Opened 4 weeks ago

#31753 new defect

Web developer network tab breaks first-party isolation in some cases II

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-linkability
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

There are rare cases where the first-part isolation breaks if the Web developer Network tab is open. This got first reported on our blog: ​https://blog.torproject.org/blog/tor-browser-65a5-released#comment-224102

Steps to reproduce (works in the alpha series on Windows at least):

1) Start a fresh Tor Browser and set the Torbutton log level to "3"
2) Open the Network tab in the Web developer console (Ctrl + Shift + Q)
3) Go to ​https://torproject.org
4) Reload the page with the arrow in the URL bar

Result:

Torbutton INFO: tor SOCKS: https://www.torproject.org/static/css/bootstrap.css.map via--unknown--:878a267349f5b487247d0a0175ae27f2

It is actually only the request for one resource that is affected. And having the Network tab open is crucial for reproducing the bug.

Child Tickets

Change History (0)

Note: See TracTickets for help on using tickets.