Legacy Trac issue #15502
Closed (moved)
Created Mar 28, 2015 by Mike Perry@mikeperry

URL.createObjectURL() considered harmful

Blobs are a mechanism for creating temporary files that live in the browser and can optionally be assigned a random GUID that can be accessed via the blob: scheme.

Unfortunately, this has several bad consequences for TBB:

  1. blob: URIs are whitelisted in NoScript
  2. blob: URIs survive New Identity
  3. blob: URIs are not isolated by top-level domain

I think this is tricky to exploit to get arbitrary scripts to run, because you already need scripts enabled to create these things. They are also not great to use as a tracking vector, because the GUID you get is randomly assigned.

However, they still deeply concern me because if you want to keep track of a short list of users, you can create blob URIs for them, record those GUIDs, and cycle through this list of GUIDs for every user who visits any site.

Here's an example blob URI creation script that gives you a blob URI that you can throw in the URL bar. It will then execute scripts (pop up an alert) even if you have instructed NoScript to disable scripts globally: https://people.torproject.org/~mikeperry/transient/tests/blob-uri-creation.html

You can also use the resulting URI to test and see that it survives New Identity.

This ticket probably needs several child tickets to deal with the various issues here. Or we could just simply drop support for the URI feature of the Blob APIs. It seems rather obscure and unnecessary, since you can use these things as normal JS objects just fine without them being URIs.
