Make sure Torbutton and Tor Launcher are not treated as legacy extensions

We should avoid that Tor Launcher and Torbutton get treated as second class add-ons due to them still being based on XPCOM (e.g. getting shown on a separate add-on panel and not listed on the default about:addons page).

Setting extensions.legacy.enabled to true and adding the extensions IDs to extensions.legacy.exceptions should fix that.

added TorBrowserTeam201805R component::applications/tor browser ff60-esr owner::tbb-team priority::very high resolution::fixed severity::normal status::closed type::defect labels

I was nervous about this, so I checked with aswan.

This pref just changes the UI, so that's okay.

TB will (probably) want to build with MOZ_REQUIRE_SIGNING enabled; otherwise users can install legacy extensions at will.

When we bake a new certificate into the browser to sign our own legacy extensions, we'll need to set the OU to match what's in https://searchfox.org/mozilla-central/source/toolkit/mozapps/extensions/internal/XPIInstall.jsm#941 to make sure it gets the correct treatment.

Replying to tom:

I was nervous about this, so I checked with aswan.

This pref just changes the UI, so that's okay.

TB will (probably) want to build with MOZ_REQUIRE_SIGNING enabled; otherwise users can install legacy extensions at will.

Yes.

When we bake a new certificate into the browser to sign our own legacy extensions, we'll need to set the OU to match what's in https://searchfox.org/mozilla-central/source/toolkit/mozapps/extensions/internal/XPIInstall.jsm#941 to make sure it gets the correct treatment.

Good point. I think the signing bits are for #22971 (moved), though (even though it seems we need to slightly repurpose that bug).

Trac:
Keywords: N/A deleted, ff60-esr added

A fix for this bug is up in my bug_26127 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_26127&id=4eaeeb9b41e6509b97e3dd216a2e92572fc9b37b). Please review.

Trac:
Keywords: N/A deleted, TorBrowserTeam201805R added
Status: new to needs_review

Replying to gk:

A fix for this bug is up in my bug_26127 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_26127&id=4eaeeb9b41e6509b97e3dd216a2e92572fc9b37b). Please review.

I noticed it's possible to set "extensions.legacy.enabled" to false and you can still whitelist torbutton and tor-launcher using "extensions.legacy.exceptions". This might be a little safer by still providing a warning for any other legacy extensions installed.

So I'd suggest removing the "extensions.legacy.enabled" line. The other two lines of code look good to me.

Replying to arthuredelstein:

Replying to gk:

A fix for this bug is up in my bug_26127 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_26127&id=4eaeeb9b41e6509b97e3dd216a2e92572fc9b37b). Please review.

I noticed it's possible to set "extensions.legacy.enabled" to false and you can still whitelist torbutton and tor-launcher using "extensions.legacy.exceptions". This might be a little safer by still providing a warning for any other legacy extensions installed.

So I'd suggest removing the "extensions.legacy.enabled" line. The other two lines of code look good to me.

Thanks. I did so and change the exception line and the comment a bit taking into account that we don't want to have a warning for the default them showing up as this is confusing. I removed the whitespace between the extension IDs as sukhbir suggested even though that does not matter.

Applied to tor-browser-60.0.1esr-8.0-1 as commit 30544586f8a98e985e0038b2e905bfddb14e999e.

Trac:
Status: needs_review to closed
Resolution: N/A to fixed

closed

mentioned in issue #29347 (moved)

mentioned in issue tpo/anti-censorship/pluggable-transports/meek#29347 (closed)

moved to tpo/applications/tor-browser#26127 (closed)