Waterfox: Privacy Patch: Don't expose navigator.AddonManager to content (from tor browser)
While other Tor privacy patches and commits exist, this one is yet another that will prevent "privileged" sites from getting a list of our installed addons. This one doesn't seem to be slated for upstream use in Firefox mainline yet.
There are others like this one that would be beneficial since most are used with options, IE the one that allows setting the max number of fonts used per page.
https://gitweb.torproject.org/tor-browser.git/patch/?id=5493716
With https://bugzilla.mozilla.org/show_bug.cgi?id=1245571 support for
websites to learn about installed add-ons landed. Currently, this is
only enabled for AMO related sites but we don't think this functionality
is something we want for Tor Browser as it might aid in fingerprinting
users.The patch does not outright disable access to the API. Privileged code
is still able to use it if needed. This should help with usability
issues should they arise while mitigating possible fingerprinting and
security problems by having this API available to content.
ilikenwf
All 6 comments
Will look into this as well. Will probably remove it as we move away from the AMO.
MrAlex94
on 4 Sep 2017
Nice - so you're going to start hosting the "full" addons eventually?
Either way there are lots of tor browser commits we could probably fit into
Waterfox as many of them just harden privacy and security without breaking
any functionality.
On Mon, Sep 4, 2017 at 8:41 PM, Alex Kontos notifications@github.com
wrote:
Will look into this as well. Will probably remove it as we move away from
the AMO.—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/MrAlex94/Waterfox/issues/204#issuecomment-327025736,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAZUOpF4999YNovMCAqSlJfQLTklBreJks5sfGBmgaJpZM4PLHr6
.
ilikenwf
on 5 Sep 2017
@MrAlex94 in v68 we should default privacy.resistFingerprinting.block_mozAddonManager to true as they added a hidden pref for it.
This and many other things are already set in the ghacks user.js file - it would be nice to see some kind of integration of that project and the user-overrides method someday...
Until then a few of my tickets could probably be solved using settings from ghacks user.js
ilikenwf
on 8 Jun 2019
in v68 we should default privacy.resistFingerprinting.block_mozAddonManager to true as they added a hidden pref for it.
Just to point out, Waterfox 56 has this pref too - https://github.com/MrAlex94/Waterfox/pull/449
laniakea64
on 8 Jun 2019
I guess we can leave it open so we can default both.
ilikenwf
on 9 Jun 2019
in v68 we should default privacy.resistFingerprinting.block_mozAddonManager to true
Unfortunately it looks like making this default isn't viable. Apparently that broke AMO for some Mac OS users - https://github.com/MrAlex94/Waterfox/issues/1350
laniakea64
on 27 Jan 2020
Related issues
foreachthing
·
3Comments
RaitaroH
·
3Comments
514guy
·
3Comments
empimp
·
4Comments
zakius
·
4Comments
Most helpful comment
Just to point out, Waterfox 56 has this pref too - https://github.com/MrAlex94/Waterfox/pull/449