
Re: [tor-bugs] #31730 [Applications/Tor Browser]: Revert aarch64 fixup for ESR 60-based bundles with Tor Browser 9



#31730: Revert aarch64 fixup for ESR 60-based bundles with Tor Browser 9
-------------------------------------------------+--------------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  defect                               |         Status:  needs_revision
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-mobile, tbb-parity,              |  Actual Points:
  TorBrowserTeam201910 tbb-9.0-must              |
Parent ID:                                       |         Points:  0.5
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+--------------------------------

Comment (by acat):

 In the first version, which I didn't push, I was doing a similar thing,
 reusing the function `read_setting_from_prefs`. I think I switched to just
 checking the security level because I thought in any case it would be
 possible to set these prefs to `true` without the user wanting it, and that
 it would not be very likely that a user who did not change the security
 level slider would have set `ion`, `baselinejit` and `native_regexp`
 manually to `false`.

 But I think the one you suggest is probably better here; it's on the safer
 side. It's true that there could be the case that a user kept level 4 and
 just flipped some of `media.webaudio.enabled`, `mathml.disabled`,
 `gfx.font_rendering.opentype_svg.enabled` or `svg.disabled`, in which case
 with this fix we would wrongly keep `ion`, `baselinejit` or
 `native_regexp` set to `false` (with an unnecessary performance hit). But
 given that no solution is perfect, I think it's better to prioritize
 security over performance.

 For both fixes, there's always the case that for a user who kept the
 security level at 4 and disabled `ion`, `baselinejit` or `native_regexp` we
 will be wrongly enabling these. So I think in any case having some warning
 is good, not sure where. Probably somewhere in release notes and/or blog
 post is enough.

 So here is the revised fix:
 https://github.com/acatarineu/torbutton/commit/31730+2

 I'm also checking that the slider value is 4, to rule out cases where the
 user moved the security slider to < 3 but flipped some prefs in a way that
 those have the same value as level 4 (very unlikely, but...).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31730#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
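
The decision logic discussed in the comment above, as an added example that is not part of the original message or the torbutton commit. The `javascript.options.` prefix on the JIT prefs, the slider pref name, the level-4 values and the helper names are assumptions made for illustration.

```javascript
// Added illustration. Full pref names, the slider pref name and the level-4
// values below are assumptions, not taken from the linked commit.
const SLIDER_PREF = "extensions.torbutton.security_slider";
const JIT_PREFS = [
  "javascript.options.ion",
  "javascript.options.baselinejit",
  "javascript.options.native_regexp",
];
// Assumed values of the non-JIT prefs at slider level 4.
const LEVEL4_OTHER_PREFS = {
  "media.webaudio.enabled": true,
  "mathml.disabled": false,
  "gfx.font_rendering.opentype_svg.enabled": true,
  "svg.disabled": false,
};

// Decide whether the aarch64 fixup may be reverted for this profile.
function shouldRevertFixup(prefs) {
  if (prefs[SLIDER_PREF] !== 4) return false; // slider was moved: leave prefs alone
  // Any non-JIT pref that differs from level 4 means the profile was customised,
  // so stay on the safe side and keep the JIT prefs disabled.
  return Object.entries(LEVEL4_OTHER_PREFS).every(([k, v]) => prefs[k] === v);
}

// Returns a new pref object; JIT prefs become true only when the check passes.
function revertAarch64Fixup(prefs) {
  const out = { ...prefs };
  if (shouldRevertFixup(prefs)) for (const p of JIT_PREFS) out[p] = true;
  return out;
}

// Constructed sample profiles covering the cases in the comment.
function profile(slider, overrides = {}) {
  const base = { [SLIDER_PREF]: slider, ...LEVEL4_OTHER_PREFS };
  for (const p of JIT_PREFS) base[p] = false; // state left behind by the fixup
  return { ...base, ...overrides };
}
const cases = {
  untouched: profile(4), // also what a user who disabled JIT by hand looks like
  flippedSvg: profile(4, { "svg.disabled": true }),
  lowSliderSameValues: profile(2),
};
for (const [name, p] of Object.entries(cases)) {
  console.log(name, JIT_PREFS.map((k) => revertAarch64Fixup(p)[k]));
}
```

The `untouched` profile is indistinguishable from one where the user disabled the JIT prefs manually at level 4, which is the remaining false positive the comment proposes to cover with a release-note warning.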