[tor-bugs] #14970 [Tor Browser]: Don't allow third parties to block our own Tor Browser extensions

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 14 09:53:31 UTC 2016


#14970: Don't allow third parties to block our own Tor Browser extensions
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  gk
     Type:  enhancement                          |         Status:
 Priority:  Medium                               |  needs_review
Component:  Tor Browser                          |      Milestone:
 Severity:  Normal                               |        Version:
 Keywords:  ff45-esr, tbb-security, tbb-6.0a5,   |     Resolution:
  TorBrowserTeam201604R, GeorgKoppen201604       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:13 mcs]:
 > Kathy and I reviewed your patch and have two comments:
 > 1. Are you sure you need the pref override? In ESR45,
 > browser/app/profile/firefox.js already has:
 >  pref("xpinstall.signatures.required", true);

 Ah, correct. I misremembered the discussion regarding this preference on
 the mozilla enterprise mailing list (that one was actually about whether
 that preference stays while it is going to get removed soon in vanilla
 Firefox code). I removed that part.

 > 2. I think we may need to add whitelisting inside
 > processPendingFileChanges() in XPIProvider.jsm near the call to
 > mustSign(). If I remember correctly, processPendingFileChanges() will be
 > called after an update and we want to ensure that our extensions are not
 > blocked (since #13252 landed, our extensions are copied out of the .app
 > into the user's profile after each update on Mac OS).

 Good catch and I think you are right. My bug_14970_v5
 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_14970_v5&id=d65c317a541615545f8eeba6c85c05ca468e490a)
 should have the fixes.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14970#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

