[tor-bugs] #29916 [Applications/Tor Browser]: Group Policies for Firefox can bypass Tor Browser's proxy settings

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 1 14:03:44 UTC 2019


#29916: Group Policies for Firefox can bypass Tor Browser's proxy settings
-------------------------------------------------+-------------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  defect                               |         Status:  needs_review
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-proxy-bypass,                    |  Actual Points:
  TorBrowserTeam201904R, tbb-8.5-must-alpha      |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------------
Changes (by gk):

 * status:  needs_information => needs_review
 * keywords:  tbb-proxy-bypass, TorBrowserTeam201904, tbb-8.5-must-alpha =>
     tbb-proxy-bypass, TorBrowserTeam201904R, tbb-8.5-must-alpha


Comment:

 Replying to [comment:8 tom]:
 > No, the pref should be enough. I was suggesting reverting the other one to
 > carry one less customization.
 >
 > Policy support will be screwy though. As this issue illustrates, if you
 > enable policy support, you will pick up a policy for Firefox, if it's
 > present in certain locations, rather than a Tor Browser-specific policy.
 > If we wanted to support policies we probably should require them to be
 > TB-specific.

 Fair enough. I've pushed `bug_29916`
 (https://gitweb.torproject.org/user/gk/tor-browser.git/log/?h=bug_29916)
 to make the changes you suggested and have them up for review. However, I
 am still not convinced that this is the whole picture. In particular, I
 feel those changes *do not* explain how the registry-based bypass is
 working, given that the pref is only checked at one place and
 `areEnterpriseOnlyPoliciesAllowed()` results in `false` for the stable
 series, yet the bug report was made against 8.0.x.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29916#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

