gnuzilla-dev
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IceCat's devtools.debugger.remote-enabled = true & uMatrix

From: Mark H Weaver
Subject: Re: IceCat's devtools.debugger.remote-enabled = true & uMatrix
Date: Fri, 19 Jun 2020 17:28:51 -0400 
Hi Konstantin,

Konstantin Sudakov <costos@gmail.com> wrote:
> I was wondering what would be the rationale behind leaving
> "devtools.debugger.remote-enabled" set to TRUE in a heavily
> privacy-oriented browser.

I've not considered that option before now.  Can you explain your
understanding of what that option does, and why it's a problem for
privacy?

I see that it was mentioned in Tor ticket 16222 (Review networking code
for Firefox 38) about 5 years ago, but it looks to me like they were
concerned about it based solely on its name, without having looked into
what it actually does.

  https://trac.torproject.org/projects/tor/ticket/16222

More importantly, they appear to have ultimately left the option
unchanged.  Tor Browser 9.0 and 9.5, at least, do not change the default
value of that option as far as I can tell.  The changes to option
defaults for Tor Browser are normally in
browser/app/profile/000-tor-browser.js, and it's not in there:

  
https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-68.9.0esr-9.5-1-build2

More convincingly, the string "remote-enabled" does not appear anywhere
in the diffs between Tor Browser 9.0 and IceCat 68.3, which I computed
last December.

According to

  
https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/Debugging_JavaScript

, incoming connections to the debugger must be accepted by the user if
"devtools.debugger.prompt-connection" is set to true, which it is, by
default.

Do you have reason to believe that this option is problematic?

> Also, uMatrix extension is easier, more flexible, advanced and effective
> than TPRB. Could that also be packaged into IceCat?

Possibly.  It would need to be investigated by someone that we trust, to
make sure that it satisfies our requirements.

To begin with, I see that <https://directory.fsf.org/wiki/UMatrix>
quotes Raymond Hill as saying that "UMatrix must be considered
incompatible with NoScript".  That makes me wonder about its
compatibility with LibreJS.  How much testing have you done with both
LibreJS and UMatrix enabled?  Do they work well together in your
experience?

     Thanks,
       Mark
reply via email to
[Prev in Thread] Current Thread [Next in Thread]