Re: [Tails-dev] Testing image cache and DOM storage isolatio…

Poista viesti

Vastaa
Lähettäjä: Mike Perry
Päiväys:  
Vastaanottaja: intrigeri
Kopio: tails-dev
Aihe: Re: [Tails-dev] Testing image cache and DOM storage isolation
Thus spake intrigeri (intrigeri@???):

> I'm now taking time to apply to the Tails' web browser the last two
> meaningful Torbrowser patches we were not using yet:
>
> - 0026-Isolate-DOM-storage-to-first-party-URI.patch
> - 0024-Isolate-the-Image-Cache-per-url-bar-domain.patch
>
> I'm now trying to verify that applying these patches actually makes
> a difference. How do you do it?


First, note that I just fixed a bug in 0024 that caused an intermittent
crash on New Identity and on exit:
https://trac.torproject.org/projects/tor/ticket/8628

So you want to get the latest patch from origin/maint-2.4.

There are also some other patch updates that I've made since the last
TBB release, but I'm still working on them.

> about:cache shows the same regardless of whether the image cache patch
> is applied or not; this is explained, I guess, by the Torbrowser
> design doc that reads "Additionally, because the image cache is
> a separate entity from the content cache, we had to patch Firefox to
> also isolate this cache per url bar domain."


According to my notes in the original bug
(https://trac.torproject.org/projects/tor/ticket/5742), the patch should
cause additional domain= entries for each url bar to appear in
about:cache. Otherwise I think only one entry appears for a given image,
regardless of url bar domains used to load it... However, the patch was
first written for Firefox 10. Things may have changed wrt about:cache
display since then.

You can manually verify that the Google logo image actually loads over the
network for all three of these pages:
https://encrypted.google.com/
https://anonym-surfen.de/ImageTest.html
https://anonymous-proxy-servers.net/en/ImageTest.html

If the patch is not working/not applied, the Google image will come from
the cache for the second two, and the web developer console should say
"304 not modified" in the "Net" logs.


For DOM storage, you can try hosting this container page on an
additional domain, and verify that the iframe can't retrieve any values
set from the original container page from trial.pearlcrescent.com:
http://trial.pearlcrescent.com/tor/storageContainer.html

> Ideally, I'd like to add this to our automated test suite, but at
> least a quick'n'dirty manual check would be much better than nothing
> before we merge this branch.


What do you use for automated testing of Firefox? I see some pages
mentioning something called "Cucumber?"

Are you able to inspect the browser state from that framework?

--
Mike Perry