[tbb-dev] MOZ_DISABLE_NONLOCAL_CONNECTIONS
Tom Ritter
tom at ritter.vg
Mon Mar 19 21:01:55 UTC 2018
I mentioned in IRC today that the Mac Sandbox in 60 at least (but
possibly also in 52!!) blocks network access.
I got added to https://bugzilla.mozilla.org/show_bug.cgi?id=1281296
today, which talks about Linux, and is promising!
And finally there's Windows, which is blocked by
https://bugzilla.mozilla.org/show_bug.cgi?id=1432303 at least
(possibly some others.)
-tom
On 15 March 2018 at 17:04, Nicolas Vigier <boklm at mars-attacks.org> wrote:
> On Thu, 15 Mar 2018, Tom Ritter wrote:
>
>> 45 seconds ago I just learned about the environment variable
>> MOZ_DISABLE_NONLOCAL_CONNECTIONS that we use in our testing
>> environment. It feeds through to one real location in the browser:
>> nsSocketTransport2
>> https://searchfox.org/mozilla-central/rev/8976abf9cab8eb4661665cc86bd355cd08238011/netwerk/base/nsSocketTransport2.cpp#1297
>>
>> This isn't a sandbox. If an attacker has code execution (parent or
>> content process) they can make network connections manually from
>> system libraries and will never touch this code. But it might be a way
>> to add (some) assurance about browser features accidentally bypassing
>> the proxy.
>>
>> So I'm wondering if this is something Tor Browser can set for defense
>> in depth. In fact, it's already in esr52:
>> https://dxr.mozilla.org/mozilla-esr52/search?q=AreNonLocalConnectionsDisabled
>> I tried to get Tor Browser to unset the proxy but couldn't seem to
>> get it to work; is there a patch that prevents this?
>
> Even if it doesn't add a lot of protection, it doesn't cost a lot to
> enable it, so it sounds like a good idea.
>
>
> _______________________________________________
> tbb-dev mailing list
> tbb-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev
>
More information about the tbb-dev
mailing list