Skip to content
GitLab
Closed
Created by Georg Koppen@gkDeveloper

Contents of FTP requests are cached and not isolated to the URL bar origin

Contents of FTP requests can get cached but are currently not isolated to the URL bar origin which contradicts the goal of section 3.5.2 of the Tor Browser design documentation. The relevant code is here: https://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/ftp/nsFtpConnectionThread.cpp

There are two things to note:

  1. This caching is working a bit differently than the familiar HTTP caching. E.g. are there no E-Tags, no headers involved which makes a scalable exploitation much harder (that's the only reason why I think the prio is normal) IMO.

  2. Furthermore, only directory listings can get cached, not "normal" files like CSS or JS files loaded via FTP.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information