Trac issues (https://gitlab.torproject.org/legacy/trac/-/issues), feed updated 2022-11-09T16:43:54Z

Issue #2874: Block access to Components.interfaces from content script
https://gitlab.torproject.org/legacy/trac/-/issues/2874
Updated: 2022-11-09T16:43:54Z
Author: Mike Perry

Components.interfaces can be used to fingerprint browser user agent down to OS and minor version. This might not be a lot of data for fingerprinting (depending on how well we keep users upgraded), but it certainly is a concern for targeting exploit payloads against a particular OS and version combo.

Here's an (outdated) PoC: http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html

Here's the Firefox bug for this: https://bugzilla.mozilla.org/show_bug.cgi?id=429070

Issue #2873: Block Components.lookupMethod in TorBrowser
https://gitlab.torproject.org/legacy/trac/-/issues/2873
Updated: 2020-06-13T00:10:44Z
Author: Mike Perry

It appears that ECMAScript 5 added official support for hooking JS objects for protection against XSS. However, Firefox seems to have left a backdoor to undo these hooks in the form of Components.lookupMethod, which is marked "unconfigurable" (which means it cannot be hooked).

We should remove this bit, and/or neuter this API in TorBrowser. This should allow us to safely write JS hooks to deal with fingerprinting issues in the window object and the DOM.