[tbb-bugs] #31144 [Applications/Tor Browser]: ESR68 Network Code Review

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 9 23:37:16 UTC 2019


#31144: ESR68 Network Code Review
-------------------------------------------------+-------------------------
 Reporter:  pili                                 |          Owner:  tbb-team
     Type:  task                                 |         Status:  new
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  TorBrowserTeam201910,                |  Actual Points:
            tbb-9.0-alpha-must                   |
Parent ID:                                       |         Points:  10
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by mikeperry):

 Ok, I'm wrapping this up. I have the following questions/observations
 first:
 1. ./devtools/shared/discovery/discovery.js uses UDP multicast for
 debugger discovery. This should only be local network, but maybe we should
 disable it anyway. Do we?
 2. ./dom/presentation/PresentationTCPSessionTransport.cpp seems to use TCP
 for app-to-app communication. Do we disable the DOM presentation stuff?
 3. ./toolkit/modules/secondscreen/RokuApp.jsm also makes connections..
 ISTR disabling this? Is it off?
 4. For Rust, I found sendmsg and recvmsg only in mio and audioipc. I think
 this is fine? (I am asking about those two because Ritter's tool
 whitelisted them and I wanna double check).
 5. Otherwise has Ritter's network symbol tool been run on FF68ESR for
 Rust?
 6. I found a lot of instances where it looks like Android could use
 Intents to open external apps. Most of the obvious ones route through
 IntentHelper.openUriExternal() from
 ./mobile/android/base/java/org/mozilla/gecko/IntentHelper.java, which has
 some logic to show prompts in private browsing mode.. Do we set private
 browsing mode? Can users turn it off? Here are the files that call that
 function:
   - ./mobile/android/base/java/org/mozilla/gecko/activitystream/homepanel/menu/ActivityStreamContextMenu.java
   - ./mobile/android/base/java/org/mozilla/gecko/BrowserApp.java
   - ./mobile/android/base/java/org/mozilla/gecko/ChromeCastDisplay.java
   - ./mobile/android/base/java/org/mozilla/gecko/home/HomeFragment.java
 7. I have not dug through all of the Android code for *all* Intent usage..
 Should I? Has anyone?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31144#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

