[tor-bugs] #7248 [Firefox Patch Issues]: Review+Audit Firefox 16 and 17 for next FF ESR release

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 7 01:16:09 UTC 2013


#7248: Review+Audit Firefox 16 and 17 for next FF ESR release
-----------------------------------------+----------------------------------
 Reporter:  mikeperry                    |          Owner:  mikeperry
     Type:  task                         |         Status:  new      
 Priority:  major                        |      Milestone:           
Component:  Firefox Patch Issues         |        Version:           
 Keywords:  tbb-rebase MikePerry201302d  |         Parent:           
   Points:                               |   Actualpoints:           
-----------------------------------------+----------------------------------

Comment(by mikeperry):

 Here are the results of the audit so far:

 During the network audit, I noticed that WebRTC snuck in, and seems to get
 built. Not sure if it is exposed to content yet, but it has code to
 initiate UDP sockets independent of the proxy settings. I filed #8178 to
 disable it (it has a build flag, thankfully). Everything else seems solid
 and more or less the same wrt networking.

 CSS calc, currentColor, and scrollMax all seem benign. Calc supports
 numbers (pixels and percents) only. The Idle API was disabled at the last
 minute for normal content, but is still available to "WebApps" and
 extensions.

 As for the other WebApp APIs and WebApps in general, I am conflicted over
 disabling them vs allowing them but recommending against them in the FAQ
 (similar to what we do with extensions). If we decide to disable them, it
 looks like that is also just a build flag (--disable-webapp-runtime).

 The Social API appears to be disabled by default through the pref
 'social.enabled'. It has a whitelist with Facebook in it
 ('social.activation.whitelist'), but a false value for the
 'social.enabled' pref appears to override the whitelist.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7248#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

