Guardian Project references proprietary Google WebAuthn lib in Firefox?

A common note at the end of F-Droid repos states any non-free components.
The Guardian Project’s F-Droid repo states the TBB has one such issue.

“About the Anti-Features In order to support WebAuthn, Firefox includes a proprietary Google library. Tor Browser inherited this change.”
I was not able to find any reference to this on Mozilla’s site, bug reports, etc.
I was also not able to find any reference to this on the Tor Project’s gitlab issues.
I saw that TBB disabled webauthn for a while, but now has it enabled.
Is Mozilla/Firefox including a proprietary blob library?
Or is the inclusion more benign, in the form of an iffy but still open-source-licensed library?

3 Likes

Here it is:

Commit for disabling webauthn feature in tor-browser-60.1.0esr-8.0-1 is here:

I see the same line in tor-browser-91.12.0esr-12.0-1:

In what version do you see it enabled?

1 Like

All of these are for non-Android Tor Browser. On the GitLab, applications/fenix and android-components are for Android.

I can’t find anything when searching for “webauth” in issues or MR in fenix and android-components.

1 Like

Here is the issue from fenix

, which was later moved to

and closed with the comment “I’m considering this as covered by #26614”

I thought it meant that the fenix problem was solved with the commits from 26614.
Looks like I was wrong.
But then comes the question of why the issue was moved and closed, but not fixed.

Perhaps I’m misunderstanding, but this library is included at compile time, right?
Is that not a bigger deal than is being made of it, by merely disabling?
Would disabling merely disable, or prevent compile-time inclusion?
My understanding is that this is the only binary blob in Firefox itself?
I thought Firefox was shipping a fully open source web browser…
I’m surprised there has not been more protest and bad press on this point.

1 Like

OK, so I guess this Google library is just included in Android Firefox and Tor Browser, but not desktop?
I guess Mozilla implemented it themselves for desktop versions?
F-Droid is also discussing the issue:

2 Likes

I think it would be better to remove or at least disable it; people question its conclusion of izzysoft.de also. Is there any possibility of that, @championquizzer @PieroV?

Hello, thanks for reaching out.

I can find this in browser/app/profile/001-base-profile.js:

pref("security.webauth.webauthn", false); // Bug 26614: Disable Web Authentication API for now

And this in mobile/android/app/000-tor-browser-android.js:

// Disable WebAuthn. It requires Google Play Services, so it isn't
// available, but avoid any potential problems.
pref("security.webauth.webauthn_enable_android_fido2", false);

So, it is disabled at the moment, unless there are other preferences I am missing.

However, I agree that having Tor Browser unencumbered by proprietary dependencies would be better.
I will talk about it in this afternoon’s public meeting, to see if we can assign a priority, and reopen the linked issues, if needed.

5 Likes

Thank you for clarifying, it is much appreciated.

Just cross-linking this directly related discussion, for everyone’s reference:

1 Like

Would it be considered as still safe to use at this point, since PieroV believes it’s all disabled anyway? @PieroV

I think so.

We are planning on removing proprietary dependencies anyway, but we’re not taking it as a high-priority task at the moment.

2 Likes