Opened 3 months ago

Closed 2 months ago

#26590 closed defect (fixed)

SVG isn't blocked in Safest security setting with 8.0a9

Reported by: cypherpunks
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff60-esr, tbb-security-slider, TorBrowserTeam201807R
Cc: arthuredelstein
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

SVG doesn't seem to be blocked in Safest security setting with 8.0a9 (Linux)

Change History (13)

comment:1 Changed 3 months ago by cypherpunks

Looking at about:support one does find

svg.in-content.enabled false

comment:2 in reply to:  description ; Changed 3 months ago by gk

Status: new → needs_information

Replying to cypherpunks:

SVG doesn't seem to be blocked in Safest security setting with 8.0a9 (Linux)

What makes you believe so? Do you have an example that is blocked in Tor Browser stable but not in the alpha?

comment:3 in reply to:  2 Changed 3 months ago by cypherpunks

Replying to gk:

Replying to cypherpunks:

SVG doesn't seem to be blocked in Safest security setting with 8.0a9 (Linux)

What makes you believe so? Do you have an example that is blocked in Tor Browser stable but not in the alpha?

I just noticed that quickly while going into my Github account and trying to report an issue and I saw that the "edit" button icon was present when normally it wasn't with the stable series [I may be wrong though if Github added a png fallback, so very sorry in that case for my misleading report] (as well as the non-presence of the canvas anti-fp notification on first visit to Github, though that may be a fix in Firefox?)

comment:4 in reply to:  1 ; Changed 3 months ago by mcs

Replying to cypherpunks:

Looking at about:support one does find

svg.in-content.enabled false

Looking at https://bugzilla.mozilla.org/show_bug.cgi?id=1216893, it looks like the correct pref name is now svg.disabled. Does the incorrect behavior you observed disappear if you use about:config to set that pref to false?

comment:5 in reply to:  4 Changed 3 months ago by cypherpunks

Replying to mcs:

Looking at https://bugzilla.mozilla.org/show_bug.cgi?id=1216893, it looks like the correct pref name is now svg.disabled. Does the incorrect behavior you observed disappear if you use about:config to set that pref to false?

I can confirm.

comment:6 Changed 3 months ago by cypherpunks

Status: needs_information → new

comment:7 Changed 3 months ago by cypherpunks

Keywords: ff60-esr tbb-security-slider TorBrowserTeam201807 added

What?! Again?! Now the reversed #21885. Also check for #16607.

comment:8 Changed 3 months ago by arthuredelstein

Cc: arthuredelstein added

comment:9 Changed 3 months ago by gk

Priority: Medium → Very High

comment:10 Changed 3 months ago by gk

Priority: Very High → High

comment:11 Changed 2 months ago by arthuredelstein

I confirmed we need to update the pref name. Here's a patch that does that:

https://github.com/arthuredelstein/torbutton/commit/26590

comment:12 Changed 2 months ago by arthuredelstein

Keywords: TorBrowserTeam201807R added; TorBrowserTeam201807 removed
Status: new → needs_review

comment:13 Changed 2 months ago by gk

Resolution: fixed
Status: needs_review → closed

Looks good to me. Merged to master (commit 54c64d2ea862873a42e6049e2e1aa2bc4a5b2b27)
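
The failure mode in this ticket, a security setting written to a pref name the browser no longer reads, can be checked for mechanically. The following is an added example, not part of the ticket or of Torbutton's code: it audits a prefs.js-style dump for the rename discussed above. The names RENAMED_PREFS, parsePrefs and auditRenamedPrefs and both sample profiles are constructed for illustration, and it assumes that svg.disabled set to true is the value that blocks SVG.

```javascript
// Added example: audit a Firefox-style prefs.js dump for a renamed security pref.
// RENAMED_PREFS is a table built for this example; its single entry is the
// rename discussed in this ticket (svg.in-content.enabled -> svg.disabled).
const RENAMED_PREFS = [
  { legacy: "svg.in-content.enabled", legacyBlocked: false,
    current: "svg.disabled", currentBlocked: true }, // assumption: true blocks SVG
];

// Parse user_pref("name", value); lines into a Map of name -> value.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);/gm;
  for (const m of text.matchAll(re)) prefs.set(m[1], JSON.parse(m[2]));
  return prefs;
}

// For each renamed pref, report whether the blocking value is actually in
// effect, or whether only the legacy name (ignored by the browser) carries it.
function auditRenamedPrefs(text) {
  const prefs = parsePrefs(text);
  return RENAMED_PREFS.map((r) => {
    const effective = prefs.get(r.current) === r.currentBlocked;
    const legacyOnly = !effective && prefs.get(r.legacy) === r.legacyBlocked;
    const status = effective ? "blocked"
      : legacyOnly ? "stale-pref-no-effect" : "not-blocked";
    return { pref: r.current, legacy: r.legacy, status };
  });
}

// Constructed sample profiles (not taken from a real Tor Browser install).
const ALPHA_PROFILE = `
user_pref("javascript.enabled", false);
user_pref("svg.in-content.enabled", false);
`;
const FIXED_PROFILE = `
user_pref("javascript.enabled", false);
user_pref("svg.disabled", true);
`;

console.log(auditRenamedPrefs(ALPHA_PROFILE));
console.log(auditRenamedPrefs(FIXED_PROFILE));
```

A status of stale-pref-no-effect is the condition reported here: the legacy pref shows the blocking value in about:support while the feature stays enabled.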
