[tor-bugs] #14970 [Tor Browser]: Don't allow third parties to block our own Tor Browser extensions
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Apr 13 18:23:13 UTC 2016
#14970: Don't allow third parties to block our own Tor Browser extensions
-------------------------------------------------+-------------------------
Reporter: gk | Owner: gk
Type: enhancement | Status:
Priority: Medium | needs_review
Component: Tor Browser | Milestone:
Severity: Normal | Version:
Keywords: ff45-esr, tbb-security, tbb-6.0a5, | Resolution:
TorBrowserTeam201604R, GeorgKoppen201604 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by mcs):
Kathy and I review your patch and have two comments:
1. Are you sure you need the pref override? In ESR45,
browser/app/profile/firefox.js already has:
pref("xpinstall.signatures.required", true);
2. I think we may need to add whitelisting inside
processPendingFileChanges() in XPIProvider.jsm near the call to
mustSign(). If I remember correctly, processPendingFileChanges() will be
called after an update and we want to ensure that our extensions are not
blocked (since #13252 landed, our extensions are copied out of the .app
into the user's profile after each update on Mac OS).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14970#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list