#21684 closed defect (fixed)

AMO has access to installed extensions with window.navigator.AddonManager in ESR 52

Reported by: gk
Owned by: gk
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff52-esr, tbb-7.0-must, TorBrowserTeam201705R, GeorgKoppen201705
Cc: tbb-team
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: Sponsor4

Description

https://bugzilla.mozilla.org/show_bug.cgi?id=1255039 and dependent bugs implemented a way in which addons.mozilla.org is able to gather data about extensions the user has installed (and be it just a "yes/no"). We don't want this.

Change History (8)

comment:1 Changed 19 months ago by cypherpunks

If we don't trust AMO, we should also remove it from exceptions of "Warn me when sites try to install add-ons".

comment:2 Changed 18 months ago by gk

Keywords: TorBrowserTeam201704 added; TorBrowserTeam201703 removed

Move remaining tickets over to April

comment:3 Changed 17 months ago by gk

Keywords: TorBrowserTeam201705 added; TorBrowserTeam201704 removed

Moving our tickets to May 2017.

comment:4 Changed 16 months ago by gk

Keywords: tbb-7.0-must added; ttb-7.0-must removed

comment:5 Changed 16 months ago by gk

Cc: tbb-team added
Keywords: GeorgKoppen201705 added
Owner: changed from tbb-team to gk
Status: new → assigned

comment:6 Changed 16 months ago by gk

Keywords: TorBrowserTeam201705R added; TorBrowserTeam201705 removed
Status: assigned → needs_review

bug_21684 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_21684&id=b2f8585b66dc2856463950c7239015585a8481e3) has a patch for review.

FWIW: I pondered quite a while whether we should disable this API for both chrome and content but finally opted for doing so just for the latter. There might be breakage involved (especially in the longer run) by not allowing Firefox internals to use it. However, I am not sold on this. Thus, if there are good arguments for kicking window.navigator.AddonManager fully out let me know and we can reconsider it.

comment:7 Changed 16 months ago by mcs

r=mcs
Looks good to me, and the approach seems sound as well.
My only nit is that in the commit message you should s/Priviledged/Privileged/ (remove the extra 'd').

comment:8 Changed 16 months ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks. Fixed and applied to tor-browser-52.1.1esr-7.0-1 and tor-browser-52.1.0esr-7.0-2 (commit 9de9d5a74472423e5a7e5754f5d93b2d89103dfe and e5da14c4ae6e3917928b3004bca7bd49e972089e).
