.
  • There's no screen in the worker context, and window (self) properties are limited.
  • Mismatching `window` properties don't seem harmful.

Below is the list of all properties in ESR31 worker context and whether they match the global window (PASS) or not (FAIL):

  • PASS - navigator.taintEnabled: function taintEnabled() { [native code] }
  • PASS - navigator.appCodeName: Mozilla
  • PASS - navigator.appName: Netscape
  • PASS - navigator.appVersion: 5.0 (X11)
  • PASS - navigator.platform: Linux i686
  • PASS - navigator.userAgent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0
  • PASS - navigator.product: Gecko
  • PASS - navigator.onLine: true
  • PASS - window.postMessage: function postMessage() { [native code] }
  • PASS - window.onmessage: null
  • PASS - window.close: function close() { [native code] }
  • FAIL - window.importScripts: function importScripts() { [native code] } != undefined
  • PASS - window.dump: function dump() { [native code] }
  • PASS - window.btoa: function btoa() { [native code] }
  • PASS - window.atob: function atob() { [native code] }
  • PASS - window.setTimeout: function setTimeout() { [native code] }
  • PASS - window.clearTimeout: function clearTimeout() { [native code] }
  • PASS - window.setInterval: function setInterval() { [native code] }
  • PASS - window.clearInterval: function clearInterval() { [native code] }
  • FAIL - window.self: [object DedicatedWorkerGlobalScope] != [object Window]
  • PASS - window.console: [object Console]
  • FAIL - window.location: test_pages/worker_test.js != test_pages/worker_test.html
  • PASS - window.onerror: null
  • PASS - window.onoffline: null
  • PASS - window.ononline: null
  • FAIL - window.navigator: [object WorkerNavigator] != [object Navigator]
  • FAIL - window.onclose: null != undefined
  • PASS - window.addEventListener: function addEventListener() { [native code] }
  • PASS - window.removeEventListener: function removeEventListener() { [native code] }
  • PASS - window.dispatchEvent: function dispatchEvent() { [native code] }

Changed 6 years ago by gacar

Attachment: worker_test.html added

Changed 6 years ago by gacar

Attachment: worker_test.js added

comment:3 Changed 6 years ago by gk

Cc: gk added

comment:4 Changed 6 years ago by gacar

The list in comment 2 only includes the objects available in the WebWorker context.
MDN also has a list of APIs available to workers:

Given that workers run with chrome capabilities (#13027, #1062920), we should give a good check to these APIs.

comment:5 Changed 6 years ago by gacar

I checked if Components.interfaces (or .classes) is available in the WebWorker context, per Mike's question at the IRC meeting. It seems they're not available (checked with vanilla Firefox 32, ESR24, ESR31 and TBB 3.5). I'll be writing a test to make sure they stay inaccessible.
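
The check described in comment 2 (enumerate a worker's globals and diff them against the page's window view) together with the comment 5 requirement that Components.* stay undefined, as an added example; this is not the ticket's attached worker_test.html/worker_test.js. It assumes the page loads this file via a `<script src>` tag so the same file can be spawned as its own worker; the names in PROPS are taken from comments 2 and 5, and the views in `demo()` are constructed, not captured.

```javascript
// Added example, not the ticket's attached worker_test.{html,js}. PROPS is built from
// the names in comment 2 plus the Components.* names from comment 5, which must stay
// undefined on both sides.
const PROPS = ["navigator.appCodeName", "navigator.product", "navigator.onLine",
  "navigator.taintEnabled", "self", "location", "navigator", "importScripts",
  "onclose", "postMessage", "Components", "Components.interfaces"];
const MUST_BE_ABSENT = ["Components", "Components.interfaces"];

// Stringify one global's view of PROPS like the ticket's output: functions as
// "function name() { [native code] }", everything else via String().
function describe(root, props) {
  const view = {};
  for (const p of props) {
    let v;
    try {   // walk the dotted path; undefined if any segment is missing
      v = p.split(".").reduce((o, k) => (o == null ? undefined : o[k]), root);
    } catch (e) { v = "<throws: " + e.name + ">"; }
    view[p] = typeof v === "function" ? `function ${v.name}() { [native code] }` : String(v);
  }
  return view;
}

// PASS when worker and window agree (and MUST_BE_ABSENT names are "undefined" on
// both); otherwise FAIL, printed as "worker != window" like comment 2.
function diffViews(workerView, windowView, mustBeAbsent = MUST_BE_ABSENT) {
  return Object.keys(workerView).map((p) => {
    const w = workerView[p], m = windowView[p];
    const absentOk = !mustBeAbsent.includes(p) || (w === "undefined" && m === "undefined");
    return `${w === m && absentOk ? "PASS" : "FAIL"} - ${p}: ${w}${w === m ? "" : " != " + m}`;
  });
}

// Constructed sample views (not captured from a browser) so the diff runs offline.
function demo() {
  const workerView = { self: "[object DedicatedWorkerGlobalScope]", "navigator.product": "Gecko",
    importScripts: "function importScripts() { [native code] }", Components: "undefined" };
  const windowView = { self: "[object Window]", "navigator.product": "Gecko",
    importScripts: "undefined", Components: "undefined" };
  return diffViews(workerView, windowView);
}

// Browser wiring, skipped under Node: inside a worker, post our view; in the page
// (which loads this file via <script src>), spawn the same file as a worker and log.
if (typeof importScripts === "function") {
  self.postMessage(describe(self, PROPS));
} else if (typeof Worker !== "undefined" && typeof document !== "undefined") {
  const w = new Worker(document.currentScript.src);
  w.onmessage = (ev) => console.log(diffViews(ev.data, describe(window, PROPS)).join("\n"));
}
```

A name that is present on both sides but listed in MUST_BE_ABSENT is reported as FAIL even though the two views agree, which is the regression the comment 5 test is meant to catch.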

comment:6 in reply to:  4 Changed 6 years ago by gacar

Replying to gacar:

Given that workers run with chrome capabilities (#13027, #1062920)...

This was probably not true; it's just the worker initialization step running with chrome privileges. See https://trac.torproject.org/projects/tor/ticket/13027#comment:11

comment:7 Changed 6 years ago by mikeperry

Resolution: fixed
Status: new → closed

Ok, I think we can call this done. We obviously still need to address #13027, but the initial auditing work seems good here.

We still probably want to convert this to an automated test for the next time, though. Perhaps the best plan is to file a new ticket for that and tag it ff38-esr?
