[tor-bugs] #7248 [Firefox Patch Issues]: Review+Audit Firefox 16 and 17 for next FF ESR release
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Feb 7 01:16:09 UTC 2013
#7248: Review+Audit Firefox 16 and 17 for next FF ESR release
-----------------------------------------+----------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: task | Status: new
Priority: major | Milestone:
Component: Firefox Patch Issues | Version:
Keywords: tbb-rebase MikePerry201302d | Parent:
Points: | Actualpoints:
-----------------------------------------+----------------------------------
Comment(by mikeperry):
Here are the results of the audit so far:

During the network audit, I noticed that WebRTC snuck in, and seems to get
built. Not sure if it is exposed to content yet, but it has code to
initiate UDP sockets independent of the proxy settings. I filed #8178 to
disable it (it has a build flag, thankfully). Everything else seems solid
and more or less the same wrt networking.

CSS calc, currentColor, and scrollMax all seem benign. Calc supports
numbers (pixels and percents) only. The Idle API was disabled at the last
minute for normal content, but is still available to "WebApps" and
extensions.

As for the other WebApp APIs and WebApps in general, I am conflicted over
disabling them vs allowing them but recommending against them in the FAQ
(similar to what we do with extensions). If we decide to disable them, it
looks like that is also just a build flag (--disable-webapp-runtime).

The Social API appears to be disabled by default through the pref
'social.enabled'. It has a whitelist with Facebook in it
('social.activation.whitelist'), but a false value for the
'social.enabled' pref appears to override the whitelist.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7248#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online