Opened 3 years ago

Last modified 14 months ago

#16931 new defect

Sanitize the add-on blocklist update URL

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: basvd, yawning
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The default value of the extensions.blocklist.url preference is

https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/

and sends detailed information about the operating system to Mozilla.

However, Mozilla's list of blocked add-ons and certificates is not OS specific, and updates just need

https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/

so that should be the default value of extensions.blocklist.url in Tor Browser.
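
The following is an added example, not part of the ticket and not Tor Browser or Mozilla code: it audits a blocklist URL template for placeholders beyond the two the description says the update needs, and truncates the path at the first one. The function names, the `ALLOWED` set and the https-only check are assumptions of this example; the template is the default value quoted above.

```javascript
// Added example (hypothetical helper names, not Tor Browser code).
// Placeholders the ticket says the blocklist update actually needs.
const ALLOWED = new Set(["APP_ID", "APP_VERSION"]);

// Default value of extensions.blocklist.url as quoted in the ticket.
const DEFAULT_TEMPLATE =
  "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/" +
  "%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/" +
  "%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/" +
  "%DAYS_SINCE_LAST_PING%/";

// Return the names of all %NAME% placeholders, in order of appearance.
function placeholders(template) {
  return Array.from(template.matchAll(/%([A-Z_]+)%/g), (m) => m[1]);
}

// Classify every placeholder as kept (allowed) or leaked (discloses extra detail).
function auditTemplate(template) {
  const names = placeholders(template);
  return {
    kept: names.filter((n) => ALLOWED.has(n)),
    leaked: names.filter((n) => !ALLOWED.has(n)),
  };
}

// Keep the path only up to the first segment holding a disallowed placeholder.
// Segments are dropped from that point on rather than removed individually,
// because the path is positional and the ticket's proposed URL is a prefix.
function sanitizeTemplate(template) {
  const m = /^(https:\/\/[^\/]+)(\/.*)?$/.exec(template);
  if (!m) throw new Error("expected an https URL template"); // assumption of this example
  const kept = [];
  for (const seg of (m[2] || "/").split("/").slice(1)) {
    if (placeholders(seg).some((n) => !ALLOWED.has(n))) break;
    if (seg !== "") kept.push(seg);
  }
  return m[1] + "/" + kept.map((s) => s + "/").join("");
}

console.log("leaked:", auditTemplate(DEFAULT_TEMPLATE).leaked.join(", "));
console.log("sanitized:", sanitizeTemplate(DEFAULT_TEMPLATE));
```
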

Change History (3)

comment:1 Changed 17 months ago by gk

Severity: Normal

FWIW: Mozilla is moving to Kinto-based systems that allow a more fine-grained blocklist mechanism: https://wiki.mozilla.org/Firefox/Kinto

comment:2 Changed 14 months ago by gk

Cc: basvd yawning added

#22966 is a duplicate.

comment:3 Changed 14 months ago by gk

We could think about disabling that feature. One thing that makes me a bit reluctant to choose that path over the sanitizing approach is that we allow extensions to be installed in Tor Browser. Thus, users having custom extensions installed would benefit from a fast way to get those blocked in case Mozilla detects critical issues with them.
