Opened 3 years ago

Closed 3 years ago

#21685 closed defect (fixed)

Remote New Tab pages have access to internal browser APIs in Firefox 52

Reported by: gk
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff52-esr, tbb-7.0-must-alpha, TorBrowserTeam201705R
Cc: fdsfgs@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: Sponsor4

Description

It is possible that remote New Tab pages have access to internal browser APIs in Firefox 52.

PreviewProvider Messaging API (https://bugzilla.mozilla.org/show_bug.cgi?id=1239119),
NewTabPrefsProvider Messaging API (https://bugzilla.mozilla.org/show_bug.cgi?id=1239118), and
PlacesProvider Messaging API (https://bugzilla.mozilla.org/show_bug.cgi?id=1239116)

are relevant. The content signature service (https://bugzilla.mozilla.org/show_bug.cgi?id=1252882) is important in this picture, too.

Change History (8)

comment:1 Changed 3 years ago by tokotoko

Cc: fdsfgs@… added

comment:2 Changed 3 years ago by cypherpunks

We should replace about:newtab with about:tor via Torbutton using NewTabURL.jsm API https://bugzilla.mozilla.org/show_bug.cgi?id=1118285
or via direct Firefox patch.

comment:3 Changed 3 years ago by gk

Keywords: TorBrowserTeam201704 added; TorBrowserTeam201703 removed

Moving tickets over to April

comment:4 Changed 3 years ago by gk

Keywords: tbb-7.0-must-alpha added; tbb-7.0-must removed

Getting this on our radar for alpha release in less than two weeks.

comment:5 Changed 3 years ago by gk

Priority: Medium → High

This is higher prio.

comment:6 Changed 3 years ago by gk

Keywords: TorBrowserTeam201705 added; TorBrowserTeam201704 removed

Moving our tickets to May 2017.

comment:7 Changed 3 years ago by arthuredelstein

Keywords: TorBrowserTeam201705R added; TorBrowserTeam201705 removed
Status: new → needs_review

The browser.newtabpage.remote pref is set to false in Firefox 52ESR by default. I looked at the relevant code and tried toggling the pref manually and I am convinced that remote pages are disabled in new tabs when the pref is false. So I don't think we need to worry about these additional APIs being accessed by remote pages.

We can also set the pref to false ourselves (redundantly) to be sure this doesn't change in the future. Here's a patch that does that:
https://github.com/arthuredelstein/tor-browser/commit/21685

comment:8 Changed 3 years ago by gk

Resolution: fixed
Status: needs_review → closed

Patch applied, thanks (commit 611b3ff60078725f036e253c5d10a3d01d8fde90 on tor-browser-52.1.0esr-7.0-2)
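
Added example (not part of the ticket, the linked patch, or Tor Browser's code): a Node.js check that computes the effective value of browser.newtabpage.remote from Firefox-style pref files, so a build or profile audit can confirm that remote New Tab pages stay disabled as comment:7 describes. The function names and sample file contents are constructed for illustration, and only pref() and user_pref() calls are handled.

```javascript
// Added example (not Tor Browser code): audit pref files for one boolean pref.
const PREF_NAME = "browser.newtabpage.remote";

// Drop /* */ and // comments so commented-out prefs are not counted.
// String-aware: a "//" inside a quoted value (such as a URL) is kept.
function stripComments(text) {
  const re = /"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;
  return text.replace(re, (m) => (m[0] === '"' || m[0] === "'" ? m : " "));
}

// Collect pref("name", v) and user_pref("name", v) calls for one pref name.
// The last assignment of each kind wins; other call forms are out of scope.
function parsePrefs(text, name) {
  const found = { default: undefined, user: undefined };
  const re = /\b(user_pref|pref)\s*\(\s*(["'])([\w.-]+)\2\s*,\s*(true|false|-?\d+|"(?:\\.|[^"\\])*")\s*\)\s*;/g;
  for (const m of stripComments(text).matchAll(re)) {
    if (m[3] !== name) continue;
    found[m[1] === "user_pref" ? "user" : "default"] = JSON.parse(m[4]);
  }
  return found;
}

// Effective value over files applied in order: a user value overrides any
// default; with no assignment at all, the built-in default applies.
function effectiveValue(files, name, builtinDefault) {
  let def = builtinDefault, user;
  for (const text of files) {
    const p = parsePrefs(text, name);
    if (p.default !== undefined) def = p.default;
    if (p.user !== undefined) user = p.user;
  }
  return user !== undefined ? user : def;
}

// Built-in default false is what comment:7 reports for Firefox 52 ESR.
function remoteNewTabDisabled(files) {
  return effectiveValue(files, PREF_NAME, false) === false;
}

// Constructed sample inputs, not taken from the patch or a real profile.
const PINNED_DEFAULTS = `
// pinned redundantly
pref("example.constructed.url", "https://example.invalid/"); pref("browser.newtabpage.remote", false);
`;
const USER_OVERRIDE = `
/* user_pref("browser.newtabpage.remote", false); */
user_pref("browser.newtabpage.remote", true);
`;
console.log(remoteNewTabDisabled([PINNED_DEFAULTS]));                // true
console.log(remoteNewTabDisabled([PINNED_DEFAULTS, USER_OVERRIDE])); // false
```

The second call shows why pinning the default alone is not a complete guarantee: a later user_pref() still flips the effective value, which is what an audit of shipped profiles should look for.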