[tbb-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Feb 25 13:45:19 UTC 2017


#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
--------------------------------------------+--------------------------
 Reporter:  gk                              |          Owner:  tbb-team
     Type:  task                            |         Status:  new
 Priority:  Medium                          |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  ff52-esr, TorBrowserTeam201702  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:  Sponsor4
--------------------------------------------+--------------------------

Comment (by mcs):

 Here are some things Kathy and I found while reviewing Firefox 48 changes
 (we will need to file separate tickets for some of these, but as a first
 pass I am posting our notes in this ticket):

 a) We should probably make sure screen sharing is disabled. Maybe this is
 covered by our removal of WebRTC, but we could also set these pref values
 to be sure:
  media.getusermedia.screensharing.enabled = false
  media.getusermedia.screensharing.allowed_domains = ""

 b) Some safe browsing prefs have been renamed and other functionality has
 been added. We should disable all of it via the following pref values:
  browser.safebrowsing.downloads.enabled = false
  browser.safebrowsing.downloads.remote.enabled = false
  browser.safebrowsing.malware.enabled = false
  browser.safebrowsing.phishing.enabled = false
  browser.safebrowsing.blockedURIs.enabled = false

 c) We should return a constant value for
 window.navigator.hardwareConcurrency.
  https://developer.mozilla.org/en-
 US/docs/Web/API/NavigatorConcurrentHardware/hardwareConcurrency

 d) From a fingerprinting perspective, the following bug is a little scary
 (consult Firefox prefs from CSS) but use seems to be limited to internal
 style sheets:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1259889

 e) Mozilla sites can check whether an add-on is installed and retrieve
 some metadata. Do we want to disable this?
  https://bugzilla.mozilla.org/show_bug.cgi?id=1245571

 f) APIs to allow access to some internal Firefox services from remote New
 Tab pages (hosted on mozilla.org servers) have been added. We should
 figure out how to disable them.
  PreviewProvider Messaging API
   https://bugzilla.mozilla.org/show_bug.cgi?id=1239119
  NewTabPrefsProvider Messaging API
   https://bugzilla.mozilla.org/show_bug.cgi?id=1239118
  PlacesProvider Messaging API
   https://bugzilla.mozilla.org/show_bug.cgi?id=1239116

 g) We may want to skip importing a certificate on Windows to support
 Microsoft Family Safety by setting:
  security.family_safety.mode = 0
  https://bugzilla.mozilla.org/show_bug.cgi?id=1239166

 h) We may want to document for our Linux users that add-ons installed in
 the following directory do not have to be signed by Mozilla:
   /usr/{lib,share}/mozilla/extensions

 i) If we enable e10s/multiprocess mode, we should document for our users
 that it will be disabled if accessibility tools are used.
  https://bugzilla.mozilla.org/show_bug.cgi?id=1260190

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list