#29916: Group Policies for Firefox can bypass Tor Browser's proxy settings
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tbb-
| team
Type: defect | Status:
| needs_review
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-proxy-bypass, | Actual Points:
TorBrowserTeam201904R, tbb-8.5-must-alpha |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):
* status: needs_information => needs_review
* keywords: tbb-proxy-bypass, TorBrowserTeam201904, tbb-8.5-must-alpha =>
tbb-proxy-bypass, TorBrowserTeam201904R, tbb-8.5-must-alpha
Comment:
Replying to [comment:8 tom]:
> No, the pref should be enough. I was suggesting revert the other one to
carry one less customization.
>
> Policy support will be screwy though. As this issue illustrates, if you
enable policy support, you will pick up a policy for Firefox, if it's
present in certain locations, rather than a Tor Browser-specific policy.
If we wanted to support policies we probably should require them to be TB-
specific.
Fair enough. I've pushed `bug_29916`
(https://gitweb.torproject.org/user/gk/tor-browser.git/log/?h=bug_29916)
to make the changes you suggested and have them up for review. However, I
am still not convinced that this is the whole picture. In particular, I
feel those changes *do not* explain how the registry-based bypass is
working, given that the pref is only checked at one place and
`areEnterpriseOnlyPoliciesAllowed()` results in `false` for the stable
series, yet the bug report was made against 8.0.x.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29916#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
