Steps: 1. Turn on TP with the mozstd-track-digest256 list (default) 2. Open devtool network tab 3. Visit cnn.com Expected: Nothing gets loaded from outbrain.com because it's on the blacklist. Actual: These resources are loaded: http://vrt.outbrain.com/?idsite=6&url=http%3A%2F%2Fwww.cnn.com&seen_url=http%3A%2F%2Fwww.cnn.com%2F&t=Breaking%20News%2C%20Daily%20News%20and%20Videos%20-%20CNN.com&c=1445309718541GFJ1POzQnT1UxpHepDrBR1W3HBqcTu76&ypos=-1&zone=&debug={%22frame%22:false,%22loadTime%22:3,%22timestamp%22:1445309730882,%22transport%22:%22cors%22}&refurl=http%3A%2F%2Fwww.cnn.com&norm_refurl=http%3A%2F%2Fwww.cnn.com&content_type=text/html&v=41 http://vrp.outbrain.com/?transport=jsonp&idsite=6&url=http%3A%2F%2Fwww.cnn.com&content_type=text/html&callback=_vrq.jsonp.callbackFn

I can confirm that we aren't blocking URLs that are loaded as a result of an XHR. It is very possible that this page does this, though not 100% sure.

This fixes the leak both on e10s and non-e10s. There is a remaining issue for which I intend to file a follow-up bug if that's OK with you. There's something weird going on with e10s and XHR/Fetch and that prevents the security UI (i.e. the shield) from appearing when we block loads. Tanvi and I are investigating because it seems to also affect the mixed content blocker to some extent.

Comment on attachment 8692644 [details] [diff] [review] Tests Review of attachment 8692644 [details] [diff] [review]: ----------------------------------------------------------------- ::: toolkit/components/url-classifier/tests/mochitest/allowlistAnnotatedFrame.html @@ +28,5 @@ > + fetchFinished = true; > + } > + if (!onloadCalled || !xhrFinished || !fetchFinished) { > + return; // not every test has run yet > + } Maybe split this function in two? One which does the work of the old one and another that handles the side effects/determines whether all steps have finished that you added now. Can also make the name a bit clearer then. @@ +102,5 @@ > +oReq.addEventListener("load", reqListener); > +oReq.addEventListener("error", transferFailed); > +oReq.addEventListener("abort", transferCanceled); > +oReq.open("GET", "http://tracking.example.com/tests/toolkit/components/url-classifier/tests/mochitest/evil.js"); > + oReq.send(); nit: looks like spurious whitespace

https://hg.mozilla.org/integration/mozilla-inbound/rev/709a8aec7c79 https://hg.mozilla.org/integration/mozilla-inbound/rev/2cdef2a8ed53 https://hg.mozilla.org/integration/mozilla-inbound/rev/eadb3ad94e0f

https://hg.mozilla.org/mozilla-central/rev/709a8aec7c79 https://hg.mozilla.org/mozilla-central/rev/2cdef2a8ed53 https://hg.mozilla.org/mozilla-central/rev/eadb3ad94e0f

I don't see how this can be a "vulnerability" (as implied by a sec-low rating) since we need to keep people safe with or without Tracking protection. We don't even enable it by default! It's simply a bug: TP not working as well as we'd like.