Opened 5 years ago

Last modified 10 months ago

#9336 new defect

Odd wyswig schemes without isolation for

Reported by: mikeperry Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-linkability, tbb-firefox-patch
Cc: mcs, brade, gk Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description causes some odd urls to appear in about:cache without domain isolation.

We should investigate why these urls are not properly isolated, and perhaps where they come from.

Child Tickets

Change History (5)

comment:1 Changed 5 years ago by mcs

After loading, we see the following non-isolated entries (all with scheme wyciwyg):

wyciwyg://3/ (URL truncated)
wyciwyg://4/ (URL truncated)

The wyciwyg scheme is used to keep a copy of content that was modified by JS (probably to support the back button in the browser, etc.) That scheme is not supposed to be accessible by web pages, but isolation might be a good idea.

Mike, did you make the isolation changes for HTTP? The Mozilla file that needs to be patched is probably netwerk/protocol/wyciwyg/nsWyciwygChannel.cpp (see nsWyciwygChannel::OpenCacheEntry(), etc.)

comment:2 Changed 4 years ago by erinn

Keywords: tbb-firefox-patch added

comment:3 Changed 4 years ago by erinn

Component: Firefox Patch IssuesTor Browser
Owner: changed from mikeperry to tbb-team

comment:4 Changed 17 months ago by bugzilla

Severity: Normal

Nice ticket to add to Mozilla first-party isolation effort.

comment:5 Changed 10 months ago by cypherpunks

Seems Mozilla forgot about it:

Key 	Data size 	Fetch count 	Last Modifed 	Expires 	Pinning
wyciwyg://3/ 	1016 bytes 	1 	2017-05-23 15:35:35 	No expiration time 	 
Note: See TracTickets for help on using tickets.