Bug #7479

Disable FoxyProxy's proxy:// protocol handler

Added by anonym about 5 years ago. Updated about 5 years ago.

Status: Resolved
Priority: Elevated
Assignee: -
Category: -
Target version:
Start date: 07/01/2014
Due date:
% Done: 100%
Feature Branch: feature/7479-disable-proxy-protocol-handler
Type of work: Code
Blueprint:
Starter: No
Affected tool: Browser

Description

FoxyProxy adds the proxy:// protocol handler, which can be used to configure the proxy via a URI. A malicious exit node can inject some JavaScript code to visit such a URI. FoxyProxy will not do such configurations without user confirmation, but we definitely should completely disable this ill-thought "feature" anyway by setting ignoreProxyScheme to true in config/chroot_local-includes/etc/iceweasel/profile/foxyproxy.xml.

Note: even if a user can be tricked into accepting such a re-configuration which would, e.g., disable proxying completely, our firewall would block deanonymization. However, the proxy settings could be changed to side-step our stream isolation, which isn't good.

See http://getfoxyproxy.org/developers/proxyprotocol.html for details.
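
A build-time check for the setting described above, as an added example that is not part of the ticket or the Tails code base: it parses a FoxyProxy configuration and fails unless ignoreProxyScheme is explicitly true. The sample XML is constructed, and both the attribute's placement on the root element and the treatment of a missing attribute as unsafe are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

ATTR = "ignoreProxyScheme"  # setting named in the ticket

# Constructed samples; real foxyproxy.xml files carry many more settings.
# Assumption: the attribute sits on an element of the config (root here).
SAMPLE_BEFORE = '<foxyproxy ignoreProxyScheme="false"><proxies/></foxyproxy>'
SAMPLE_AFTER = '<foxyproxy ignoreProxyScheme="true"><proxies/></foxyproxy>'


def proxy_scheme_disabled(xml_text):
    """Return (ok, reason); ok only if ATTR is present and always "true"."""
    try:
        # The config comes from our own build tree, so it is trusted input.
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"unparseable config: {exc}"
    values = [el.get(ATTR) for el in root.iter() if el.get(ATTR) is not None]
    if not values:
        # Assumption: an absent attribute leaves the handler enabled,
        # so the check fails closed.
        return False, f"{ATTR} is not set"
    bad = [v for v in values if v.strip().lower() != "true"]
    if bad:
        return False, f"{ATTR} is {bad[0]!r}, proxy:// handler still active"
    return True, f"{ATTR} is true, proxy:// URIs are ignored"


if __name__ == "__main__":
    # Usage: python check_foxyproxy.py path/to/foxyproxy.xml
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            ok, reason = proxy_scheme_disabled(fh.read())
    else:
        ok, reason = proxy_scheme_disabled(SAMPLE_AFTER)
    print(("PASS: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run against the built profile's foxyproxy.xml, a non-zero exit flags a regression that would re-enable the handler.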

Associated revisions

Revision 5a267138 (diff)
Added by Tails developers about 5 years ago

Disable FoxyProxy's proxy:// protocol handler. (Closes: #7479)

FoxyProxy adds the proxy:// protocol handler, which can be used to
configure the proxy via a URI. A malicious webpage can include (or a
malicious exit node can inject) some JavaScript code to visit such an
URI and disable or otherwise change Iceweasel's proxy settings.

While using this to disable proxying will be dealt with safely by our
firewall, this could be used to defeat stream isolation, although the
user must be tricked into accepting the new proxy settings.

History

#1 Updated by anonym about 5 years ago

  • Status changed from Confirmed to In Progress
  • Priority changed from Normal to Elevated
  • Target version set to Tails_1.1
  • % Done changed from 0 to 50
  • QA Check set to Ready for QA
  • Feature Branch set to feature/7479-disable-proxy-protocol-handler

Without the fix, visiting proxy://host=foo.com&port=1234 will prompt if the user wants to change the proxy settings. With the fix, nothing happens.

Bumping to "elevated" due to the stream isolation attack.

#2 Updated by intrigeri about 5 years ago

  • Assignee set to intrigeri
  • Starter changed from Yes to No

#3 Updated by intrigeri about 5 years ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (intrigeri)
  • % Done changed from 50 to 100

Merged!

#4 Updated by BitingBird about 5 years ago

  • QA Check changed from Ready for QA to Pass

#5 Updated by BitingBird about 5 years ago

  • Status changed from Fix committed to Resolved
