about:tor should not have chrome privileges
We should ensure that about:tor runs with only content privileges.
Changing the getURIFlags() function in src/components/aboutTor.js to include Ci.nsIAboutModule.URI_SAFE_FOR_UNTRUSTED_CONTENT
in the value returned should do the trick, but other things will need to be fixed as a result of that change.