[tor-bugs] #10280 [Applications/Tor Browser]: Torbrowser shouldn't load flash into the process space by default

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jun 26 01:21:14 UTC 2016


#10280: Torbrowser shouldn't load flash into the process space by default
-------------------------------------------------+-------------------------
 Reporter:  mikeperry                            |          Owner:
     Type:  enhancement                          |         Status:
 Priority:  Medium                               |  reopened
Component:  Applications/Tor Browser             |      Milestone:
 Severity:  Normal                               |        Version:
 Keywords:  tbb-testcase,                        |     Resolution:
  TorBrowserTeam201503R, tbb-firefox-patch,      |  Actual Points:
  tbb-4.5-alpha, MikePerry201503R                |         Points:
Parent ID:                                       |        Sponsor:
 Reviewer:                                       |
-------------------------------------------------+-------------------------
Changes (by arthuredelstein):

 * cc: arthuredelstein (added)
 * status:  closed => reopened
 * resolution:  fixed =>
 * severity:   => Normal


Comment:

 I was examining this patch to see if we need to upstream any of it. But
 now I wonder if this patch is no longer needed in Tor Browser.

 Flash and all other plugins (with a couple of exceptions) appear (in my
 manual experiments) to be correctly excluded from Firefox if the pref
 "plugin.disable" is true. (I admit the code in `dom/plugins/base/*` is
 complex enough that it is hard to be absolutely sure there is no path
 where a plugin might be loaded.) The plugins are not listed in the Plugins
 section of about:addons and are not loaded. The only exceptions I see
 seems to be "built-in" add-ons such as "OpenH264 Video Codec provided by
 Cisco Systems, Inc." and "Widevine Content Decryption Module provided by
 Google Inc." These plugins are excluded from Tor Browser by disabling GMP
 and EME respectively.

 I might be missing something here -- but is there any advantage in
 including this patch any more? Perhaps the safest thing would be simply to
 hide the "Plugins" section in about:addons altogether, rather than giving
 users the option to "Enable" them.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10280#comment:49>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list