Opened 18 months ago

Last modified 9 months ago

#23664 new defect

Deal with UUID for content sandbox temp folder on Windows and Mac

Reported by: gk
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: tbb-security, tbb-disk-leak
Cc: tom
Actual Points:
Parent ID: #23658
Points:
Reviewer:
Sponsor:

Description (last modified by gk)

comment:56:ticket:16010 mentioned:

> A very important side issue is that the sandboxing feature adds the `security.sandbox.content.tempDirSuffix` pref, which is a 128-bit GUID that allows your copy of Tor Browser to be uniquely identified. It is persistent and leaves unique traces on every machine you use, in the system %TEMP% folder.

We should find a good way of dealing with that. Maybe a first start is to set the pref, so that every Windows user has the same sandbox temp dir name.
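
A defender-side check for the trace described above, as an added example that is not part of the ticket or of Tor Browser's code: it reads the pref from the text of a profile's `prefs.js` and lists entries in a temp directory whose names embed the stored value. The sample GUID, the `Temp-` directory name, the optional braces around the GUID and all function names are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PREF = "security.sandbox.content.tempDirSuffix"
# Matches string-valued lines of the form: user_pref("name", "value");
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;', re.M)
# 128-bit GUID in 8-4-4-4-12 hex form; surrounding braces are an assumption
GUID_RE = re.compile(r"^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")

def read_suffix(prefs_text):
    """Return the stored suffix, or None if the pref is not set."""
    for name, value in PREF_RE.findall(prefs_text):
        if name == PREF:
            return value
    return None

def find_traces(temp_dir, suffix):
    """Names of entries in temp_dir that embed the suffix (case-insensitive)."""
    needle = suffix.strip("{}").lower()
    if not needle:
        return []
    return sorted(p.name for p in Path(temp_dir).iterdir()
                  if needle in p.name.lower())

def audit(prefs_text, temp_dir):
    """Report the pref value, whether it looks unique, and on-disk traces."""
    suffix = read_suffix(prefs_text)
    return {
        "suffix": suffix,
        "is_guid": bool(suffix and GUID_RE.match(suffix)),
        "traces": find_traces(temp_dir, suffix) if suffix else [],
    }

def demo():
    # Constructed sample data: the GUID, prefs.js text and directory names
    # below are made up and do not come from a real profile.
    guid = "{01234567-89ab-cdef-0123-456789abcdef}"
    prefs = ('user_pref("browser.startup.page", 0);\n'
             f'user_pref("{PREF}", "{guid}");\n')
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / f"Temp-{guid}").mkdir()
        (Path(tmp) / "unrelated").mkdir()
        return audit(prefs, tmp)

if __name__ == "__main__":
    print(demo())
```

A profile where `is_guid` is true carries a per-installation value; a non-empty `traces` list shows that value has been written into the scanned temp directory.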

Change History (7)

comment:1 Changed 18 months ago by gk

Description: modified

comment:2 Changed 18 months ago by tom

Cc: tom added

comment:3 Changed 18 months ago by cypherpunks

Summary: Deal with GUID for content sandbox temp folder on Windows → Deal with UUID for content sandbox temp folder on Windows and Mac

We need to redirect `NS_OS_TEMP_DIR` to `\Tor Browser\Browser\TorBrowser\Data\Browser\Caches\profile.default` or something similar. And it is overridden by `NS_APP_CONTENT_PROCESS_TEMP_DIR`: https://hg.mozilla.org/mozilla-central/rev/5136dcccfe4a#l4.13
Temp directory suffix can be set via pref: https://hg.mozilla.org/mozilla-central/rev/5136dcccfe4a#l2.145
on Mac too: https://dxr.mozilla.org/mozilla-esr52/source/browser/app/profile/firefox.js#1019

comment:5 Changed 14 months ago by cypherpunks

Priority: Medium → High
Severity: Normal → Major

It's unbelievable you put unique traces into release :-(

comment:6 in reply to:  description Changed 9 months ago by cypherpunks

Replying to gk:

> Maybe a first start is to set the pref, so that every Windows user has the same sandbox temp dir name.

Do at least that. No improvements found in ESR60.

comment:7 Changed 9 months ago by cypherpunks

Nothing to say when we still have persistent web-visible UUID if https://bugzilla.mozilla.org/show_bug.cgi?id=1374721#c5

Last edited 9 months ago by cypherpunks