Opened 2 years ago

Closed 2 years ago

#22899 closed defect (fixed)

`about:addons`'s "Get Addons" pane is unsafe and should be treated as such.

Reported by: yawning Owned by: yawning
Priority: Medium Milestone:
Component: Archived/Tor Browser Sandbox Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: #22900 Points:
Reviewer: Sponsor:

Description

https://github.com/mozilla/addons-frontend/issues/2785

Right now the about:addons page loads an iFrame with content hosted on a Mozilla
website ("The Discovery Pane"). This page contains Google Analytics. Because we
don't allow add-ons to run on about:* pages, add-ons that would block GA don't
work here.

It appears that they are making this DNT based, which is entirely inadequate as any form of user tracking should be explicitly opt-in. My plan unless people tell me otherwise is to totally reject requests to discovery.addons.mozilla.org unless Modifiable Extensions is enabled.

Child Tickets

Change History (2)

comment:1 Changed 2 years ago by yawning

Parent ID: #22900

Add the Tor Browser bug.

comment:2 Changed 2 years ago by yawning

Resolution: fixed
Status: newclosed

https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/commit/?id=e06085d63ed1d9b33787e04172365db2179003e1

If users choose to bolt more stuff onto the sandboxed Tor Browser, their warranty is void, but this at least protects people that don't make poor life decisions.

Note: See TracTickets for help on using tickets.