Odd wyswig schemes without isolation for browserspy.dk

http://browserspy.dk/screen.php causes some odd urls to appear in about:cache without domain isolation.

We should investigate why these urls are not properly isolated, and perhaps where they come from.

added component::applications/tor browser ff68-esr-will-have owner::tbb-team priority::high resolution::fixed severity::normal sponsor::44-can status::closed tbb-firefox-patch tbb-linkability type::defect labels

After loading http://browserspy.dk/screen.php, we see the following non-isolated entries (all with scheme wyciwyg):

wyciwyg://0/http://browserspy.dk/screen.php wyciwyg://1/http://browserspy.dk/screen.php wyciwyg://2/http://browserspy.dk/screen.php wyciwyg://3/https://googleads.g.doubleclick.net/pagead/ads... (URL truncated) wyciwyg://4/https://googleads.g.doubleclick.net/pagead/ads... (URL truncated)

The wyciwyg scheme is used to keep a copy of content that was modified by JS (probably to support the back button in the browser, etc.) That scheme is not supposed to be accessible by web pages, but isolation might be a good idea.

Mike, did you make the isolation changes for HTTP? The Mozilla file that needs to be patched is probably netwerk/protocol/wyciwyg/nsWyciwygChannel.cpp (see nsWyciwygChannel::OpenCacheEntry(), etc.)

Trac:
Keywords: N/A deleted, tbb-firefox-patch added

Trac:
Component: Firefox Patch Issues to Tor Browser
Owner: mikeperry to tbb-team

Nice ticket to add to Mozilla first-party isolation effort.

Trac:
Severity: N/A to Normal
Reviewer: N/A to N/A
Sponsor: N/A to N/A

Seems Mozilla forgot about it:

Key 	Data size 	Fetch count 	Last Modifed 	Expires 	Pinning
wyciwyg://3/https://trac.torproject.org/projects/tor/ticket/15569 	1016 bytes 	1 	2017-05-23 15:35:35 	No expiration time 	 

This is being used in the wild by a big ad network.

https://bugzilla.mozilla.org/show_bug.cgi?id=1489308 gets rid of the wyciwyg protocol handler.

Trac:
Keywords: N/A deleted, ff68-esr-will-have added

Adding Sponsor 44 to ESR68 tickets

Trac:
Sponsor: N/A to Sponsor44-can

9.0a6, which is about to get built, is based on ESR 68, so closing.

Trac:
Resolution: N/A to fixed
Status: new to closed

closed

mentioned in issue #22451 (moved)

moved to tpo/applications/tor-browser#9336 (closed)

mentioned in issue tpo/applications/tor-browser#22451