[tbb-bugs] #21396 [Applications/Tor Browser]: Torbutton breaks Session Manager addon

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 9 10:44:35 UTC 2017 

#21396: Torbutton breaks Session Manager addon
-------------------------------------------------+-------------------------
 Reporter:  HolD                                 |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_information
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-6.5-regression,                  |  Actual Points:
  TorBrowserTeam201702, GeorgKoppen201702        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * cc: lnl (added)


Comment:

 Replying to [comment:7 yawning]:
 > Replying to [comment:6 gk]:
 > > Session Manager does not like it that
 `chrome://sessionmanager/locale/sessionmanager.dtd` and
 `chrome://sessionmanager/locale/options.dtd` are blocked by our fix for
 #8725. Things like `&toolbar.tooltip` need to be available for content
 after the first installation. HolD: does adding the toolbar buttons
 manually to the toolbar work for you?
 >
 > What's the origin URI when the requests make it to the content policy?
 If this is one of the cases where `aRequestOrigin` can basically be
 anything, the only way to solve this would be to whitelist the relevant
 URIs.  Note that, doing so will make it trivial for sites to fingerprint
 if the addon is present or not (then again, people installing extra
 addons/plugins void the non-existent warranty in the first place).

 `moz-nullprincipal:{1f22744b-c4db-41b6-8d6e-3d06c176578e}`. Looking at the
 docs it seems like checking for that one would be okay. But this is not a
 solution that scales well. I wonder if we should just add a preference
 `extensions.torbutton_resource_and_chrome_uri_fingerprinting` and set that
 to `false` by default allowing users to override it and to disable the
 content policy hack. Maybe UX folks have an idea.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21396#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list