tor-browser

The Tor Browser

commit cf526eb79d672f212175374af8b333e392aae916
parent 98096eaa898b375780a86d661749b988e1e6533d
Author: Beatriz Rizental <bea@torproject.org>
Date:   Tue, 16 Sep 2025 18:28:05 +0200

TB 43107: Disable remoting by default

Unless the `--allow-remote` flag is provided when starting the
application.

Also removes the support for the `--new-instance` flag which does a
similar job of disabling remoting, but only disables it for the current
instance.

Diffstat:
Mtoolkit/xre/nsAppRunner.cpp | 34+++++++++++++++++++---------------
1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/toolkit/xre/nsAppRunner.cpp b/toolkit/xre/nsAppRunner.cpp
@@ -313,6 +313,8 @@ static nsIProfileLock* gProfileLock;
 #if defined(MOZ_HAS_REMOTE)
 constinit static RefPtr<nsRemoteService> gRemoteService;
 constinit static RefPtr<nsStartupLock> gStartupLock;
+// tor-browser#43107: Disable remoting by default.
+bool gDisableRemoting = true;
 #endif
 int gRestartArgc;
@@ -2093,7 +2095,7 @@ nsresult ScopedXPCOMStartup::SetWindowCreator(nsINativeAppSupport* native) {
 /* static */ already_AddRefed<nsIRemoteService> GetRemoteService() {
 AssertIsOnMainThread();
- if (!gRemoteService) {
+ if (!gRemoteService && !gDisableRemoting) {
 gRemoteService = new nsRemoteService();
 }
 nsCOMPtr<nsIRemoteService> remoteService = gRemoteService.get();
@@ -2153,8 +2155,7 @@ static void DumpHelp() {
 " --origin-to-force-quic-on <origin>\n"
 " Force to use QUIC for the specified origin.\n"
 #ifdef MOZ_HAS_REMOTE
- " --new-instance Open new instance, not a new window in running "
- "instance.\n"
+ " --allow-remote Accept and send remote commands.\n"
 #endif
 " --safe-mode Disables extensions and themes for this session.\n"
 #ifdef MOZ_BLOCK_PROFILE_DOWNGRADE
@@ -3857,9 +3858,6 @@ class XREMain {
 bool mStartOffline = false;
 nsAutoCString mOriginToForceQUIC;
-#if defined(MOZ_HAS_REMOTE)
- bool mDisableRemoteClient = false;
-#endif
 };
 #if defined(XP_UNIX) && !defined(ANDROID)
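Review bot: `gDisableRemoting` is declared without `static` in the hunk at line 313, right next to two `constinit static` file-local globals, so it gets external linkage and any translation unit that declares it can flip it. If nothing outside nsAppRunner.cpp needs the variable, `static bool gDisableRemoting = true;` keeps the switch that gates the remote-command surface private to this file. If another file does need it (not visible here), exporting a read-only accessor rather than the writable global would be the safer choice.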
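Review bot: With the added `!gDisableRemoting` condition in `GetRemoteService()` (hunk at line 2093), `gRemoteService` can now stay null, so the function can hand back a null pointer where the old code always created a service first. The callers are outside this hunk, so whether each of them null-checks the result cannot be confirmed from here and is worth auditing. I would document the new contract above the function, e.g. `// Returns nullptr when remoting is disabled (tor-browser#43107); callers must null-check.` The function body continues past the end of the hunk.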
@@ -4482,15 +4480,19 @@ int XREMain::XRE_mainInit(bool* aExitFlag) {
 CheckArg("no-remote");
 #if defined(MOZ_HAS_REMOTE)
- // Handle the --new-instance command line arguments.
- ar = CheckArg("new-instance");
- if (ar == ARG_FOUND || EnvHasValue("MOZ_NEW_INSTANCE")) {
- mDisableRemoteClient = true;
+ // tor-browser#43107: Drop the new-instance argument and environment
+ // variables. They are confusing, because they kinda disable remoting when
+ // it's already disabled in tor-browser.
+ //
+ // The user can still enable remoting if they want to, by adding the
+ // allow-remote parameter to the command line.
+ if (CheckArg("allow-remote") == ARG_FOUND) {
+ gDisableRemoting = false;
 }
 #else
 // These arguments do nothing in platforms with no remoting support but we
 // should remove them from the command line anyway.
- CheckArg("new-instance");
+ CheckArg("allow-remote");
 #endif
 #ifndef XP_WIN
@@ -4880,7 +4882,7 @@ int XREMain::XRE_mainStartup(bool* aExitFlag) {
 #ifdef MOZ_HAS_REMOTE
 if (gfxPlatform::IsHeadless()) {
- mDisableRemoteClient = true;
+ gDisableRemoting = true;
 }
 #endif
@@ -5002,8 +5004,10 @@ int XREMain::XRE_mainStartup(bool* aExitFlag) {
 }
 #endif
 #if defined(MOZ_HAS_REMOTE)
- // handle --remote now that xpcom is fired up
- gRemoteService = new nsRemoteService();
+ if (!gDisableRemoting) {
+ // handle --remote now that xpcom is fired up
+ gRemoteService = new nsRemoteService();
+ }
 if (gRemoteService) {
 gRemoteService->SetProgram(gAppData->remotingName);
 gStartupLock = gRemoteService->LockStartup();
@@ -5088,7 +5092,7 @@ int XREMain::XRE_mainStartup(bool* aExitFlag) {
 if (NS_SUCCEEDED(rv)) {
 gRemoteService->SetProfile(profilePath);
- if (!mDisableRemoteClient) {
+ if (!gDisableRemoting) {
 // Try to remote the entire command line. If this fails, start up
 // normally.
 # ifdef MOZ_WIDGET_GTK
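Review bot: In the `XRE_mainInit` hunk (line 4482) `--new-instance` is no longer passed to `CheckArg` on either side of the `#if`, so a launcher or script that still supplies it leaves the flag in the command line instead of having it stripped; `MOZ_NEW_INSTANCE` is likewise no longer read. How a leftover flag is treated further down is not visible here, but if the intent is to ignore it silently, keeping `CheckArg("new-instance");` beside the retained `CheckArg("no-remote");` would consume it without changing the new default. The `#else` comment still says "These arguments" although only `allow-remote` is handled there now. The function starts and ends outside the hunk.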
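Review bot: `gDisableRemoting` replaces `mDisableRemoteClient` in the headless branch (hunk at line 4880) and in the client check (hunk at line 5088), but it carries a wider meaning than the member it replaces. The old flag only skipped sending the command line to a running instance, while the new global also prevents `nsRemoteService` from being created at all (hunk at line 5002). A headless instance therefore no longer starts the service even when `--allow-remote` is passed; if that is intended, a comment on the assignment such as `// Headless never remotes, even with --allow-remote.` would make it explicit. The `if (!gDisableRemoting)` at line 5088 also looks redundant if its enclosing block is only entered with a non-null `gRemoteService`, which cannot be confirmed because that block opens outside the hunk.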