commit a0620db9e7cd08e3d67a42d0c5b1067d5b3ed355 Author: Igor Oliveira igt0@torproject.org Date: Wed Aug 22 15:51:32 2018 -0300
Bug 27271 - Don't allow the user to install extensions from web
An attacker can send a tampered torbutton extension to the user and TBA, currently, is not able to verify if the torbutton extension was built by Tor. --- mobile/android/app/000-tor-browser-android.js | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/mobile/android/app/000-tor-browser-android.js b/mobile/android/app/000-tor-browser-android.js
index 399c6f07718b..04a613092e6d 100644
--- a/mobile/android/app/000-tor-browser-android.js
+++ b/mobile/android/app/000-tor-browser-android.js
@@ -56,3 +56,8 @@ pref("general.useragent.updates.url", "");
// Override this because Orbot uses 9050 as the default
pref("network.proxy.socks_port", 9050);
+
+// Do not allow the user to install extensions from web
+pref("xpinstall.enabled", false);
+pref("extensions.enabledScopes", 1);
+pref("extensions.autoDisableScopes", 1);
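Review bot: The two scope prefs at the end of the hunk are set to a bare `1` with no explanation, and the comment above them only describes `xpinstall.enabled`. Both values are bitmasks of the AddonManager scope constants, where 1 is the profile scope, so `extensions.enabledScopes` limits loading to add-ons in the profile and `extensions.autoDisableScopes` keeps add-ons sideloaded there disabled until approved; a comment such as `// Scope bitmask: 1 = AddonManager.SCOPE_PROFILE. Load only profile add-ons and keep sideloaded ones disabled.` would record that. All three are `pref()` defaults, so they can presumably still be overridden by a user pref, and the comment should say whether that is accepted for the tampered-torbutton case in the commit message. How the bundled torbutton extension is installed is not visible in this hunk, so it is worth confirming that it still loads enabled with these scope values.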