[Feature Request] Environment Variable to set security slider level

Hi it would be really neat if the Tor Browser security level can be set via an environment variable so we can give Whonix users more protection by default. If this is already implemented please let me know.

added component::applications/tor browser in Legacy / Trac owner::tbb-team in Legacy / Trac priority::medium in Legacy / Trac resolution::wontfix in Legacy / Trac severity::normal in Legacy / Trac status::closed in Legacy / Trac type::enhancement in Legacy / Trac labels

Trac:
Owner: N/A to tbb-team
Component: Applications to Applications/Tor Browser

Why is it not enough to just set the desired slider level in a prefs file that you ship in the browser profile (anyway)?

Trac:
Status: new to needs_information

The very root issue still is the absence of a Debian package for Tor Browser. (legacy/trac#3994 (moved) and/or legacy/trac#5236 (moved))

If there was a stable drop-in (.d) folder as there is /etc/firefox-esr/ for Firefox in Debian that only changes between major release upgrades (jessie -> stretch), that would be a perfect solution.

Experience tells, that the folder structure of TBB changes over time. Therefore a file based solution easily breaks after an upgrade or installation of a newer version of TBB.

Therefore, everything that can be configured by environment variable works very easy, stable and long term for Whonix.

How are you shipping Tor Browser to your users right now? Do you include a user profile?

With default settings unchanged at the moment.

We are thinking about shipping a(n optionally used) custom profile in the future to disable the no.proxy setting for localhost daemon access but its likely a brittle solution as TBB changes over time?

What happens to the newly added prefs in TBB proper if we use an older profile doc missing these booleans? Are the TBB ones applied as long as they are not contradicted?

Replying to gk:

How are you shipping Tor Browser to your users right now? Do you include a user profile?

Download, verify, extract. No modifications besides environment variables. That's it in essence. More info: legacy/trac#19652 (moved)

I think using the prefs approach is the one you should pursue right now. Shipping an own profile with customizations won't go away in the forseeable future.

Trac:
Resolution: N/A to wontfix
Status: needs_information to closed

Replying to gk:

I think using the prefs approach is the one you should pursue right now.

This is the user.js

https://github.com/Whonix/tb-starter/blob/master/usr/share/torbrowser/security-slider-highest.js

which we ended up using.

Relevant settings:

user_pref("extensions.torbutton.inserted_security_level", true);
user_pref("extensions.torbutton.security_slider", 1);

It will be copied to $tb_browser_folder/Browser/TorBrowser/Data/Browser/profile.default/user.js for users who elect to enable this. Functional.

Does look alright?

Might be a trigger for legacy/trac#31798 (moved)?

closed

moved from legacy/trac#25391 (moved)

added Feature label and removed 1 deleted label

removed 1 deleted label