[tbb-dev] "Open with" vs. confinement of Tor Browser

anonym anonym at riseup.net
Sun Nov 1 17:30:55 UTC 2015

> Hi,
> when we've started confining Tor Browser with AppArmor in Tails, we
> introduced a usability regression: when downloading a file, we let the
> user choose between "Save as" and "Open with", while we know that
> "Open with" will always fail.
> I see two main options:
> 1. Add an option to Tor Browser to never propose opening a downloaded
>    file with an external application.

This would of course be ideal. Personally I find the fact that it is the
web server that decides the MIME type another reason for completely
removing "Open with..." (perhaps in the "vanilla" (i.e. non-Tails) Tor
Browser too?). I'm not sure if there's an attack vector there, but it
just feels wrong, and creates an inconsistent UX. For instance,
depending which Tails mirror is picked when trying to download the .iso
or .sig, the download may have the "Open with..." option, or it may not.

FWIW, in our ticket about this [1] I investigated some add-ons that
modify the download dialog. A cheap way to implement this may be to just
always drop the MIME info so the "Save as"/"Cancel" dialog always is used.

> 2. Display a custom pre-download dialog that makes users aware of the
>    limitations ("the next dialog window lies ⇒ don't even try choosing
>    'Open with'")

This is a hack! :)

However, in the "vanilla" Tor Browser I think the current warning would
be improved if it were moved from the separate dialog into the download
dialog, e.g. the warning is shown underneath the "Open with..." radio
button whenever it is selected.


[1] https://labs.riseup.net/code/issues/9285

More information about the tbb-dev mailing list