Opened 19 months ago

Closed 19 months ago

Last modified 15 months ago

#24072 closed defect (wontfix)

Block Web Extensions from controlling crucial privacy preferences

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

By https://bugzilla.mozilla.org/show_bug.cgi?id=1397611 Web Extensions may be able to control crucial about:config prefs such as privacy.resistFingerprinting. This shouldn't happen (what if user installs an addon that actually disables that pref?)

Child Tickets

Change History (3)

comment:1 in reply to:  description Changed 19 months ago by gk

Resolution: wontfix
Status: newclosed

Replying to cypherpunks:

By https://bugzilla.mozilla.org/show_bug.cgi?id=1397611 Web Extensions may be able to control crucial about:config prefs such as privacy.resistFingerprinting. This shouldn't happen (what if user installs an addon that actually disables that pref?)

They should not do that. That's the same as with the current XPCOM-based extensions. Even though WebExtensions are less powerful than XPCOM-based ones there is still risk of interference that can lead to privacy loss/information disclosure. I think that's nothing Tor Browser can and should enforce without messing with extensions the users explicitly wants to have installed.

comment:2 Changed 15 months ago by cypherpunks

Keywords: ff59-esr removed

comment:3 Changed 15 months ago by tom

Well, there is https://bugzilla.mozilla.org/show_bug.cgi?id=440908 which might land in 60 or shortly thereafter.

When that lands, I would actually suggest that TB consider locking certain high value prefs (FPI, RFP, and the proxy ones.) That would help protect users from WebExtensions _and_ it might provide some layer of defense in depth from exploits (imagine a vulnerability that allowed an attacker to set arbitrary prefs.)

I'm not arguing that it would be a strong security barrier. I am suggesting it could be a low-risk, low-effort mechanism to add some protection.

Note: See TracTickets for help on using tickets.