Opened 4 years ago

Last modified 8 months ago

#15825 new defect

webgl.disable-extensions true about:config setting may allow DoS and breaks websites

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security, tbb-fingerprinting
Cc: gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Reference #3323 and #6370 ...

"The conclusion is that if we set webgl.min_capability_mode and webgl.disable-extensions, our primary API-level fingerprinting concerns are addressed."

However, I am concerned because this presumably disables security extensions such as GL_ARB_robustness too, making it easier for malicious content to cause crashes on the user's computer (some of which can lead to things such as remote code execution).

Change History (4)

comment:1 Changed 4 years ago by cypherpunks

Component: changed from "- Select a component" to "Tor Browser"
Owner: set to tbb-team

comment:2 Changed 4 years ago by gk

Cc: gk added

comment:3 Changed 2 years ago by cypherpunks

Keywords: tbb-security added
Severity: Normal

comment:4 Changed 8 months ago by gk

Keywords: tbb-fingerprinting added
Summary: changed from "webgl.disable-extensions true about:config setting may allow DoS" to "webgl.disable-extensions true about:config setting may allow DoS and breaks websites"

Let's get the usability angle in this ticket as well, trying to collect a single place where we deal with allowing those extensions. See: #29246 for steps to reproduce for https://demo.marpi.pl/biomes/ and the report on the blog: https://blog.torproject.org/comment/279587#comment-279587
