Opened 4 years ago

Last modified 12 months ago

#16931 new defect

Sanitize the add-on blocklist update URL

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: basvd, yawning, skeletonchimp Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


The default value of the extensions.blocklist.url preference is

and sends detailed information about the operating system to Mozilla.

However, Mozilla's list of blocked add-ons and certificates is not OS specific, and updates just need

so that should be the default value of extensions.blocklist.url in Tor Browser.

Child Tickets

Change History (7)

comment:1 Changed 2 years ago by gk

Severity: Normal

FWIW: Mozilla is moving to Kinto-based systems that allow a more fine-grained blocklist mechanism:

comment:2 Changed 2 years ago by gk

Cc: basvd yawning added

#22966 is a duplicate.

comment:3 Changed 2 years ago by gk

We could think about disabling that feature. One thing that makes me a bit reluctant to choose that path over the sanitizing approach is that we allow extensions to be installed in Tor Browser. Thus, users having custom extensions installed would benefit from a fast way to get those blocked in case Mozilla detects critical issues with them.

comment:4 Changed 12 months ago by gk

Cc: skeletonchimp added

comment:5 Changed 12 months ago by skeletonchimp

I strongly suggest disabling this feature and hopefully including the fix in the next version of TBB.

I believe the Severity and Priority of this ticket should be increased to the highest value!

Meanwhile, is the TBB user to manually blank the Value of extensions.blocklist.url until this is fixed? Would the user need to include a modification of extensions.blocklist.enabled to false, or would this break too much?

A user posted about this here:

Oddly enough, I had noticed this issue when I was reviewing 'about:cache?device=memory' in Tor Browser 8.0 and noticed a strange link, then found the user's post. Thanks, gk, for noticing my post in #3555, which I found via #6734.

comment:6 Changed 12 months ago by traumschule

i don't like that either

comment:7 Changed 12 months ago by traumschule

TB users do not install extensions so we do not need this and can set extensions.blocklist.enabled to false.

However the info on
may be outdated:

N/A - no information will be sent to any site due to this project except possibly application ID as we do for application and extension update checks.


Note: See TracTickets for help on using tickets.