Opened 3 years ago

Last modified 14 months ago

#16931 new defect

Sanitize the add-on blocklist update URL

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: basvd, yawning Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


The default value of the extensions.blocklist.url preference is

and sends detailed information about the operating system to Mozilla.

However, Mozilla's list of blocked add-ons and certificates is not OS specific, and updates just need

so that should be the default value of extensions.blocklist.url in Tor Browser.

Child Tickets

Change History (3)

comment:1 Changed 17 months ago by gk

Severity: Normal

FWIW: Mozilla is moving to Kinto-based systems that allow a more fine-grained blocklist mechanism:

comment:2 Changed 14 months ago by gk

Cc: basvd yawning added

#22966 is a duplicate.

comment:3 Changed 14 months ago by gk

We could think about disabling that feature. One thing that makes me a bit reluctant to choose that path over the sanitizing approach is that we allow extensions to be installed in Tor Browser. Thus, users having custom extensions installed would benefit from a fast way to get those blocked in case Mozilla detects critical issues with them.

Note: See TracTickets for help on using tickets.