Block all permissions by default

[ruihildt]

in Account:Preferences--> Privacy & Security --> Permissions ... I've always checked all the boxes in there to BLOCK, PREVENT, anything from occuring, e.g. my location, my camera, microphone, etc. ... only opening them when necessary - then rechecking them again immediately afterward.

Shouldn't Mullvad's new browser CHECK those permissions boxes as its default ??

[Thorin-Oakenpants]

my location, my camera, microphone, etc

let's look at these

• location: the API is already disabled as defense in depth - even if it was enabled, it is gated behind user prompts
• camera/mic - these are already spoofed with RFP and access to them is gated behind user actions such as using and accepting prompts etc for webRTC/video
• notifications - AFAIK these require service workers which are not used in PB mode
• autoplay - this is an area that TB/RFP will address in terms of fingerprinting - see https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41692
• VR - not even used, default off in all gecko

With the exception of autoplay, all these settings are a fingerprint. Autoplay becomes a lot easier to FP in FF112+ via the Autoplay API (no need to actually try and run any video). Aside from autoplay in the next ESR, none of these have any security or privacy concerns with the current setup. But they should all be locked down as part of a larger tightening of UI prefs for fingerprinting - see https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40656