[tbb-bugs] #22974 [Applications/Tor Browser]: NoScript (and Tor Browser) vulnerable to Mozilla Add-On Code Execution

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 19 09:15:29 UTC 2017


#22974: NoScript (and Tor Browser) vulnerable to Mozilla Add-On Code Execution
--------------------------------------+--------------------------
 Reporter:  tom                       |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by gk):

 Replying to [ticket:22974 tom]:
 > 3) In 59, when Web Extensions are around this won't be as big of a
 > concern. Mozilla can't get code execution but could neuter the effect of
 > an add-on or turn it into spyware (assuming we keep extension updating in
 > place). Whether web extensions will support an updateKey mechanism is an
 > open question (they don't now, EFF wants it. Tor might wish to lend
 > support to the argument. If Tor could get another partner repack to join
 > in that would help even more I bet.)

 To be honest I am not sure whether we as Tor should push for that. On one
 hand that allows adding an extra layer of security, which is a good thing
 for all Firefox users but on the other hand do we want to get rid of
 extension update pinging and extension updating via AMO in our default Tor
 Browser configuration as a result of the HPKP fiasco (see #20146).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22974#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

