Opened 4 years ago

Last modified 7 months ago

#9336 new defect

Odd wyswig schemes without isolation for browserspy.dk

Reported by: mikeperry
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-linkability, tbb-firefox-patch
Cc: mcs, brade, gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

http://browserspy.dk/screen.php causes some odd urls to appear in about:cache without domain isolation.

We should investigate why these urls are not properly isolated, and perhaps where they come from.

Change History (5)

comment:1 Changed 4 years ago by mcs

After loading http://browserspy.dk/screen.php, we see the following non-isolated entries (all with scheme wyciwyg):

wyciwyg://0/http://browserspy.dk/screen.php
wyciwyg://1/http://browserspy.dk/screen.php
wyciwyg://2/http://browserspy.dk/screen.php
wyciwyg://3/https://googleads.g.doubleclick.net/pagead/ads... (URL truncated)
wyciwyg://4/https://googleads.g.doubleclick.net/pagead/ads... (URL truncated)

The wyciwyg scheme is used to keep a copy of content that was modified by JS (probably to support the back button in the browser, etc.). That scheme is not supposed to be accessible by web pages, but isolation might be a good idea.

Mike, did you make the isolation changes for HTTP? The Mozilla file that needs to be patched is probably netwerk/protocol/wyciwyg/nsWyciwygChannel.cpp (see nsWyciwygChannel::OpenCacheEntry(), etc.)

comment:2 Changed 3 years ago by erinn

Keywords: tbb-firefox-patch added

comment:3 Changed 3 years ago by erinn

Component: changed from Firefox Patch Issues to Tor Browser
Owner: changed from mikeperry to tbb-team

comment:4 Changed 14 months ago by bugzilla

Severity: Normal

Nice ticket to add to Mozilla first-party isolation effort.

comment:5 Changed 7 months ago by cypherpunks

Seems Mozilla forgot about it:

Key 	Data size 	Fetch count 	Last Modifed 	Expires 	Pinning
wyciwyg://3/https://trac.torproject.org/projects/tor/ticket/15569 	1016 bytes 	1 	2017-05-23 15:35:35 	No expiration time 	 
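
Added example (not part of the ticket and not Tor Browser or Mozilla code): a small Python audit of about:cache text that picks out wyciwyg keys in the form quoted in comment:1 and comment:5 and reports which hosts have such entries. The function names, the sample listing and the exact-hostname comparison are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Key form as quoted in the ticket: wyciwyg://<numeric id>/<document URL>.
# Nothing in that key names the first party that loaded the document.
WYCIWYG_RE = re.compile(r"^wyciwyg://(\d+)/(\S+)")

# Constructed sample: keys in the form quoted in the ticket plus one plain
# http key; tab-separated columns follow the about:cache layout in comment:5.
SAMPLE = """\
http://browserspy.dk/screen.php
wyciwyg://0/http://browserspy.dk/screen.php
wyciwyg://3/https://googleads.g.doubleclick.net/pagead/ads... (URL truncated)
wyciwyg://3/https://trac.torproject.org/projects/tor/ticket/15569\t1016 bytes\t1
"""

def parse_wyciwyg_key(key):
    """Return (id, embedded_url, host) for a wyciwyg cache key, else None."""
    m = WYCIWYG_RE.match(key.strip())
    if not m:
        return None
    embedded = m.group(2)
    # The hostname is still recoverable when the path was truncated.
    return int(m.group(1)), embedded, urlsplit(embedded).hostname

def audit(listing, first_party_host):
    """List every wyciwyg entry in about:cache text, one finding per entry."""
    findings = []
    for line in listing.splitlines():
        key = line.split("\t", 1)[0]  # first column holds the cache key
        parsed = parse_wyciwyg_key(key)
        if parsed is None:
            continue
        ident, _embedded, host = parsed
        findings.append({
            "id": ident,
            "host": host,
            # Assumption: exact hostname match, not registrable-domain logic.
            "other_host": host != first_party_host,
            "truncated": "(URL truncated)" in line,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "browserspy.dk"):
        print(finding)
```
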