Opened 3 years ago

Closed 3 years ago

#21741 closed task (fixed)

Check for proxy bypasses with new HTML Drag and Drop API

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff52-esr, TorBrowserTeam201704, tbb-7.0-must-alpha, GeorgKoppen201704
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor4

Description

We had issues in the past with drag and drop bypassing our proxy settings. There is a new API that got implemented which can do the things the old one did and more (see: https://bugzilla.mozilla.org/show_bug.cgi?id=906420, https://bugzilla.mozilla.org/show_bug.cgi?id=1289255, and https://bugzilla.mozilla.org/show_bug.cgi?id=1298243). We should assure that our old defense against proxy bypass holds.

Child Tickets

Change History (4)

comment:1 Changed 3 years ago by gk

Keywords: TorBrowserTeam201704 added; TorBrowserTeam201703 removed

Moving tickets over to April

comment:2 Changed 3 years ago by gk

Keywords: tbb-7.0-must-alpha added; tbb-7.0-must removed

Getting this on our radar for alpha release in less than two weeks.

comment:3 Changed 3 years ago by gk

Keywords: GeorgKoppen201704 added

Putting tickets on my plate for the alpha.

comment:4 Changed 3 years ago by gk

Resolution: fixed
Status: newclosed

I checked the nightly build for drag-and-drop proxy bypasses with Wireshark and looked at Torbutton log output. I found no DNS leaks and there were no error messages in the drag-and-drop related Torbutton code either. Furthermore, I looked at the patches in the description and compared nsITransferable.idl between esr45 and esr52 and no new MIME types that are "url"-related got added. Thus, I think we are good here.

Note: See TracTickets for help on using tickets.