[tor-bugs] #9454 [TorBrowserButton]: Torbrowser shouldn't load any plugins if user didn't changed security settings
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Aug 15 16:00:27 UTC 2013
#9454: Torbrowser shouldn't load any plugins if user didn't changed security
settings
------------------------------+---------------------------------------------
Reporter: cypherpunks | Owner: mikeperry
Type: defect | Status: new
Priority: normal | Milestone:
Component: TorBrowserButton | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------------+---------------------------------------------
Comment(by cypherpunks):
Replying to [ticket:9454 cypherpunks]:
> plugin was loaded to browser's address space already.
It's not how a Gecko Plug-in works. https://developer.mozilla.org/en-
US/docs/Gecko_Plugin_API_Reference/Plug-
in_Basics#Understanding_the_Runtime_Model
No any code loaded in to memory till it required, according this document.
It's absolutely safe to enumerate any system-wide installed plug-ins as
long as Torbutton disables plug-in with exist code. If any code can bypass
Torbutton protections then it can bypass Torbutton entirely and do even
worse things than it.
The only concern may keep is monitoring of plug-in existence in add-ons
list. But that is paranoia on a basis of insufficient information.
I suggest to close this bug as wontfix or notabug.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9454#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list