Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#27277 closed defect (wontfix)

I got a message in TorBrowser asking me to Approve new permissions

Reported by: Dbryrtfbcbhgf Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


I got a message in TorBrowser asking me to Approve new permissions. Here is a
TorBrowser 8.0a10

Child Tickets

Change History (6)

comment:1 Changed 2 years ago by Dbryrtfbcbhgf

This message may be scary for end users, making it sound like it could possible compromise them.

comment:2 Changed 2 years ago by gk

That's happening in a vanilla Firefox as well. I am not convinced we should override this mechanism. At least not before hearing Mozilla's rationale for doing so.

comment:3 Changed 2 years ago by legind

It looks like adding the ability to block FTP requests when the "Block all unencrypted requests" option is checked triggered this warning: This is really unintuitive from the warning itself, and in my opinion Firefox should change that wording - it only serves to discourage security-conscious people from using the extension. I apologize for this unexpected and frightening warning.

comment:4 Changed 2 years ago by legind

Why this is showing up in the alpha channel and not in the ESR-based stable channel is explained here:

comment:5 Changed 2 years ago by gk

Resolution: wontfix
Status: newclosed

Thanks for the pointers, legind, much appreciated. I guess there is nothing we can do here from the Tor Browser side (at least not in this particular case). If you file a bug at Mozilla's bug tracker, I'd be happy to get CCed, thanks!

comment:6 Changed 2 years ago by traumschule

It's fine to ask but bad to not show the changelog or .xpi fingerprint:

  * Adding a warning to pages which 'Block all unencrypted requests' is unable to upgrade
  * Adding a UX that enables users to add, delete, and edit update channels
  * Reduces memory overhead by optimizing exclusion regex
  * Block insecure FTP connections when 'Block all unencrypted requests' is checked
  * Bundled ruleset updates

With this update users (or scripts) can add new update channels. Not necessarily a good thing.

Note: See TracTickets for help on using tickets.