[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr
#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
--------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff52-esr, TorBrowserTeam201702 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor: Sponsor4
--------------------------------------------+--------------------------
Comment (by mcs):
Here are some things Kathy and I found while reviewing Firefox 48 changes
(we will need to file separate tickets for some of these, but as a first
pass I am posting our notes in this ticket):
a) We should probably make sure screen sharing is disabled. Maybe this is
covered by our removal of WebRTC, but we could also set these pref values
to be sure:
media.getusermedia.screensharing.enabled = false
media.getusermedia.screensharing.allowed_domains = ""
b) Some safe browsing prefs have been renamed and other functionality has
been added. We should disable all of it via the following pref values:
browser.safebrowsing.downloads.enabled = false
browser.safebrowsing.downloads.remote.enabled = false
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.phishing.enabled = false
browser.safebrowsing.blockedURIs.enabled = false
c) We should return a constant value for
window.navigator.hardwareConcurrency.
https://developer.mozilla.org/en-
US/docs/Web/API/NavigatorConcurrentHardware/hardwareConcurrency
d) From a fingerprinting perspective, the following bug is a little scary
(consult Firefox prefs from CSS) but use seems to be limited to internal
style sheets:
https://bugzilla.mozilla.org/show_bug.cgi?id=1259889
e) Mozilla sites can check whether an add-on is installed and retrieve
some metadata. Do we want to disable this?
https://bugzilla.mozilla.org/show_bug.cgi?id=1245571
f) APIs to allow access to some internal Firefox services from remote New
Tab pages (hosted on mozilla.org servers) have been added. We should
figure out how to disable them.
PreviewProvider Messaging API
https://bugzilla.mozilla.org/show_bug.cgi?id=1239119
NewTabPrefsProvider Messaging API
https://bugzilla.mozilla.org/show_bug.cgi?id=1239118
PlacesProvider Messaging API
https://bugzilla.mozilla.org/show_bug.cgi?id=1239116
g) We may want to skip importing a certificate on Windows to support
Microsoft Family Safety by setting:
security.family_safety.mode = 0
https://bugzilla.mozilla.org/show_bug.cgi?id=1239166
h) We may want to document for our Linux users that add-ons installed in
the following directory do not have to be signed by Mozilla:
/usr/{lib,share}/mozilla/extensions
i) If we enable e10s/multiprocess mode, we should document for our users
that it will be disabled if accessibility tools are used.
https://bugzilla.mozilla.org/show_bug.cgi?id=1260190
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs