Opened 5 years ago

Last modified 12 months ago

#16931 new defect

Sanitize the add-on blocklist update URL

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: basvd, yawning, skeletonchimp
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


The default value of the extensions.blocklist.url preference is

and sends detailed information about the operating system to Mozilla.

However, Mozilla's list of blocked add-ons and certificates is not OS specific, and updates just need

so that should be the default value of extensions.blocklist.url in Tor Browser.
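
An added example, not part of the ticket or of Tor Browser's code: a small audit that reads pref lines and reports which substitution tokens the extensions.blocklist.url template would expand. The sample URL host and path are constructed placeholders (the ticket's actual URL is not reproduced here), and the set of tokens treated as identifying is an assumption of this example.

```javascript
// Added example: audit Firefox-style pref lines for a blocklist URL template
// that carries system-describing substitution tokens.

// Tokens Firefox expands in URL-template prefs. Treating these as
// identifying is this example's assumption, not a list from the ticket.
const IDENTIFYING = new Set([
  "OS_VERSION", "BUILD_TARGET", "LOCALE", "DISTRIBUTION",
  "DISTRIBUTION_VERSION", "PING_COUNT", "TOTAL_PING_COUNT",
  "DAYS_SINCE_LAST_PING",
]);

// Constructed sample input; the host and path are placeholders.
const SAMPLE = `
user_pref("extensions.blocklist.enabled", true);
user_pref("extensions.blocklist.url", "https://blocklist.example.invalid/3/%APP_ID%/%APP_VERSION%/%BUILD_TARGET%/%LOCALE%/%OS_VERSION%/");
`;

// Parse pref("name", value); and user_pref("name", value); lines into a Map.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/gm;
  for (const [, name, raw] of text.matchAll(re)) {
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (/^".*"$/.test(raw)) value = raw.slice(1, -1);
    else value = Number(raw);
    prefs.set(name, value); // a later line overrides an earlier one
  }
  return prefs;
}

// Report whether the blocklist is on and which tokens its URL would expand.
function auditBlocklistPrefs(text) {
  const prefs = parsePrefs(text);
  const url = String(prefs.get("extensions.blocklist.url") ?? "");
  const tokens = [...url.matchAll(/%([A-Z_]+)%/g)].map((m) => m[1]);
  return {
    // Assumption: an absent pref means the feature is on.
    enabled: prefs.get("extensions.blocklist.enabled") !== false,
    tokens,
    identifying: tokens.filter((t) => IDENTIFYING.has(t)),
  };
}

console.log(auditBlocklistPrefs(SAMPLE));
```

An empty `identifying` list with `enabled: true` corresponds to the sanitized-URL outcome discussed in this ticket; `enabled: false` corresponds to the disable-the-feature option.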

Change History (8)

comment:1 Changed 3 years ago by gk

Severity: Normal

FWIW: Mozilla is moving to Kinto-based systems that allow a more fine-grained blocklist mechanism:

comment:2 Changed 3 years ago by gk

Cc: basvd yawning added

#22966 is a duplicate.

comment:3 Changed 3 years ago by gk

We could think about disabling that feature. One thing that makes me a bit reluctant to choose that path over the sanitizing approach is that we allow extensions to be installed in Tor Browser. Thus, users having custom extensions installed would benefit from a fast way to get those blocked in case Mozilla detects critical issues with them.

comment:4 Changed 2 years ago by gk

Cc: skeletonchimp added

comment:5 Changed 2 years ago by skeletonchimp

I strongly suggest disabling this feature and hopefully including the fix in the next version of TBB.

I believe the Severity and Priority of this ticket should be increased to the highest value!

Meanwhile, is the TBB user to manually blank the Value of extensions.blocklist.url until this is fixed? Would the user need to include a modification of extensions.blocklist.enabled to false, or would this break too much?

A user posted about this here:

Oddly enough, I had noticed this issue when I was reviewing 'about:cache?device=memory' in Tor Browser 8.0 and noticed a strange link, then found the user's post. Thanks, gk, for noticing my post in #3555, which I found via #6734.

comment:6 Changed 2 years ago by traumschule

I don't like that either.

comment:7 Changed 2 years ago by traumschule

TB users do not install extensions so we do not need this and can set extensions.blocklist.enabled to false.

However the info on
may be outdated:

N/A - no information will be sent to any site due to this project except possibly application ID as we do for application and extension update checks.


comment:8 Changed 12 months ago by acat

One problem of setting extensions.blocklist.enabled = false is that it also disables gfx (and plugin) blocklist, and I'm not sure about the consequences of not having the GFX blocklist for some users.

Something we could try is setting extensions.blocklist.useXML = false, which should enable the RemoteSetting implementation of those blocklists. I don't see this one sending all these fields, just etag and timestamps, as the other RemoteSettings polls. But I don't know the status of that implementation; there must be some reason why it's not enabled by default.
