URL.createObjectURL() considered harmful
Blobs are a mechanism for creating temporary files that live in the browser and can optionally be assigned a random GUID that can be accessed via the blob: scheme.
Unfortunately, this has several bad consequences for TBB:
- blob: URIs are whitelisted in NoScript
- blob: URIs survive New Identity
- blob: URIs are not isolated by top-level domain
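As an added illustration (not part of this ticket), the following script parses a blob: URI into the origin and GUID it carries, checks whether that origin matches the top-level page the user is actually on, and shows the site-side hygiene that limits how long such a URI lives: revoking every object URL a page minted once the consumer has loaded it. The sample URIs and origins are constructed for the example; the registry takes create and revoke callbacks so it can be exercised outside a browser.

```javascript
// A blob: URI has the form  blob:<origin>/<uuid>  where <origin> is the origin of
// the document that called URL.createObjectURL() ("null" for an opaque origin).
// Nothing in the string records the top-level site the user was visiting, which
// is the isolation gap in the bullet list above.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Parse a blob: URI into { origin, id }, or return null if it is malformed.
function parseBlobUrl(input) {
  if (typeof input !== 'string' || !input.startsWith('blob:')) return null;
  const rest = input.slice('blob:'.length);
  const slash = rest.lastIndexOf('/');
  if (slash < 0) return null;
  const origin = rest.slice(0, slash);
  const id = rest.slice(slash + 1);
  if (!UUID_RE.test(id)) return null;
  return { origin, id };
}

// Does this blob: URI belong to the same origin as the given top-level page?
// A URI that parses but carries a different origin is the cross-site case.
function isFirstPartyBlobUrl(blobUrl, topLevelUrl) {
  const parsed = parseBlobUrl(blobUrl);
  if (!parsed) return false;
  return parsed.origin === new URL(topLevelUrl).origin;
}

// Site-side hygiene: remember every object URL you mint and revoke it as soon as
// the consumer (img, download link, worker) has loaded it. The create/revoke
// callbacks default to the real URL API; tests can pass stand-ins.
class ObjectUrlRegistry {
  constructor(create = (b) => URL.createObjectURL(b),
              revoke = (u) => URL.revokeObjectURL(u)) {
    this.create = create;
    this.revoke = revoke;
    this.live = new Set();
  }
  mint(blob) {
    const url = this.create(blob);
    this.live.add(url);
    return url;
  }
  release(url) {
    if (this.live.delete(url)) this.revoke(url);
  }
  // Revoke everything still outstanding; returns how many were revoked.
  releaseAll() {
    const n = this.live.size;
    for (const url of this.live) this.revoke(url);
    this.live.clear();
    return n;
  }
}

// Constructed sample: a blob: URI minted by https://example.com
const SAMPLE = 'blob:https://example.com/123e4567-e89b-12d3-a456-426614174000';
```

In a page, `registry.mint(blob)` replaces a bare `URL.createObjectURL(blob)` call and `registry.release(url)` goes in the consumer's load handler; `releaseAll()` belongs in the page's teardown so no GUID outlives the document that created it.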
I think this is tricky to exploit to get arbitrary scripts to run, because you already need scripts enabled to create these things. They are also not great to use as a tracking vector, because the GUID you get is randomly assigned.
However, they still deeply concern me because if you want to keep track of a short list of users, you can create blob: URIs for them, record those GUIDs, and cycle through this list of GUIDs for every user who visits any site.
Here's an example blob URI creation script that gives you a blob: URI you can paste into the URL bar. It will then execute scripts (pop up an alert) even if you have instructed NoScript to disable scripts globally: https://people.torproject.org/~mikeperry/transient/tests/blob-uri-creation.html
You can also use the resulting URI to test and see that it survives New Identity.
This ticket probably needs several child tickets to deal with the various issues here. Or we could simply drop support for the URI feature of the Blob APIs. It seems rather obscure and unnecessary, since you can use these things as normal JS objects just fine without them being URIs.