@@ -321,13 +321,9 @@ Proxy obedience is assured through the following:
...
@@ -321,13 +321,9 @@ Proxy obedience is assured through the following:
2.**Disabling plugins**
2.**Disabling plugins**
~Plugins, like Flash, have the ability to make arbitrary OS system calls and [bypass proxy settings](https://ip-check.info/). This includes the ability to make UDP sockets and send arbitrary data independent of the browser proxy settings.~
NPAPI plugins have been historically a major source of vulnerabilities and proxy bypasses, which the browser had specifically to deal with in the past.
~Torbutton disables plugins by using the `@mozilla.org/plugin/host;1` service to mark the plugin tags as disabled. This block can be undone through both the Torbutton Security UI, and the Firefox Plugin Preferences.~
Luckily enough, they have been deprecated since 2016 and [finally completely removed from Firefox in 2021](https://en.wikipedia.org/wiki/NPAPI#Firefox).
~If the user does enable plugins in this way, plugin-handled objects are still restricted from automatic load through Firefox's click-to-play preference `plugins.click_to_play`.~
~In addition, to reduce any unproxied activity by arbitrary plugins at load time, and to reduce the fingerprintability of the installed plugin list, we also patch the Firefox source code to prevent the load of any plugins except for Flash and Gnash. Even for Flash and Gnash, we also patch Firefox to prevent loading them into the address space until they are explicitly enabled.~
With [Gecko Media Plugins](https://wiki.mozilla.org/GeckoMediaPlugins) (GMPs) a second type of plugins is available. They are mainly third party codecs and [EME](https://www.w3.org/TR/encrypted-media/) content decryption modules. We currently disable these plugins as they either can't be built reproducibly or are binary blobs which we are not allowed to audit (or both). For the EME case we use the `--disable-eme` configure switch and set `browser.eme.ui.enabled`, `media.gmp-eme-adobe.visible`, `media.gmp-eme-adobe.enabled`, `media.gmp-widevinecdm.visible`, `media.gmp-widevinecdm.enabled`, `media.eme.enabled`, and `media.eme.apiVisible` to **false** to indicate to the user that this feature is disabled. For GMPs in general we make sure that the external server is not even pinged for updates/downloads in the first place by setting `media.gmp-manager.url.override` to `data:text/plain`, and avoid any UI with `media.gmp-provider.enabled` set to **false**. Moreover, we disable GMP downloads via local fallback by setting `media.gmp-manager.updateEnabled` to **false**. To reduce our attack surface we exclude the ClearKey EME system, too.
With [Gecko Media Plugins](https://wiki.mozilla.org/GeckoMediaPlugins) (GMPs) a second type of plugins is available. They are mainly third party codecs and [EME](https://www.w3.org/TR/encrypted-media/) content decryption modules. We currently disable these plugins as they either can't be built reproducibly or are binary blobs which we are not allowed to audit (or both). For the EME case we use the `--disable-eme` configure switch and set `browser.eme.ui.enabled`, `media.gmp-eme-adobe.visible`, `media.gmp-eme-adobe.enabled`, `media.gmp-widevinecdm.visible`, `media.gmp-widevinecdm.enabled`, `media.eme.enabled`, and `media.eme.apiVisible` to **false** to indicate to the user that this feature is disabled. For GMPs in general we make sure that the external server is not even pinged for updates/downloads in the first place by setting `media.gmp-manager.url.override` to `data:text/plain`, and avoid any UI with `media.gmp-provider.enabled` set to **false**. Moreover, we disable GMP downloads via local fallback by setting `media.gmp-manager.updateEnabled` to **false**. To reduce our attack surface we exclude the ClearKey EME system, too.
