Opened 7 years ago

Last modified 4 months ago

#8213 new defect

spoof history.length - browser.sessionhistory.max_entries

Reported by: proper
Owned by: tbb-team
Priority: Low
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-linkability, tbb-torbutton
Cc: pf.team
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

ip-check.info demonstrated that history.length can be read.

They recommend:

The number of visited pages should be reset to 2 whenever you change to a new domain.

Open about:config and set browser.sessionhistory.max_entries to 2.

What about doing this with TorButton?

Change History (7)

comment:1 Changed 7 years ago by gk

Cc: g.koppen@… added

Setting "browser.sessionhistory.max_entries" to "2" is not worth the usability issues, I think (wearing a user hat). There should be a smarter approach.
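
A small model of one tab's session history, added here as an example (it is not code from the ticket, Tor Browser or Torbutton). It compares what a page on a second site reads from history.length under the default pref, under max_entries set to 2 as the pref was intended to work, and under an assumed reading of the per-domain reset. SessionHistory, spoofedLength, replay and the example URLs are hypothetical.

```javascript
// Added illustration, not Tor Browser or Torbutton code. SessionHistory and
// spoofedLength are hypothetical names; URLs are constructed sample input.
class SessionHistory {
  // 50 is Firefox's default for browser.sessionhistory.max_entries.
  constructor(maxEntries = 50) {
    this.maxEntries = maxEntries;
    this.entries = [];
  }

  navigate(url) {
    this.entries.push(new URL(url));
    // The pref caps the list; the oldest entries are evicted first.
    while (this.entries.length > this.maxEntries) this.entries.shift();
  }

  // What any page in the tab reads from history.length, whatever its origin.
  get length() {
    return this.entries.length;
  }

  // Assumed reading of "reset to 2 on a new domain": report 2 for the first
  // page on a host and count up only while the host stays the same.
  get spoofedLength() {
    if (this.entries.length === 0) return 0;
    const host = this.entries[this.entries.length - 1].hostname;
    let run = 0;
    for (let i = this.entries.length - 1; i >= 0; i--) {
      if (this.entries[i].hostname !== host) break;
      run++;
    }
    return run + 1;
  }
}

// Constructed browsing session: three pages on site A, then one on site B.
const SAMPLE = [
  "https://a.example/", "https://a.example/login", "https://a.example/inbox",
  "https://b.example/",
];

function replay(maxEntries, urls = SAMPLE) {
  const h = new SessionHistory(maxEntries);
  for (const url of urls) h.navigate(url);
  // backStack: how many pages the user can still go back to.
  return { seen: h.length, spoofed: h.spoofedLength, backStack: h.entries.length - 1 };
}

console.log("default pref :", replay(50));
console.log("max_entries=2:", replay(2));
```

With the default pref, site B learns how deep the visit to site A went. Capping at 2 hides that but leaves a single page to go back to, while the per-domain readout keeps the full back stack and still reports 2.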

comment:2 Changed 7 years ago by mikeperry

Keywords: tbb-linkability added
Priority: normal → minor

At best this is a minor cross-origin linkability issue.

comment:3 Changed 6 years ago by erinn

Component: TorBrowserButton → Tor Browser
Keywords: tbb-torbutton added
Owner: changed from mikeperry to tbb-team

comment:4 Changed 2 years ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:5 Changed 6 months ago by Thorin

@gk

FWIW, browser.sessionhistory.max_entries has been broken since FF61, and it will probably never get fixed - see https://bugzilla.mozilla.org/show_bug.cgi?id=1511813

As for cross-origin linkability / privacy concerns: there shouldn't be any: see

I think we can close this.

Edit: Note: there may be other underlying issues with the History API (which the pref has nothing to do with) such as history.pushState, where an attacker can find it useful to hide reflected XSS in the URL by dynamically changing the path to something less suspicious - e.g. http://samuli.hakoniemi.net/tag/history-pushstate/ - but that's out of scope for this ticket

Last edited 6 months ago by Thorin

comment:6 Changed 5 months ago by gk

Cc: g.koppen@… removed

We could think about keeping this ticket for further History API investigations and there is no need for pages knowing my session history length, really.

comment:7 Changed 4 months ago by gk

Cc: pf.team added

#32983 is a duplicate.
