Opened 7 months ago

Closed 4 months ago

Last modified 3 days ago

#32414 closed defect (fixed)

window.external.AddSearchProvider request goes through catch-all-circuit

Reported by: acat Owned by: acat
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-linkability, TorBrowserTeam202001R
Cc: tbb-team Actual Points:
Parent ID: Points:
Reviewer: pospeselr Sponsor:

Description

Calling external.AddSearchProvider(someURL) does a request that does not follow FPI and goes through the catch-all circuit.

Child Tickets

Change History (8)

comment:1 Changed 7 months ago by acat

Keywords: TorBrowserTeam201912 added

This allows a website to find out the catch-all circuit IP, so I assume it's serious enough to set it for next month (not aware this is currently possible in any other way).

comment:2 Changed 7 months ago by pili

Cc: tbb-team added
Owner: changed from tbb-team to acat
Status: newassigned

Assigning more tickets to acat for the next few months

comment:3 Changed 6 months ago by pili

Keywords: TorBrowserTeam202001 added; TorBrowserTeam201912 removed

acat is afk in December

comment:4 Changed 5 months ago by acat

Keywords: TorBrowserTeam202001R added; TorBrowserTeam202001 removed
Status: assignedneeds_review

Patch for review in https://github.com/acatarineu/tor-browser/commit/32414.

The requests that were not respecting FPI were the .xml and icons fetches when Services.search.addEngine is used to add an engine. From web content, this can be via the (deprecated) API external.AddSearchProvider or via the page action that is added when a page has a <link rel="search" type="application/opensearchdescription+xml"... tag.

comment:5 Changed 4 months ago by pili

Reviewer: pospeselr

comment:6 Changed 4 months ago by pospeselr

These changes look good to me.

comment:7 Changed 4 months ago by boklm

Keywords: tbb-backport added
Resolution: fixed
Status: needs_reviewclosed

I cherry-picket the patch to branch tor-browser-68.4.1esr-9.5-1 as commit 2197dad64e5c3752b1daeab0c676fda07880144c.

comment:8 Changed 3 days ago by gk

Keywords: tbb-backport removed

No backport for those tickets/fixes. They will emerge with 9.5.

Note: See TracTickets for help on using tickets.