| commit | 84ff007519fa475d36800e979169f961fe0c072e | |
| author | Georg Koppen <gk@torproject.org> | |
| Wed, 1 Mar 2017 20:55:34 +0000 (1 20:55 +0000) | ||
| committer | Georg Koppen <gk@torproject.org> | |
| Wed, 1 Mar 2017 20:57:04 +0000 (1 20:57 +0000) | ||
| tree | a17767b99a63339c22a60a95e8c3a1611ad172f7 | treesnapshot (tar.gz zip) |
| parent | 6942113d046b9e6299ee5f3edcfebdfb8514d607 | commitdiff |
Bug 21396: Allow leaking of resource/chrome URIs
Our work around for https://bugzilla.mozilla.org/show_bug.cgi?id=863246
is filtering content requests to resource:// and chrome:// URIs in a way
that neuters this fingerprinting vector while not breaking standard Tor
Browser functionality.
However, there are extensions like Session Manager that are broken with
this strategy. Users who think having extensions like that one working
is much more important than avoiding the possible information leakage
associated with that get a preference they can toggle now.
'extensions.torbutton.resource_and_chrome_uri_fingerprinting' is by
default 'false' but setting it to 'true' effectively disables our
defense we developed in #8725 and related bugs.
Our work around for https://bugzilla.mozilla.org/show_bug.cgi?id=863246
is filtering content requests to resource:// and chrome:// URIs in a way
that neuters this fingerprinting vector while not breaking standard Tor
Browser functionality.
However, there are extensions like Session Manager that are broken with
this strategy. Users who think having extensions like that one working
is much more important than avoiding the possible information leakage
associated with that get a preference they can toggle now.
'extensions.torbutton.resource_and_chrome_uri_fingerprinting' is by
default 'false' but setting it to 'true' effectively disables our
defense we developed in #8725 and related bugs.
| src/components/content-policy.js | diffblobblamehistory | |
| src/defaults/preferences/preferences.js | diffblobblamehistory |