[tbb-bugs] #21685 [Applications/Tor Browser]: Remote New Tab pages have access to internal browser APIs in Firefox 52
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri May 12 08:38:08 UTC 2017
#21685: Remote New Tab pages have access to internal browser APIs in Firefox 52
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  defect                               |         Status:  needs_review
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must-alpha,        |  Actual Points:
  TorBrowserTeam201705R                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:  Sponsor4
-------------------------------------------------+-------------------------
Changes (by arthuredelstein):
* status: new => needs_review
* keywords: ff52-esr, tbb-7.0-must-alpha, TorBrowserTeam201705 =>
ff52-esr, tbb-7.0-must-alpha, TorBrowserTeam201705R
Comment:

The `browser.newtabpage.remote` pref is set to false in Firefox 52ESR by
default. I looked at the relevant code and tried toggling the pref
manually and I am convinced that remote pages are disabled in new tabs
when the pref is false. So I don't think we need to worry about these
additional APIs being accessed by remote pages.

We can also set the pref to false ourselves (redundantly) to be sure this
doesn't change in the future. Here's a patch that does that:
https://github.com/arthuredelstein/tor-browser/commit/21685
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21685#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
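
An added example (not part of the ticket or the linked patch): a Python check that reads Firefox-style pref files and reports the effective value of `browser.newtabpage.remote`, so a build or profile can be verified to keep remote New Tab pages off. The file labels, the sample contents and the simplified precedence model (locked over user over default, with `pref()` read as a default-file entry) are assumptions.

```python
import re

PREF = "browser.newtabpage.remote"  # pref name taken from the ticket comment
# Matches one pref call per line; // comment lines never match.
# Block comments (/* ... */) are not handled in this sketch.
CALL = re.compile(r'^\s*(pref|sticky_pref|defaultPref|user_pref|lockPref)'
                  r'\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;?\s*$')

def audit_newtab_remote(files, builtin_default=False):
    """files: list of (label, text) pref files in load order.
    Returns (effective_value, deciding_location, problems)."""
    default = (builtin_default, "built-in default")
    user = locked = None
    problems = []
    for label, text in files:
        for n, line in enumerate(text.splitlines(), 1):
            m = CALL.match(line)
            if not m or m.group(2) != PREF:
                continue
            kind, raw, where = m.group(1), m.group(3), f"{label}:{n}"
            if raw not in ("true", "false"):
                problems.append(f"{where}: non-boolean value {raw!r}")
                continue
            val = raw == "true"
            if kind == "lockPref":
                locked = (val, where)   # locked value ignores user overrides
            elif kind == "user_pref":
                user = (val, where)     # user value overrides defaults
            else:
                default = (val, where)  # later default files win
    value, source = locked or user or default
    if value:
        problems.append(f"{source}: remote New Tab pages enabled")
    return value, source, problems

# Constructed sample input, not taken from any real profile or build.
DEFAULTS = '''// vendor defaults
pref("browser.newtabpage.remote", false);
pref("browser.newtabpage.enabled", true);
'''
USER_JS = 'user_pref("browser.newtabpage.remote", true);\n'
LOCKED = 'lockPref("browser.newtabpage.remote", false);\n'

if __name__ == "__main__":
    print(audit_newtab_remote([("defaults.js", DEFAULTS)]))
    print(audit_newtab_remote([("defaults.js", DEFAULTS), ("user.js", USER_JS)]))
```
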