about:tor should not have chrome privileges
We should ensure that about:tor runs with only content privileges.
Changing the getURIFlags() function in src/components/aboutTor.js to include Ci.nsIAboutModule.URI_SAFE_FOR_UNTRUSTED_CONTENT in the value returned should do the trick, but other things will need to be fixed as a result of that change.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information