Skip to content
Snippets Groups Projects

Bug 8324: Prevent DNS proxy bypasses caused by Drag&Drop

Merged Bug 8324: Prevent DNS proxy bypasses caused by Drag&Drop
ma1/tor-browser:bug_41518 into tor-browser-102.5.0esr-12.5-1
All threads resolved!
Merged ma1 requested to merge ma1/tor-browser:bug_41518 into tor-browser-102.5.0esr-12.5-1
All threads resolved!

Try to keep a good level of protection against leaks caused by accidental link drags, while not hampering usability (e.g. bookmarks reordering or intentional navigation gestures):

  1. Keep the torbutton!106 (merged) fix against text/plain and text/html fallback flavors escaping the filter
  2. Limit the protection to actual links (i.e. anchor elements or other DOM elements which cause a text/x-moz-url data flavor to be added to the transferable object) as it was originally meant
  3. Drop any attempt to guess "selected text containing URLs"
  4. Explicitly exempt bookmarks
  5. Allow as much as possible dragging links onto the Tor Browser's own UI, for navigation and bookmarking purposes

Part of #41518, fixes #41520 (closed).

Edited by ma1

Merge request reports

Loading
Loading

Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
  • henry
  • henry
  • henry
  • henry
  • henry
  • henry
  • henry
    henry @henry
    Maintainer

    Yes, removing hasURLish is a good idea.

    The "text/x-moz-text-internal" makes up for the most of the chrome-behaviour that would otherwise be blocked, like dragging links into the URL bar. And we can always use this to hack around other chrome behaviour we've accidentally broken. Unfortunately, it also seems to block dragging within a page.

    The main consistent issue is the current code calls getData, clearData and setData, rather than the equivalent "moz" that accept the list index. This means that we're only editing the first item in the data transfer.

  • ma1 added 1 commit

    added 1 commit

    • 64d8a413 - Bug 41518: Drag&Drop protection improvements

    Compare with previous version

  • ma1 added 1 commit

    added 1 commit

    • 690e4983 - Bug 41518: Drag&Drop protection improvements

    Compare with previous version

  • henry
  • henry
  • henry
  • henry
  • henry
  • ma1 added 1 commit

    added 1 commit

    • 2e46b6a9 - Bug 41518: Drag&Drop protection improvements

    Compare with previous version

  • ma1 resolved all threads

    resolved all threads

  • ma1 added 1 commit

    added 1 commit

    • c2d33abf - Bug 41518: Drag&Drop protection improvements

    Compare with previous version

  • ma1 marked this merge request as draft

    marked this merge request as draft

  • henry
  • henry
  • ma1 added 2 commits

    added 2 commits

    • 4e9f1b9c - Bug 41520: (Regression) Rearranging bookmarks / place items by drag & drop doesn't work anymore
    • 368f5630 - fixup! Bug 41520: (Regression) Rearranging bookmarks / place items by drag &...

    Compare with previous version

  • ma1 marked this merge request as ready

    marked this merge request as ready

  • ma1 changed title from Draft: Bug 41518: Drag&Drop protection improvements to Bug 41520: (Regression) Rearranging bookmarks / place items by drag & drop doesn't work anymore

    changed title from Draft: Bug 41518: Drag&Drop protection improvements to Bug 41520: (Regression) Rearranging bookmarks / place items by drag & drop doesn't work anymore

  • ma1 resolved all threads

    resolved all threads

  • ma1 resolved all threads

    resolved all threads

    • henry
      henry @henry
      Maintainer
      Resolved by ma1

      @ma1 since we have more time to land this, did you want to try with the approach where we use one persistent key to encrypt the urls for transfer? You said you wanted to do that originally but didn't have time. Or are you ok with what we already landed in stable?

    • henry
      henry @henry
      Maintainer
      Resolved by ma1

      Looks good. @ma1 I'm assuming this commit is temporary until "drag and drop protection" is split out from "Bug 10760: Integrate TorButton to TorBrowser core" into its own commit, and this would be merged into it?

      Or do you want to do what was suggested in !481 (4e9f1b9c, comment 2862455) now?

  • henry approved this merge request

    approved this merge request

  • ma1 added 2 commits

    added 2 commits

    • 3252f518 - fixup! Bug 10760: Integrate TorButton to TorBrowser core
    • 45909fc0 - Bug 8324: Prevent DNS proxy bypasses caused by Drag&Drop

    Compare with previous version

  • ma1 marked this merge request as draft from ma1/tor-browser@3252f518

    marked this merge request as draft from ma1/tor-browser@3252f518

  • ma1 marked this merge request as ready

    marked this merge request as ready

  • ma1 changed title from Draft: Bug 41520: (Regression) Rearranging bookmarks / place items by drag & drop doesn't work anymore to Bug 8324: Prevent DNS proxy bypasses caused by Drag&Drop

    changed title from Draft: Bug 41520: (Regression) Rearranging bookmarks / place items by drag & drop doesn't work anymore to Bug 8324: Prevent DNS proxy bypasses caused by Drag&Drop

  • ma1 resolved all threads

    resolved all threads

  • Pier Angelo Vendrame resolved all threads

    resolved all threads

  • Pier Angelo Vendrame added 11 commits

    added 11 commits

    • 45909fc0...fdfd2b97 - 9 commits from branch tpo/applications:tor-browser-102.5.0esr-12.5-1
    • d84fac57 - fixup! Bug 10760: Integrate TorButton to TorBrowser core
    • a1ee91a6 - Bug 8324: Prevent DNS proxy bypasses caused by Drag&Drop

    Compare with previous version

  • Pier Angelo Vendrame marked this merge request as draft from ma1/tor-browser@d84fac57

    marked this merge request as draft from ma1/tor-browser@d84fac57

  • Pier Angelo Vendrame marked this merge request as ready

    marked this merge request as ready

  • Pier Angelo Vendrame merged

    merged

    • Please register or sign in to reply