I mentioned in IRC today that the Mac Sandbox in 60 at least (but possibly also in 52!!) blocks network access.
I got added to https://bugzilla.mozilla.org/show_bug.cgi?id=1281296 today, which talks about Linux, and is promising!
And finally there's Windows, which is blocked by https://bugzilla.mozilla.org/show_bug.cgi?id=1432303 at least (possibly some others.)
-tom
On 15 March 2018 at 17:04, Nicolas Vigier boklm@mars-attacks.org wrote:
On Thu, 15 Mar 2018, Tom Ritter wrote:
45 seconds ago I just learned about the environment variable MOZ_DISABLE_NONLOCAL_CONNECTIONS that we use in our testing environment. It feeds through to one real location in the browser: nsSocketTransport2 https://searchfox.org/mozilla-central/rev/8976abf9cab8eb4661665cc86bd355cd08...
This isn't a sandbox. If an attacker has code execution (parent or content process) they can make network connections manually from system libraries and will never touch this code. But it might be a way to add (some) assurance about browser features accidentally bypassing the proxy.
So I'm wondering if this is something Tor Browser can set for defense in depth. In fact, it's already in esr52: https://dxr.mozilla.org/mozilla-esr52/search?q=AreNonLocalConnectionsDisable... I tried to get Tor Browser to unset the proxy but couldn't seem to get it to work; is there a patch that prevents this?
Even if it doesn't add a lot of protection, it doesn't cost a lot to enable it, so it sounds like a good idea.
tbb-dev mailing list tbb-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev