[tbb-bugs] #21685 [Applications/Tor Browser]: Remote New Tab pages have access to internal browser APIs in Firefox 52

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri May 12 08:38:08 UTC 2017


#21685: Remote New Tab pages have access to internal browser APIs in Firefox 52
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must-alpha,        |  Actual Points:
  TorBrowserTeam201705R                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------
Changes (by arthuredelstein):

 * status:  new => needs_review
 * keywords:  ff52-esr, tbb-7.0-must-alpha, TorBrowserTeam201705 =>
     ff52-esr, tbb-7.0-must-alpha, TorBrowserTeam201705R


Comment:

 The `browser.newtabpage.remote` pref is set to false in Firefox 52ESR by
 default. I looked at the relevant code and tried toggling the pref
 manually and I am convinced that remote pages are disabled in new tabs
 when the pref is false. So I don't think we need to worry about these
 additional APIs being accessed by remote pages.

 We can also set the pref to false ourselves (redundantly) to be sure this
 doesn't change in the future. Here's a patch that does that:
 https://github.com/arthuredelstein/tor-browser/commit/21685

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21685#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

