Bug #7479
Disable FoxyProxy's proxy:// protocol handler
100%
Description
FoxyProxy adds the proxy:// protocol handler, which can be used to configure the proxy via a URI. A malicious exit node can inject some JavaScript code to visit such a URI. FoxyProxy will not do such configurations without user confirmation, but we definitely should completely disable this ill-thought “feature” anyway by setting ignoreProxyScheme to true in config/chroot_local-includes/etc/iceweasel/profile/foxyproxy.xml.
Note: even if a user can be tricked to accept such a re-configuration which would, e.g. disable proxying completely, our firewall would block deanonymization. However, the proxy settings could be changed to side-step our stream isolation, which isn’t good.
See http://getfoxyproxy.org/developers/proxyprotocol.html for details.
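A build-time check for the setting described above, as an added example that is not part of this ticket or of the Tails code base: it passes only when ignoreProxyScheme is explicitly set to true. The sample XML is constructed, and storing the setting as an XML attribute is an assumption about the file layout.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample configs, not the real Tails file. Assumption: the
# setting is stored as an XML attribute named ignoreProxyScheme.
HARDENED = '<foxyproxy mode="disabled" ignoreProxyScheme="true"><proxies/></foxyproxy>'
DEFAULT = '<foxyproxy mode="disabled" ignoreProxyScheme="false"><proxies/></foxyproxy>'
UNSET = '<foxyproxy mode="disabled"><proxies/></foxyproxy>'


def audit_proxy_scheme(xml_text):
    """Return (ok, reason). ok is True only if ignoreProxyScheme appears at
    least once and every occurrence is "true" (case-insensitive)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"unparseable config: {exc}"
    values = [el.attrib["ignoreProxyScheme"]
              for el in root.iter() if "ignoreProxyScheme" in el.attrib]
    if not values:
        # An absent setting is treated as a failure: the check should not
        # depend on whatever default the add-on ships with.
        return False, "ignoreProxyScheme is not set"
    bad = [v for v in values if v.strip().lower() != "true"]
    if bad:
        return False, f"ignoreProxyScheme is {bad[0]!r}, expected 'true'"
    return True, "ignoreProxyScheme is true"


if __name__ == "__main__":
    # Usage: python audit_foxyproxy.py path/to/foxyproxy.xml
    # Without an argument, the constructed samples above are audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            ok, reason = audit_proxy_scheme(fh.read())
        print(("PASS: " if ok else "FAIL: ") + reason)
        sys.exit(0 if ok else 1)
    for name, sample in (("hardened", HARDENED), ("default", DEFAULT), ("unset", UNSET)):
        print(name, audit_proxy_scheme(sample))
```
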
Subtasks
History
#1 Updated by anonym 2014-07-01 19:21:12
- Status changed from Confirmed to In Progress
- Priority changed from Normal to Elevated
- Target version set to Tails_1.1
- % Done changed from 0 to 50
- QA Check set to Ready for QA
- Feature Branch set to feature/7479-disable-proxy-protocol-handler
Without the fix, visiting proxy://host=foo.com&port=1234 will prompt if the user wants to change the proxy settings. With the fix, nothing happens.
Bumping to “elevated” due to the stream isolation attack.
#2 Updated by intrigeri 2014-07-01 19:34:29
- Assignee set to intrigeri
- Starter changed from Yes to No
#3 Updated by intrigeri 2014-07-01 20:17:04
- Status changed from In Progress to Fix committed
- Assignee deleted (intrigeri)
- % Done changed from 50 to 100
Merged!
#4 Updated by BitingBird 2014-07-02 13:14:43
- QA Check changed from Ready for QA to Pass
#5 Updated by BitingBird 2014-07-22 22:57:49
- Status changed from Fix committed to Resolved