Opened 5 years ago

Closed 5 years ago

#15460 closed defect (fixed)

FTP requests are not isolated to first party domain

Reported by: gk
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: tbb-4.5-alpha, TorBrowserTeam201503R
Cc: arthuredelstein, mikeperry
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


While looking at Torbutton patches Mike committed last night I realized we are not isolating FTP requests to the URL bar domain. This does not only lead to top level FTP requests not showing up in the circuit display but rather to all embedded FTP requests being sent over the default circuit. I fear there are quite a number of risks involved in this design that give malicious websites ample chances to correlate user traffic at least.
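To make the risk in the report concrete, here is an added example (not Torbutton's code) that models first-party stream isolation as a key derived from the URL bar domain, with the `isolate_ftp` flag standing in for the missing FTP handling; the circuit labels, the `DEFAULT_CIRCUIT` name and the sample page loads are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed model: every distinct isolation key gets its own circuit, and
# requests with no key all share one default circuit (label is an assumption).
DEFAULT_CIRCUIT = "default"


def isolation_key(first_party_url, request_url, isolate_ftp):
    """Return the circuit-isolation key for an embedded request.

    isolate_ftp=False models the bug: only http(s) requests are keyed on the
    URL bar (first-party) domain, so every FTP request lands on the shared
    default circuit. isolate_ftp=True keys FTP the same way as http(s).
    """
    scheme = urlsplit(request_url).scheme.lower()
    first_party = urlsplit(first_party_url).hostname
    if scheme in ("http", "https") or (scheme == "ftp" and isolate_ftp):
        return first_party
    return None


def assign_circuits(page_loads, isolate_ftp):
    """Map each (first-party URL, request URL) pair to a circuit label."""
    circuits = {}
    for first_party_url, request_url in page_loads:
        key = isolation_key(first_party_url, request_url, isolate_ftp)
        circuits[(first_party_url, request_url)] = key or DEFAULT_CIRCUIT
    return circuits


def shared_default_circuit(page_loads, isolate_ftp):
    """First-party domains whose requests ended up on the default circuit.

    More than one domain here means traffic from different sites is mixed on
    a single circuit, which is the correlation risk the ticket describes.
    """
    circuits = assign_circuits(page_loads, isolate_ftp)
    return sorted({urlsplit(fp).hostname
                   for (fp, _), circuit in circuits.items()
                   if circuit == DEFAULT_CIRCUIT})


# Constructed sample: two unrelated sites both embed the same FTP image.
SAMPLE_LOADS = [
    ("https://site-a.example/", "https://cdn.example/logo.png"),
    ("https://site-a.example/", "ftp://files.example/banner.gif"),
    ("https://site-b.example/", "ftp://files.example/banner.gif"),
]
```

Running `shared_default_circuit(SAMPLE_LOADS, False)` reports both sites on the shared circuit; with `isolate_ftp=True` the list is empty because each FTP request is keyed on its own first-party domain.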

Change History (3)

comment:1 Changed 5 years ago by gk

I hope I can come up with something later today but definitely think we should fix that. At least before we ship a stable release with domain isolation.

comment:2 Changed 5 years ago by arthuredelstein

Keywords: TorBrowserTeam201503R added
Status: new → needs_review

comment:3 Changed 5 years ago by mikeperry

Resolution: fixed
Status: needs_review → closed

Ok, I tested this and it does print out the log message with the patch. It didn't even properly load the ftp image without the patch.
