Opened 8 years ago

Closed 8 years ago

#3739 closed defect (fixed)

SafeCache policy likely fails for https->http CORS (and reverse)

Reported by: mikeperry Owned by: mikeperry
Priority: High Milestone: TorBrowserBundle 2.2.x-stable
Component: TorBrowserButton Version:
Severity: Keywords: MikePerryIteration20110828
Cc: g.koppen@… Actual Points: 2
Parent ID: Points: 2
Reviewer: Sponsor:

Description

Georg noticed several edge cases for the SafeCache policy in #3665. I fixed the ones he found there, but I suspect more may remain, especially for mixed-content pages with CORS requests.

We need to first test this by standing up http://arunranga.com/examples/access-control/simpleXSInvocation.html or similar on a mixed-mode server.

Fixing it will be extra fun, I suspect...

Change History (4)

comment:1 Changed 8 years ago by mikeperry

Keywords: MikePerryIteration20110828 added
Milestone: TorBrowserBundle 2.2.x-stable
Points: 2

Either I'm going to get lucky and this will be fixable with another simple hack, or it will be real real hard...

comment:2 Changed 8 years ago by gk

I have not had time to comment on ticket 3665, but I would not recommend using the Referer as a fallback if using notificationCallbacks is futile. There are scenarios where that does not help either (I encountered one during my tests of our preliminary defense against HTTP Auth tracking, which also uses notificationCallbacks to get the associated window of a request/response; if none is available (or getting the window out of it failed), I tried to get the Referer. I got one, but that did not trigger the separation logic...). Rather, I would suggest using getOriginatingURI(), available via nsICookiePermission and implemented by @mozilla.org/cookie/permission;1. That solved the problems I had and will probably not affect https -> http transitions. Maybe that's the silver bullet we are looking for here. Or it may open new corner cases...

comment:3 Changed 8 years ago by mikeperry

Ok, I just tested getOriginatingURI and it does seem to work in the http CORS case.

However, it still misses some edge cases (such as favicons, safebrowsing, and other browser-sourced requests), for which it throws an NS_ERROR_ILLEGAL_VALUE exception.

I will see if I can set up an https test case for CORS.
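
The approach from comment 2 and the failure mode from comment 3, as an added example that is not Torbutton's code: it assumes the Gecko-era nsICookiePermission.getOriginatingURI(nsIChannel) API, the Gecko value NS_ERROR_ILLEGAL_VALUE = 0x80070057, and uses a constructed stand-in for the cookie-permission service so it runs outside the browser.

```javascript
// Assumed Gecko value of NS_ERROR_ILLEGAL_VALUE (same code as NS_ERROR_INVALID_ARG).
const NS_ERROR_ILLEGAL_VALUE = 0x80070057;

// Resolve the first-party host that should key a SafeCache-style cache partition
// for `channel`. `cookiePermission` is the nsICookiePermission service (in chrome
// code: Components.classes["@mozilla.org/cookie/permission;1"]
//   .getService(Components.interfaces.nsICookiePermission)) or a test double.
// The scheme is deliberately ignored so that an https top-level page making an
// http CORS request (or the reverse) still maps to the same first-party partition.
function firstPartyForChannel(channel, cookiePermission) {
  let originating;
  try {
    originating = cookiePermission.getOriginatingURI(channel);
  } catch (e) {
    // Browser-sourced requests (favicons, safebrowsing, ...) have no originating
    // document; Gecko signals that with NS_ERROR_ILLEGAL_VALUE. Report it as a
    // classification result so the caller can apply a separate policy.
    if (e && e.result === NS_ERROR_ILLEGAL_VALUE) {
      return { firstParty: null, browserSourced: true };
    }
    throw e; // anything else is a genuine error, not a classification
  }
  return { firstParty: originating.host.toLowerCase(), browserSourced: false };
}

// Constructed stand-in for the service: a channel carries its originating URI
// when a document issued it, and none when the browser itself did.
const fakeCookiePermission = {
  getOriginatingURI(channel) {
    if (!channel.originatingURI) {
      throw { result: NS_ERROR_ILLEGAL_VALUE, message: "NS_ERROR_ILLEGAL_VALUE" };
    }
    return channel.originatingURI;
  },
};

// Constructed scenarios mirroring the ticket: https page -> http CORS request,
// the reverse, and a favicon fetch with no originating document.
function runScenarios() {
  const uri = (scheme, host) => ({ scheme, host });
  const scenarios = {
    httpsPageHttpCors: { uri: uri("http", "api.example.net"), originatingURI: uri("https", "Shop.Example.com") },
    httpPageHttpsCors: { uri: uri("https", "api.example.net"), originatingURI: uri("http", "shop.example.com") },
    favicon: { uri: uri("http", "api.example.net"), originatingURI: null },
  };
  const out = {};
  for (const name in scenarios) out[name] = firstPartyForChannel(scenarios[name], fakeCookiePermission);
  return out;
}
```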

comment:4 Changed 8 years ago by mikeperry

Actual Points: 2
Resolution: fixed
Status: new → closed

Ok, it appears to find the parent URL if I just drop in the html from http://arunranga.com/examples/access-control/simpleXSInvocation.html onto another domain that supports https. The request itself fails due to arunner.net not liking my origin header, but I believe that is irrelevant.

I think this one is fixed. Thanks Georg!
