[tor-bugs] #22910 [Applications/Tor Browser Sandbox]: Deprecate the extra codecs/volatile extension dir options
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jul 13 02:30:14 UTC 2017
#22910: Deprecate the extra codecs/volatile extension dir options
--------------------------------------------------+---------------------
Reporter: yawning | Owner: yawning
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser Sandbox | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------------------------------+---------------------
Having massive "foot + gun" options in general is bad practice.

The extra codecs will expose ffmpeg to the browser container, which is a
concrete increase in attack surface for questionable gain (gstreamer is
never allowed).

The volatile extension dir gives firefox more write access than what
anyone that's vaguely security conscious should be comfortable with, to
critical browser components, and there's the ongoing `about:addons`
fiasco.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22910>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online