Tor Browser locale is leaked via title of link tag on non-html page

ryotak reported via our HackerOne bug bounty program that the Tor Browser locale is leaked via the title of the link tag on any non-html page.

For a test ryotak came up with see: https://people.torproject.org/~gk/tests/tor_plaintext_locale_leak.html.

added component::applications/tor browser ff68-esr-will-have owner::tbb-team priority::high resolution::fixed severity::normal sponsor::44-can status::closed tbb-fingerprinting-locale type::defect labels

Trac:
Summary: Tor Browser locale is leaked via title of link tag on 404 error page to Tor Browser locale is leaked via title of link tag on non-html page
Description: ryotak reported via our HackerOne bug bounty program that the Tor Browser locale is leaked via the title of link tag on 404 error page.

For a test ryotak came up with see: https://people.torproject.org/~gk/tests/tor_plaintext_locale_leak.html.

to

ryotak reported via our HackerOne bug bounty program that the Tor Browser locale is leaked via the title of the link tag on any non-html page.

For a test ryotak came up with see: https://people.torproject.org/~gk/tests/tor_plaintext_locale_leak.html.

FWIW: this behavior (or at least the PoC) stopped working as of FF68+, so you should be good to go in the next ESR cycle. It returns a blank.

Replying to Thorin:

FWIW: this behavior (or at least the PoC) stopped working as of FF68+, so you should be good to go in the next ESR cycle. It returns a blank.

Interesting, I wonder what bugfix on Mozilla's side is responsible for that...

Trac:
Keywords: N/A deleted, ff68-esr-will-have added

The error is 68+ is

Security Error: Content at https://people.torproject.org/~gk/tests/test.txt may not load or link to re[/content-accessible/plaintext.css.](/content-accessible/plaintext.css`.)

If I'm following this correctly:

• 57+ https://bugzilla.mozilla.org/show_bug.cgi?id=863246 - blocked re[/URIs](/URIs`) (yay!)
• 57+ https://bugzilla.mozilla.org/show_bug.cgi?id=1395486 - they allowed plaintext.css in 57+ as a regression from 863246 (boo!)
• 68+ https://bugzilla.mozilla.org/show_bug.cgi?id=1514655 - and now they've closed it down again (yay!)

However, the last bugzilla is css, enhancement: and I wouldn't be surprised if it got reverted again. IDK, I just want to make sure that's it's a permanent [edit: and full] solution

Adding Sponsor 44 to ESR68 tickets

Trac:
Sponsor: N/A to Sponsor44-can

9.0a6, which is about to get built, is based on ESR 68, so closing.

Trac:
Status: new to closed
Resolution: N/A to fixed

closed

moved to tpo/applications/tor-browser#30657 (closed)