Deprecate the volatile extension dir options

Having massive "foot + gun" options in general is bad practice.

The volatile extension dir gives firefox more write access than what anyone that's vaguely security conscious should be comfortable with, to critical browser components, and there's the ongoing `about:addons` fisasco.

added component::archived/tor browser sandbox owner::yawning priority::medium resolution::fixed severity::normal status::closed type::enhancement labels

Please don't, sandboxed tor browser + enabling addons is still WAY more secure than vanilla Tor Browser. And you already put a very big "UNSAFE" next to them.

Volatile Extensions Dir: https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/commit/?id=701c0656be16440203147eb0ea6104486bb77096

I still need to think about ffmpeg, but really what should happen is that Tor Browser should bundle their own copy if it's that critical to functionality instead of pulling in one of 7 different .so files via dlopen.

Trac:
Status: new to accepted

It looks like the browser people sort of considered the ffmpeg situation at #18946 (moved), and I initially added the pref in #20806 (closed).

The list of shared objects that FF will pull appears to be hardcoded in dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp. When I initially wrote this, it was also pulling in libgstreamer (which has explicitly always been rejected via the fine grained shared object code), but maybe that's gone now.

    "libavcodec-ffmpeg.so.57",
    "libavcodec-ffmpeg.so.56",
    "libavcodec.so.57",
    "libavcodec.so.56",
    "libavcodec.so.55",
    "libavcodec.so.54",
    "libavcodec.so.53",

    // "libgstreamer-0.10.so.0",
    // "libgstapp-0.10.so.0",
    // "libgstvideo-0.10.so.0",

The extra codec deprecation is now #22933 (closed), and this ticket is fixed in master.

Trac:
Summary: Deprecate the extra codecs/volatile extension dir options to Deprecate the volatile extension dir options
Description: Having massive "foot + gun" options in general is bad practice.

The extra codecs will expose ffmpeg to the browser container, which is a concrete increase in attack surface for questionable gain (gstreamer is never allowed).

The volatile extension dir gives firefox more write access than what anyone that's vaguely security conscious should be comfortable with, to critical browser components, and there's the ongoing about:addons fisasco.

to

Having massive "foot + gun" options in general is bad practice.

The volatile extension dir gives firefox more write access than what anyone that's vaguely security conscious should be comfortable with, to critical browser components, and there's the ongoing `about:addons` fisasco.

Trac:
Resolution: N/A to fixed
Status: accepted to closed

closed

mentioned in issue #22933 (closed)