[tbb-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Mar 8 16:00:39 UTC 2017
#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
Reporter: gk | Owner: tbb-
Type: task | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff52-esr, tbb-7.0-must, | Actual Points:
TorBrowserTeam201703, GeorgKoppen201703 |
Parent ID: | Points:
Reviewer: | Sponsor:
Comment (by gk):
Replying to [comment:11 mcs]:
> Here are some things Kathy and I found while reviewing Firefox 48
changes (we will need to file separate tickets for some of these, but as a
first pass I am posting our notes in this ticket):
> a) We should probably make sure screen sharing is disabled. Maybe this
is covered by our removal of WebRTC, but we could also set these pref
values to be sure:
> media.getusermedia.screensharing.enabled = false
> media.getusermedia.screensharing.allowed_domains = ""
That seems to be nothing new or did something related to those prefs
change between ESR 45 and ESR 52?
> b) Some safe browsing prefs have been renamed and other functionality
has been added. We should disable all of it via the following pref values:
> browser.safebrowsing.downloads.enabled = false
> browser.safebrowsing.downloads.remote.enabled = false
> browser.safebrowsing.malware.enabled = false
> browser.safebrowsing.phishing.enabled = false
> browser.safebrowsing.blockedURIs.enabled = false
This is #21683.
> c) We should return a constant value for
This is #21675. Note the related one, #18559.
> d) From a fingerprinting perspective, the following bug is a little
scary (consult Firefox prefs from CSS) but use seems to be limited to
internal style sheets:
Yes. Looking over it it seems to be okay having even a test showing this
is a non-issue for non-priv contexts.
> e) Mozilla sites can check whether an add-on is installed and retrieve
some metadata. Do we want to disable this?
Yes. This is bug #21684.
> f) APIs to allow access to some internal Firefox services from remote
New Tab pages (hosted on mozilla.org servers) have been added. We should
figure out how to disable them.
> PreviewProvider Messaging API
> NewTabPrefsProvider Messaging API
> PlacesProvider Messaging API
This is #21685.
> g) We may want to skip importing a certificate on Windows to support
Microsoft Family Safety by setting:
> security.family_safety.mode = 0
Yes, in #21686.
> h) We may want to document for our Linux users that add-ons installed in
the following directory do not have to be signed by Mozilla:
Maybe, although I still think we should not propagate things that deviate
from the Tor Browser as we ship it.
> i) If we enable e10s/multiprocess mode, we should document for our users
that it will be disabled if accessibility tools are used.
There are a bunch more conditions where this holds. I made a note in
Other items I have
j) prefetch in the network predictor is implemented
(https://bugzilla.mozilla.org/show_bug.cgi?id=1016628). I opened #21687.
k) There is a search service update feature available we ignored up to now
(I stumbled over it while readin
https://bugzilla.mozilla.org/show_bug.cgi?id=1259510). We should
investigate whether that is an issue for us. This is done in #21688.
l) `Element.animate()` got shipped
(https://bugzilla.mozilla.org/show_bug.cgi?id=1245000) that part of the
Animations API seems to be available right now. I moved #16337 for that
back onto our ESR 52 radar.
m) Fetch RequestCache got implemented
(https://bugzilla.mozilla.org/show_bug.cgi?id=1120715). Not sure if that
is a thing we should care about. But if so, it has to respect our design
guidelines. This is #21689.
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs