ma1 pushed to branch tor-browser-128.7.0esr-14.5-1 at The Tor Project /
Applications / Tor Browser
Commits:
d2be2499 by Henry Wilkes at 2025-02-03T11:53:29+00:00
BB 29745: Limit remote access to content accessible resources
- - - - -
7e470c8c by Henry Wilkes at 2025-02-03T11:53:30+00:00
fixup! BB 42716: Disable unwanted about: pages
TB 43308: Remove about:logo which exposes a branding asset.
- - - - -
2 changed files:
- caps/nsScriptSecurityManager.cpp
- docshell/base/nsAboutRedirector.cpp
Changes:
=====================================
caps/nsScriptSecurityManager.cpp
=====================================
@@ -1044,6 +1044,48 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags(
}
}
+ // Only allow some "about:" pages to have access to contentaccessible
+ // "chrome://branding/" assets. Otherwise web pages could easily and
+ // consistently detect the differences between channels when their
+ // branding differs. See tor-browser#43308 and tor-browser#42319.
+ // NOTE: The same assets under the alternative URI
+ // "resource:///chrome/browser/content/branding/" should already be
+ // inaccessible to web content, so we only add a condition for the chrome
+ // path.
+ if (targetScheme.EqualsLiteral("chrome")) {
+ nsAutoCString targetHost;
+ rv = aTargetBaseURI->GetHost(targetHost);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (targetHost.EqualsLiteral("branding")) {
+ // Disallow any Principal whose scheme is not "about", or is a
+ // contentaccessible "about" URI ("about:blank" or "about:srcdoc").
+ // NOTE: "about:blank" and "about:srcdoc" would be unexpected here
+ // since such a document spawned by a web document should inherit the
+ // same Principal URI. I.e. they would be "http:" or "https:"
schemes.
+ // But we add this condition for extra assurances.
+ // NOTE: Documents with null Principals, like "about:blank" typed by
+ // the user, would also be excluded since the Principal URI would be
+ // "moz-nullprincipal:".
+ if (!aSourceBaseURI->SchemeIs("about") ||
+ NS_IsContentAccessibleAboutURI(aSourceBaseURI)) {
+ return NS_ERROR_DOM_BAD_URI;
+ }
+ // Also exclude "about:reader" from accessing branding assets. I.e.
if
+ // a web page includes `<img src="chrome://branding/..." />` we do
not
+ // want it to render within "about:reader" either.
+ // Though it is unknown whether the information within "about:reader"
+ // would be exploitable by a web page, we also want to exclude
+ // "about:reader" for consistency: if it does not display in the
+ // original web page, it should not display in "about:reader" either.
+ nsAutoCString sourcePath;
+ rv = aSourceBaseURI->GetFilePath(sourcePath);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (sourcePath.EqualsLiteral("reader")) {
+ return NS_ERROR_DOM_BAD_URI;
+ }
+ }
+ }
+
if (targetScheme.EqualsLiteral("resource")) {
if (StaticPrefs::security_all_resource_uri_content_accessible()) {
return NS_OK;
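Review bot: The `about:reader` exclusion, `sourcePath.EqualsLiteral("reader")`, is an exact, case-sensitive match on a single page name, while every other non-content-accessible `about:` principal may still load `chrome://branding/`. If the principal URI is not guaranteed to be lower-cased by the time it reaches this check (not visible in the hunk), a differently-cased path would miss it; `if (sourcePath.LowerCaseEqualsLiteral("reader")) {` removes that assumption. Since this is effectively a denylist of one, a comment beside it such as `// Any other about: page that renders web-supplied markup must be excluded here too.` would stop a future page from being allowed silently. CheckLoadURIFlags begins and ends outside this hunk, so any earlier short-circuits are not visible here.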
=====================================
docshell/base/nsAboutRedirector.cpp
=====================================
@@ -123,10 +123,9 @@ static const RedirEntry kRedirMap[] = {
nsIAboutModule::IS_SECURE_CHROME_UI},
{"logging", "chrome://global/content/aboutLogging.html",
nsIAboutModule::ALLOW_SCRIPT},
- {"logo", "chrome://branding/content/about.png",
- nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
- // Linkable for testing reasons.
- nsIAboutModule::MAKE_LINKABLE},
+ // Do not allow web pages to link to about:logo, which varies between
+ // channels. See tor-browser#43308.
+ // Moreover, it exposes firefox-specific branding.
{"memory", "chrome://global/content/aboutMemory.xhtml",
nsIAboutModule::ALLOW_SCRIPT},
{"certificate", "chrome://global/content/certviewer/certviewer.html",
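Review bot: The replacement comment in `kRedirMap` says web pages should not be allowed to "link to" about:logo, but the change removes the whole entry rather than only dropping `MAKE_LINKABLE`. Sitting directly above the `"memory"` entry, it can also be misread as describing that entry. I would word it as a deliberate omission, for example `// "logo" is intentionally not registered: about.png varies between channels` followed by `// and exposes Firefox-specific branding. See tor-browser#43308.`. The array definition starts and ends outside this hunk.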
View it on GitLab:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/f0b1a96ddc83c98bb233f86ac61d73df3c237736...7e470c8c4537077d113dc3346ae41d129a9e21b6