Opened 3 years ago

Last modified 8 weeks ago

#16931 new defect

Sanitize the add-on blocklist update URL

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: basvd, yawning, skeletonchimp
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The default value of the extensions.blocklist.url preference is

https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/

and sends detailed information about the operating system to Mozilla.

However, Mozilla's list of blocked add-ons and certificates is not OS-specific, and updates just need

https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/

so that should be the default value of extensions.blocklist.url in Tor Browser.

Child Tickets

Change History (7)

comment:1 Changed 19 months ago by gk

Severity: Normal

FWIW: Mozilla is moving to Kinto-based systems that allow a more fine-grained blocklist mechanism: https://wiki.mozilla.org/Firefox/Kinto

comment:2 Changed 16 months ago by gk

Cc: basvd yawning added

#22966 is a duplicate.

comment:3 Changed 16 months ago by gk

We could think about disabling that feature. One thing that makes me a bit reluctant to choose that path over the sanitizing approach is that we allow extensions to be installed in Tor Browser. Thus, users having custom extensions installed would benefit from a fast way to get those blocked in case Mozilla detects critical issues with them.

comment:4 Changed 2 months ago by gk

Cc: skeletonchimp added

comment:5 Changed 2 months ago by skeletonchimp

I strongly suggest disabling this feature and hopefully including the fix in the next version of TBB.

I believe the Severity and Priority of this ticket should be increased to the highest value!

Meanwhile, is the TBB user to manually blank the value of extensions.blocklist.url until this is fixed? Would the user need to include a modification of extensions.blocklist.enabled to false, or would this break too much?

A user posted about this here: https://blog.torproject.org/comment/277375#comment-277375

Oddly enough, I had noticed this issue when I was reviewing 'about:cache?device=memory' in Tor Browser 8.0 and noticed a strange link, then found the user's post. Thanks, gk, for noticing my post in #3555, which I found via #6734.

comment:6 Changed 2 months ago by traumschule

I don't like that either

comment:7 Changed 8 weeks ago by traumschule

TB users do not install extensions so we do not need this and can set extensions.blocklist.enabled to false.

However, the info on https://wiki.mozilla.org/Extension_Blocklisting#Discussion_.26_Implications may be outdated:

N/A - no information will be sent to any site due to this project except possibly application ID as we do for application and extension update checks.

extensions.blocklist.url
https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
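The placeholder audit the ticket description calls for, applied to both the original default URL template and the newer blocklists.settings.services.mozilla.com template quoted in comment:7, as an added example (this is not code from the ticket, Tor Browser or Firefox): it reads `user_pref` lines in prefs.js/user.js form, lists every `%NAME%` placeholder other than APP_ID and APP_VERSION (the two the ticket says the blocklist actually needs), and drops those path segments to produce the sanitized value proposed in the description. The sample pref lines and the substitution values used to show what a template expands to are constructed for the example; the allowlist of APP_ID and APP_VERSION follows the ticket's proposal.

```python
import re
from urllib.parse import urlsplit

# Placeholders the browser substitutes into the blocklist URL look like %NAME%.
PLACEHOLDER = re.compile(r"%([A-Z_]+)%")

# Placeholders the ticket proposes to keep: the blocklist is keyed on the
# application id and version only, so every other placeholder is extra detail.
ALLOWED = frozenset({"APP_ID", "APP_VERSION"})

# Matches pref("name", "value"); and user_pref("name", "value"); lines with a
# string value, as written in prefs.js / user.js.
PREF_LINE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*"([^"]*)"\);')

# The two templates quoted in the ticket (description and comment:7).
LEGACY_DEFAULT = (
    "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/"
    "%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/"
    "%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/"
    "%DAYS_SINCE_LAST_PING%/"
)
KINTO_DEFAULT = (
    "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/"
    "%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/"
    "%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/"
    "%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/"
)


def placeholders(template: str) -> list[str]:
    """Return the placeholder names in a URL template, in order of appearance."""
    return PLACEHOLDER.findall(template)


def disallowed_placeholders(template: str) -> list[str]:
    """Placeholders that send information beyond application id and version."""
    return [name for name in placeholders(template) if name not in ALLOWED]


def _is_disallowed_segment(segment: str) -> bool:
    match = PLACEHOLDER.fullmatch(segment)
    return match is not None and match.group(1) not in ALLOWED


def sanitize(template: str) -> str:
    """Drop every path segment that consists of a disallowed placeholder."""
    parts = urlsplit(template)
    kept = [seg for seg in parts.path.split("/") if not _is_disallowed_segment(seg)]
    return parts._replace(path="/".join(kept)).geturl()


def expand(template: str, values: dict[str, str]) -> str:
    """Substitute placeholders as the browser would; unknown names stay verbatim."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def audit_prefs(text: str) -> list[dict]:
    """Find extensions.blocklist.url settings and report what each would send."""
    report = []
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match is None or match.group(1) != "extensions.blocklist.url":
            continue
        template = match.group(2)
        report.append({
            "template": template,
            "disallowed": disallowed_placeholders(template),
            "sanitized": sanitize(template),
        })
    return report


# Constructed sample prefs (not from any real profile): the boolean pref is
# skipped by the string-only regex, the next two lines carry the ticket's
# templates, and the last one is the sanitized default the ticket proposes.
SAMPLE_PREFS = "\n".join([
    'user_pref("extensions.blocklist.enabled", true);',
    f'user_pref("extensions.blocklist.url", "{LEGACY_DEFAULT}");',
    f'user_pref("extensions.blocklist.url", "{KINTO_DEFAULT}");',
    f'user_pref("extensions.blocklist.url", "{sanitize(LEGACY_DEFAULT)}");',
])

if __name__ == "__main__":
    # Constructed substitution values, only to illustrate what a template expands to.
    sample_values = {"APP_ID": "app-id-example", "APP_VERSION": "8.0",
                     "OS_VERSION": "os-version-example", "LOCALE": "en-US"}
    for entry in audit_prefs(SAMPLE_PREFS):
        print("template :", entry["template"])
        print("leaks    :", ", ".join(entry["disallowed"]) or "nothing beyond app id/version")
        print("sanitized:", entry["sanitized"])
        print("expands  :", expand(entry["sanitized"], sample_values))
        print()
```

Run it against a real prefs.js by passing the file contents to `audit_prefs`; a template whose `disallowed` list is empty is already in the form the ticket asks for, and `sanitize` is idempotent, so it can be applied to whatever default a given release ships.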
