[tbb-bugs] #33939 [Applications/Tor Browser]: Decide which components of Fenix to rip out, disable, or use

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jun 11 02:32:22 UTC 2020


#33939: Decide which components of Fenix to rip out, disable, or use
----------------------------------------------+----------------------------
 Reporter:  gk                                |          Owner:  tbb-team
     Type:  task                              |         Status:  new
 Priority:  High                              |      Milestone:
Component:  Applications/Tor Browser          |        Version:
 Severity:  Normal                            |     Resolution:
 Keywords:  tbb-mobile, TorBrowserTeam202006  |  Actual Points:
Parent ID:  #33661                            |         Points:
 Reviewer:                                    |        Sponsor:
                                              |  Sponsor58-must
----------------------------------------------+----------------------------

Comment (by sysrqb):

 Replying to [comment:3 sysrqb]:
 > The follow list partitions the dependencies into "include", "exclude",
 "disable", and "must-audit" sets
 >
 > "Must Audit" includes dependencies that we could allow depending on
 their implementation
 >
 > "Disable" includes dependencies that we probably do not want and we
 should always use "Dummy" implementations
 >
 > "Disable" and "Exclude" may merge into a single set.
 >
 > === Include ===
 > {{{
 > > # GeckoView
 > > mozilla_browser_engine_gecko_nightly -> org.mozilla.components
 :browser-engine-gecko-nightly
 > > mozilla_browser_engine_gecko_beta -> org.mozilla.components:browser-
 engine-gecko-beta

 #34177

 > {{{
 > >
 > > # Kotlin std library
 > > kotlin_stdlib -> org.jetbrains.kotlin:kotlin-stdlib-jdk7
 > >
 > > # Import/enable coroutine functionality in Kotlin
 > > kotlin_coroutines -> org.jetbrains.kotlinx:kotlinx-coroutines-core
 > > kotlin_coroutines_android -> org.jetbrains.kotlinx:kotlinx-coroutines-
 android
 > >
 > > # AndroidX compatibility libraries
 > > androidx_appcompat -> androidx.appcompat:appcompat
 > > androidx_constraintlayout ->
 androidx.constraintlayout:constraintlayout
 > > androidx_coordinatorlayout ->
 androidx.coordinatorlayout:coordinatorlayout

 Presumed safe.

 > {{{
 > >
 > > # Dynamically (?) creates license list
 > > osslicenses_library -> com.google.android.gms:play-services-oss-
 licenses

 It seems like `play-services-oss-licenses` is closed source? :(

 The [https://github.com/google/play-services-plugins/tree/oss-licenses-
 plugin-v0.9.5/oss-licenses-
 plugin/src/main/groovy/com/google/android/gms/oss/licenses/plugin plugin]
 seems fine and is a gradle build-time thing. As I understand it, the
 plugin grabs all of the `<license>` elements from the dependencies and
 places them in some-format in `res/raw/third_party_license_metadata`.
 Then, `com.google.android.gms.oss.licenses.OssLicensesMenuActivity` takes
 that `third_party_license` file and renders it. Therefore, `play-services-
 oss-licenses` *should* be proxy-safe, but I'd feel better if we could
 audit the code.

 > {{{
 > >
 > > # High-level descriptions/contracts of a browser engine
 > > mozilla_concept_engine -> org.mozilla.components:concept-engine

 No references to `net`, `tcp`, `udp`, `write`, `read`, `send`, `recv`,
 `launch`, `startActivity`. `Uri` is only used for parsing a string.
 `write` used for serializing data (in memory). `connect` in
 `Engine::speculativeConnect()` interface.
 > {{{
 > >
 > > # High-level descriptions/contracts of a storage layer
 > > mozilla_concept_storage -> org.mozilla.components:concept-storage

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `Uri`,
 `send`, `recv`, `launch`, `startActivity`.

 > {{{
 > >
 > > # High-level descriptions/contracts of a browser toolbar
 > > mozilla_concept_toolbar -> org.mozilla.components:concept-toolbar

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `Uri`,
 `send`, `recv`, `launch`, `startActivity`.

 > {{{
 > >
 > > # High-level descriptions/contracts of a tabs tray component
 > > mozilla_concept_tabstray -> org.mozilla.components:concept-tabstray

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `Uri`,
 `send`, `recv`, `launch`, `startActivity`.

 > {{{
 > >
 > > # A customizable Awesome Bar implementation for browsers
 > > mozilla_browser_awesomebar -> org.mozilla.components:browser-
 awesomebar

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `Uri`,
 `send`, `recv`, `startActivity`. `launch` used for coroutines.

 > {{{
 > >
 > > # APIs for managing localized and customizable domain lists
 > > mozilla_browser_domains -> org.mozilla.components:browser-domains

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `Uri`,
 `send`, `recv`, `startActivity`. `launch` used for coroutines.

 > {{{
 > >
 > > # A customizable tabs tray for browsers implementation
 > > mozilla_browser_tabstray -> org.mozilla.components:browser-tabstray

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `Uri`,
 `send`, `recv`, `launch`, `startActivity`.

 > {{{
 > >
 > > # A generic menu implementation with customizable items
 > > mozilla_browser_menu -> org.mozilla.components:browser-menu

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `Uri`,
 `send`, `recv`, `startActivity`. `launch` used for coroutines.

 > {{{
 > >
 > > # Search plugins and companion code to load, parse and use them
 > > mozilla_browser_search -> org.mozilla.components:browser-search

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `send`,
 `recv`, `startActivity`. `launch` used for coroutines. `Uri` is used for
 local Search Engine files.

 > {{{
 > >
 > > # A generic representation of a browser Session and a SessionManager
 to link browser sessions to underlying Engine Sessions and SessionStorage
 > > mozilla_browser_session -> org.mozilla.components:browser-session

 No references to `net`, `connect`, `tcp`, `udp`, `send`, `recv`,
 `startActivity`. `write` and `read` used for reading/writing session
 history/state files. `load` for receiving load requests from the OS. `Uri`
 is only used for parsing a string. #34427

 > {{{
 > >
 > > # A customizable toolbar for browsers
 > > mozilla_browser_toolbar -> org.mozilla.components:browser-toolbar

 No references to `net`, `tcp`, `udp`, `write`, `read`, or `Uri`. `connect`
 is used for setting `ConstraintSet` for the UI. `launch` used for
 coroutines.

 > {{{
 > >
 > > # Contains building blocks for features implemented as web extensions
 > > mozilla_support_extensions -> org.mozilla.components:support-
 webextensions


 No references to `net`, `tcp`, `udp`, `write`, `read`, `Uri`, `recv`,
 `launch`, `startActivity`. `connect` used for
 [https://developer.mozilla.org/en-US/docs/Mozilla/Add-
 ons/WebExtensions/API/runtime/connectNative NativeMessaging]. `send` for
 sending messages from a webextension into Content.

 > {{{
 > >
 > > # Provides functionality for managing add-ons
 > > mozilla_feature_addons -> org.mozilla.components:feature-addons

 No references to `net`, `connect`, `tcp`, `udp`, `Uri`, `send`, `recv`,
 `startActivity`. `read`/`write` used for caching on disk a list of
 installed addons. The AddOn's feature periodically triggers an update
 check which is handled by Gecko. `launch` used for coroutines.

 > {{{
 > >
 > > # Ties together an FxaAccountManager with the tabs feature, to
 facilitate OAuth authentication flows managed by the account manager
 > > mozilla_feature_accounts -> org.mozilla.components:feature-accounts

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `send`,
 `recv`, `launch`, `startActivity`. `Uri` is only used for parsing a
 string. `launch` used for coroutines.

 > {{{
 > >
 > > # Connects a concept-awesomebar implementation to a concept-toolbar
 implementation and provides implementations of various suggestion
 providers
 > > mozilla_feature_awesomebar -> org.mozilla.components:feature-
 awesomebar

 No references to `net`, `tcp`, `udp`, `write`, `read`, `Uri`, `send`,
 `recv`, `launch`, `startActivity`. `ClipboardSuggestionProvider` triggers
 a `speculativeConnect` when a suggestion is created. Nifty.
 > {{{
 > >
 > > # Displaying context menus when *long-pressing* web content
 > > mozilla_feature_contextmenu -> org.mozilla.components:feature-
 contextmenu

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `Uri`,
 `recv`, `launch`. `startActivity` is called when "Share link" transfers
 control to the operating system with a request to show the user a
 "Chooser" menu. `send` comes with `sendSearch()` where a search query is
 initiatiated based on text selection (when the user requests the search).

 > {{{
 > >
 > > # Providing Custom Tabs functionality in browsers
 > > mozilla_feature_customtabs -> org.mozilla.components:feature-
 customtabs

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `recv`.
 `Uri` is used for parsing a string, and it is passed to Android OS for
 letting the OS (or user) to choose which app should open/handle that
 request. `launch` used for coroutines. `send` from `sendWithSession` for
 mutating a PendingIntent with a session's Uri.

 #34428

 DigitalAssetLinksHandler triggers [https://developers.google.com/digital-
 asset-links/reference/rest/v1/assetlinks/check background request].

 #34429
 #21657
 > {{{
 > >
 > > # Provides website media related features
 > > mozilla_feature_media -> org.mozilla.components:feature-media

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `Uri`,
 `send`, `recv`, `startActivity`. `launch` used for coroutines, and
 creating a PendingIntent for itself that is used when a notification is
 pressed. And MediaService?

 > {{{
 > >
 > > # Handles common prompt dialogs from web content like select, option
 and menu html elements
 > > mozilla_feature_prompts -> org.mozilla.components:feature-prompts

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `send`,
 `recv`. `startActivity` is an abstract function. Also, `startActivity` is
 called for launching a Camera app ("capture"). `Uri` is used for passing
 around file paths.
 #33661

 > {{{
 > >
 > > # Connects an (concept) engine implementation with the browser search
 module
 > > mozilla_feature_search -> org.mozilla.components:feature-search

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `recv`,
 `Uri`, `launch`, `startActivity`. `send` is seen:
 {{{
 /**
  * May be implemented by client code in order to allow a component to
 start searches.
  */
 interface SearchAdapter {

     /**
      * Called by the component to indicate that the user should be shown a
 search.
      */
     fun sendSearch(isPrivate: Boolean, text: String)
 }}}

 > {{{
 > >
 > > # Connects an (concept) engine implementation with the browser session
 module
 > > mozilla_feature_session -> org.mozilla.components:feature-session

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `send`, `read`,
 `recv`, `launch`, `startActivity`. `Uri` is used for saving history state.

 #34431

 > {{{
 > >
 > > # Connects a (concept) toolbar implementation with the browser session
 module
 > > mozilla_feature_toolbar -> org.mozilla.components:feature-toolbar

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `recv`,
 `Uri`, `startActivity`. `send` and `launch` used for coroutines.

 > {{{
 > >
 > > # Connects a trabs tray implementation with the session and toolbar
 modules
 > > mozilla_feature_tabs -> org.mozilla.components:feature-tabs

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `recv`,
 `Uri`, `send`, `launch`, `startActivity`

 > {{{
 > >
 > > # Provides Find in Page functionality
 > > mozilla_feature_findinpage -> org.mozilla.components:feature-
 findinpage

 No references to `net`, `connect`, `tcp`, `udp`, `write`, `read`, `recv`,
 `Uri`, `send`, `launch`, `startActivity`

 (I'll finish the remainder tomorrow, and begin auditing/eliminating
 dependencies from Must Audit)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33939#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list