[tor-bugs] #10280 [Firefox Patch Issues]: Torbrowser shouldn't load flash into the process space by default

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Dec 6 23:05:40 UTC 2013 

#10280: Torbrowser shouldn't load flash into the process space by default
--------------------------------------+-----------------
     Reporter:  mikeperry             |      Owner:
         Type:  enhancement           |     Status:  new
     Priority:  normal                |  Milestone:
    Component:  Firefox Patch Issues  |    Version:
   Resolution:                        |   Keywords:
Actual Points:                        |  Parent ID:
       Points:                        |
--------------------------------------+-----------------

Comment (by mikeperry):

 First, remember that TBB pulls in a *lot* of code from all over your
 system. It is dependent on a ton of libraries, display manager code, and
 interacts with other apps on your desktop all the time through X11 event
 monitoring and other mechanisms.

 Further, at the end of the day, I want the default experience to be
 maximally usable, but of course not at the expense of any known proxy
 bypass or deanonymization issues.. If there was a solid, known security
 reason not to load Flash, I would be more convinced that it was worth
 impeding UX. But the Firefox plugin blocker has shown no signs of being
 incomplete, nor has flash shown any signs of being malicious in its
 interaction with the Firefox address space.

 *However*, it does sound like we're getting closer to a situation where we
 can have both decent UX and satisfy this request. If we can touch up this
 patch a bit to also add a button in the Addons->Plugins UI such that users
 can enable plugins by clicking on that button (in addition to via the
 Torbutton settings), this does seem like a reasonable user experience,
 especially since it would appear to no longer require restarting the
 browser to load+enable Flash (which was a key aspect of my initial
 opposition).

 The other thing we can (perhaps also?) do is make this part of one of the
 positions on the security slider from #9837.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10280#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list