Opened 5 years ago

Closed 5 years ago

#15562 closed defect (fixed)

SharedWorker violates first party isolation

Reported by: arthuredelstein Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Keywords: tbb-linkability, TorBrowserTeam201504R, tbb-4.5-alpha
Cc: mcs, gk, boklm Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by arthuredelstein)

Running a SharedWorker from an iframe allows passing of information via JavaScript between two websites. Here's a demo, where two tabs from different domains share uniquely identifying information. The first tab generates a random number, and the second tab displays the same random number.

https://arthuredelstein.github.io/tordemos/sharedworker-parent.html

Child Tickets

Change History (11)

comment:1 Changed 5 years ago by mcs

Cc: mcs added

comment:2 Changed 5 years ago by arthuredelstein

Description: modified (diff)
Summary: SharedWorker (and probably ServiceWorker) violate first party isolationSharedWorker violate first party isolation

(Narrowing ticket scope to SharedWorker only).

comment:3 Changed 5 years ago by arthuredelstein

Summary: SharedWorker violate first party isolationSharedWorker violates first party isolation

comment:4 Changed 5 years ago by arthuredelstein

Here's a patch for review that disables SharedWorkers:
https://github.com/arthuredelstein/tor-browser/commit/ff924f41b59068793d0785229619c33a2baa10ff

See #15564 for a ticket to re-enable SharedWorkers, but isolate them by first party domain.

comment:5 Changed 5 years ago by arthuredelstein

Keywords: TorBrowserTeam201504R added
Status: newneeds_review

comment:6 Changed 5 years ago by mikeperry

Keywords: tbb-4.5-alpha added

I think we should also create a patch for Torbutton to toggle this in torbutton_update_thirdparty_prefs().

comment:7 Changed 5 years ago by arthuredelstein

Here's a torbutton patch (6c6db77202). Please note the inclusion of the parent commit (c16e185af3) in this branch, which fixes an incorrect function call that I ran into when writing the patch for this ticket. Without that parent commit, torbutton throws a pref is not defined error for that line.

https://github.com/arthuredelstein/torbutton/commits/15562

comment:8 Changed 5 years ago by gk

Cc: gk added

comment:9 Changed 5 years ago by gk

Cc: boklm added

Okay, this is merged into tor-browser (commit ff924f41b59068793d0785229619c33a2baa10ff) and torbutton (commits c16e185af35ea05b0612e1453541fb6cadd5111b and d8d7f2a0d36407d1461666487238b2321e506db4) (I adapted the commit message for the latter a bit).

I added related prefs to the settings.js test in bug_15562_v2 in my tor-browser-bundle-testsuite repo (https://gitweb.torproject.org/user/gk/tor-browser-bundle-testsuite.git/commit/?h=bug_15562_v2&id=281d43f8af637af688a15c79aa5363378b5cb3ef).

comment:10 in reply to:  9 Changed 5 years ago by boklm

Replying to gk:

I added related prefs to the settings.js test in bug_15562_v2 in my tor-browser-bundle-testsuite repo (https://gitweb.torproject.org/user/gk/tor-browser-bundle-testsuite.git/commit/?h=bug_15562_v2&id=281d43f8af637af688a15c79aa5363378b5cb3ef).

Ok, I merged this change. I modified your commit a little to fix the syntax error:
https://gitweb.torproject.org/boklm/tor-browser-bundle-testsuite.git/commit/?id=48c6757518da5d35d6b0aaf51c797a8ad60c2415

comment:11 Changed 5 years ago by gk

Resolution: fixed
Status: needs_reviewclosed

Oh, man, this is embarrassing. I should have run the test at least :(. Thanks.

Note: See TracTickets for help on using tickets.