Odd wyswig schemes without isolation for browserspy.dk
http://browserspy.dk/screen.php causes some odd urls to appear in about:cache without domain isolation.
We should investigate why these urls are not properly isolated, and perhaps where they come from.
Activity
-
Newest first Oldest first
-
Show all activity Show comments only Show history only
- Mike Perry added component::applications/tor browser in Legacy / Trac ff68-esr-will-have in Legacy / Trac owner::tbb-team in Legacy / Trac priority::high in Legacy / Trac resolution::fixed in Legacy / Trac severity::normal in Legacy / Trac sponsor::44-can in Legacy / Trac status::closed in Legacy / Trac tbb-firefox-patch in Legacy / Trac tbb-linkability in Legacy / Trac type::defect in Legacy / Trac labels
added component::applications/tor browser in Legacy / Trac ff68-esr-will-have in Legacy / Trac owner::tbb-team in Legacy / Trac priority::high in Legacy / Trac resolution::fixed in Legacy / Trac severity::normal in Legacy / Trac sponsor::44-can in Legacy / Trac status::closed in Legacy / Trac tbb-firefox-patch in Legacy / Trac tbb-linkability in Legacy / Trac type::defect in Legacy / Trac labels
After loading http://browserspy.dk/screen.php, we see the following non-isolated entries (all with scheme wyciwyg):
wyciwyg://0/http://browserspy.dk/screen.php wyciwyg://1/http://browserspy.dk/screen.php wyciwyg://2/http://browserspy.dk/screen.php wyciwyg://3/https://googleads.g.doubleclick.net/pagead/ads... (URL truncated) wyciwyg://4/https://googleads.g.doubleclick.net/pagead/ads... (URL truncated)
The wyciwyg scheme is used to keep a copy of content that was modified by JS (probably to support the back button in the browser, etc.) That scheme is not supposed to be accessible by web pages, but isolation might be a good idea.
Mike, did you make the isolation changes for HTTP? The Mozilla file that needs to be patched is probably netwerk/protocol/wyciwyg/nsWyciwygChannel.cpp (see nsWyciwygChannel::OpenCacheEntry(), etc.)
Trac:
Keywords: N/A deleted, tbb-firefox-patch addedTrac:
Component: Firefox Patch Issues to Tor Browser
Owner: mikeperry to tbb-teamSeems Mozilla forgot about it:
Key Data size Fetch count Last Modifed Expires Pinning wyciwyg://3/https://trac.torproject.org/projects/tor/ticket/15569 1016 bytes 1 2017-05-23 15:35:35 No expiration time
This is being used in the wild by a big ad network.
- Developer
https://bugzilla.mozilla.org/show_bug.cgi?id=1489308 gets rid of the wyciwyg protocol handler.
Trac:
Keywords: N/A deleted, ff68-esr-will-have added Adding Sponsor 44 to ESR68 tickets
Trac:
Sponsor: N/A to Sponsor44-can- Developer
9.0a6, which is about to get built, is based on ESR 68, so closing.
Trac:
Resolution: N/A to fixed
Status: new to closed - Trac closed
closed
- Georg Koppen mentioned in issue legacy/trac#22451 (moved)
mentioned in issue legacy/trac#22451 (moved)
- Trac moved from legacy/trac#9336 (moved)
moved from legacy/trac#9336 (moved)
- Trac added Linkability label and removed 1 deleted label
added Linkability label and removed 1 deleted label