Reject Android "open in Tor Browser" intent
This came to my attention because of a HackerOne report.
The "open in Tor Browser" intent can be used in TBA to evade iframe sandbox restrictions, as illustrated by this PoC (a modified version of the reporter's).
The sandbox evasion does not work in-browser on Firefox (anymore?), likely as a side effect of changes that landed since 115.
The reporter mistakenly used firefox: instead of fenix: as the protocol, and therefore believes the bug affects exclusively Tor Browser; however, the sandbox evasion does work on Firefox as well when the intent is triggered cross-app (e.g. by clicking the fenix: PoC from Tor Browser).
Therefore, three (non-mutually-exclusive) options:
- We try to replicate Firefox's changes since ESR to fix the in-browser sandbox evasion in TBA, or wait for the next ESR for the same effect
- We open an upstream bug for the cross-app evasion, which affects both TBA and latest Firefox
- We completely reject the "open in Tor Browser" intent because, besides the sandbox evasion, it seems a blatant linkability issue to me.
Personally, I'd start with n. 3, possibly backporting to the next 115-based stable if any, so we've got a double fix for us and we can let Mozilla folks take their time on n. 2 (n. 1 would be moot for us at that point).