Did you consider to place the filters file directly inside the Firefox profile? Dunno if that is possible.
It is possible but it doesn’t solve the issue - it is not possible to use
file:// URI scheme as an URL from which to refresh the filter lists. It must be
Good point. Did you verify there is no such issue on .2?
The socks proxy is only on .1, right? What issue is expected to exist on .2?
I linked to that in the OP (just using the .onion domain), i.e. I am aware of it and it works, but it is recommended against.
In the setup I am building:
- The handcrafted policy.json enforces Safest mode by default
- JS is disabled through user.js
- JS is disabled through uBO
- all 3rd party stuff (including 3rd party scripts) are disabled in uBO
The user is still free to re-enable each of those but one must do it explicitly and consciously, going through multiple steps (deliberately difficult). Even so, the setup allows granular control through uBO (e.g. to/not run 3rd party JS, fonts etc), additionally blocking known bad stuff (what the filter lists are for).
The configured exception means a small trade-off in privacy, but it is much safer than using another browser (see Local Connections Exception Threat Analysis).
Oh, that. Of course, I have read it too before opening the thread. As clarified in the OP, I am looking for a safe solution which would not introduce additional threat. I don’t mean another browser. I mean a safe solution within Tor Browser.
I don’t know how JS can “scan internal networks, fingerprint devices, and make malicious commands to those devices if they have a web interface”, as described in the linked bug report, on a Whonix-Qubes system. The Whonix gateway connects to sys-firewall and that’s all, right? What internal networks and devices are we actually considering?
In context of local connections, quote:
So if you can disable JS + allow local connections in Tor Browser according to latest understanding there is no issue.
As clarified above, JS will be off by default. However, the user should still be able to explicitly enable it selectively, which is a case that supposedly no longer belongs in the completely non-issue category, yet we should consider the actual environment: Whonix + Qubes.
I am thinking how exactly a malicious JS can exploit the described XY and what it can do.
It will need to bypass uBO’s protection (blocking all 3rd party requests by default)
It will need to bypass sys-whonix and sys-firewall to scan local network.
IMO, we can simply wish “good luck” to such script.
Perhaps it makes sense to consider a scenario of a website JS considering the actual system - Tor Browser in a diposable.
It may need a combination of browser bugs allowing the malicious script to bypass the protection of uBO, e.g. through a buggy browser API in combination with buggy built-in browser security. If that is possible, what exactly can such JS do? Read the filter files/names, then leak info about them to entity X, thus fingerprinting the user?
If that is the supposed anti-privacy attack, it must consider and target factors like:
- the exact browser and extension setup
- the exact time frame of the potential combination of bugs
- the fact that this is all running in a disposable where the filter lists may be different in a day (or even after an hour), i.e. non-persistent data
That seems to rather fall in the category theoretical and very unlikely, kind of AI-over-JS level. What do you think?