Opened 22 months ago

Last modified 22 months ago

#22642 new defect

TorBrowser 7.x Mac - Disable kMDItemWhereFroms extended attributes at least in Private Browsing Mode

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-disk-leak
Cc: DrMikeTwiddle Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

In late 2016, Mozilla developers implemented kMDItemWhereFroms extended attribute metadata on macOS to behave more like Safari (however Safari, rather surprisingly for Apple, doesn't write xattrs in private browsing).

When files are downloaded, Firefox (v51+) writes the URL of downloaded files to a kMDItemWhereFroms entry in the file's extended attribute, even in Private Browsing mode. This metadata can be viewed using "xattr -l <file>" and removed using "xattr -rc <file>", but on later versions of 10.12 this metadata is usually also written to ~Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

I plan to file a bug on bugzilla and ask the devs who implemented it whether they could add an about:config pref or disable the functionality in private browsing, but in case they don't respond, I thought I'd file a ticket here too since TorBrowser is now on v52ESR.

Here's the bugzilla bug where the developers originally implemented the kMDItemWhereFroms functionality.

https://bugzilla.mozilla.org/show_bug.cgi?id=337051

Child Tickets

Change History (2)

comment:1 Changed 22 months ago by cypherpunks

Here is the mozilla bugzilla bug I created. https://bugzilla.mozilla.org/show_bug.cgi?id=1374027

comment:2 Changed 22 months ago by gk

Cc: DrMikeTwiddle added
Keywords: tbb-disk-leak added

#22904 is a duplicate.

Note: See TracTickets for help on using tickets.