fixup! Bug 31286: Implementation of bridge, proxy, and firewall settings in about:preferences#connection

Bug 41809: restore onion glyph in locations outside location bar

Bug 41809: restore onion glyph in locations outside location bar

Bug 41809: restore onion glyph in locations outside location bar

fixup! Bug 31286: Implementation of bridge, proxy, and firewall settings in about:preferences#connection

Bug 41810 - Add "Connect" button instead of the "Submit" and "OK" button in the bridge request dialog and the manual bridge dialog, respectively.

Bug 41726 - Animate the connection icon.

Bug 41618 - Remove connect bar, and swap internet and connection icons
in tor connection preferences.

fixup! Bug 31286: Implementation of bridge, proxy, and firewall settings in about:preferences#connection

Bug 41618 - Remove connect bar, and swap internet and connection icons
in tor connection preferences.

Bug 41816: Workaround to fix the top navigation

Using the top navigation does not always work as expected, because we
pass a null connection state, instead of the actual state.
We could start storing the state as a member, however further refactors
are planned (see tor-browser#41710), so also directly asking the parent
for the current state works as a quick&dirty workaround.

Bug 41815: Wrong connect icons

Swapped a couple of icons in about:torconnect, and split the offline CSS
class from the connection assist/final error, since they now need a
different icon.
Also, removed the stroke property, since the new icons do not need it.

Bug 41734 - Add a connected label to the built-in bridge dialog.

fixup! Bug 31286: Implementation of bridge, proxy, and firewall settings in about:preferences#connection

Bug 41734 - Add a connected label to the built-in bridge dialog.

Bug 41623: Update connection assist's iconography

fixup! Bug 31286: Implementation of bridge, proxy, and firewall settings in about:preferences#connection

Bug 41623: Update connection assist's iconography

Bug 41623: Update connection assist's iconography

Dan Ballard authored 1 year ago and ma1 committed 1 year ago

Bug 40701: Add security warning when downloading a file

Shown in the downloads panel, about:downloads and places.xhtml.

fixup! Bug 1832832 - protect encoder accesses in Java callbacks. r=media-playback-reviewers,alwu a=pascalc

- MOZ_GUARDED_BY is just GUARDED_BY in esr 102

Differential Revision: https://phabricator.services.mozilla.com/D178564

fixup! Bug 31286: Implementation of bridge, proxy, and firewall settings in about:preferences#connection

Bug 41802: Improve the regex on parseBridgeLine

The previous version of the regex took for granted the bridge
fingerprint was always available, but it is actually optional.
So, parsing some bridge lines (e.g., Conjure) failed, and vanilla
bridge was displayed instead of the actual transport.

Bug 41792: Allow dragging downloads from about:downloads and the download panel

Bug 40552: New texts for the add a bridge manually modal

fixup! Bug 31286: Implementation of bridge, proxy, and firewall settings in about:preferences#connection

Bug 40552: Improve the description of the modal to provide a bridge
manually.

Bug 41801: Fix handleProcessReady in TorSettings.init

For now this function only deletes old language packs for which we are
already packaging the strings with the application.

This patch associates the about:manual page to a translated page that
must be injected to browser/omni.ja after the build.
The content must be placed in chrome/browser/content/browser/manual/, so
that is then available at chrome://browser/content/manual/.
We preferred giving absolute freedom to the web team, rather than having
to change the patch in case of changes on the documentation.

We have enabled HTTPS-Only mode, therefore we do not need
HTTPS-Everywhere anymore.
However, we want to keep supporting .tor.onion aliases (especially for
securedrop).
Therefore, in this patch we implemented the parsing of HTTPS-Everywhere
rulesets, and the redirect of .tor.onion domains.
Actually, Tor Browser believes they are actual domains. We change them
on the fly on the SOCKS proxy requests to resolve the domain, and on
the code that verifies HTTPS certificates.

henry authored 1 year ago and Pier Angelo Vendrame committed 1 year ago

Bug 41608 - Use the same styling for ".onion available" urlbar button as
the tor-connect-urlbar-button. This also stops the button from
overflowing its container like before. Also move to after the bookmark
button.

Alex Catarineu authored 5 years ago and Pier Angelo Vendrame committed 1 year ago

Whenever a valid Onion-Location HTTP header (or corresponding HTML
<meta> http-equiv attribute) is found in a document load, we either
redirect to it (if the user opted-in via preference) or notify the
presence of an onionsite alternative with a badge in the urlbar.

Kathleen Brade authored 5 years ago and Pier Angelo Vendrame committed 1 year ago

When Tor informs the browser that client authentication is needed,
temporarily load about:blank instead of about:neterror and prompt
for the user's key.

If a correctly formatted key is entered, use Tor's ONION_CLIENT_AUTH_ADD
control port command to add the key (via Torbutton's control port
module) and reload the page.

If the user cancels the prompt, display the standard about:neterror
"Unable to connect" page. This requires a small change to
browser/actors/NetErrorChild.jsm to account for the fact that the
docShell no longer has the failedChannel information. The failedChannel
is used to extract TLS-related error info, which is not applicable
in the case of a canceled .onion authentication prompt.

Add a leaveOpen option to PopupNotifications.show so we can display
error messages within the popup notification doorhanger without
closing the prompt.

Add support for onion services strings to the TorStrings module.

Add support for Tor extended SOCKS errors (Tor proposal 304) to the
socket transport and SOCKS layers. Improved display of all of these
errors will be implemented as part of bug 30025.

Also fixes bug 19757:
 Add a "Remember this key" checkbox to the client auth prompt.

 Add an "Onion Services Authentication" section within the
 about:preferences "Privacy & Security section" to allow
 viewing and removal of v3 onion client auth keys that have
 been stored on disk.

Also fixes bug 19251: use enhanced error pages for onion service errors.

cypherpunks1 authored 1 year ago and Pier Angelo Vendrame committed 1 year ago

Bug 41785: Show http onion resources as secure in network monitor

cypherpunks1 authored 1 year ago and Pier Angelo Vendrame committed 1 year ago

Bug 33298: Warn when submitting form data from http onion sites over an insecure connection

Richard Pospesel authored 6 years ago and Pier Angelo Vendrame committed 1 year ago

Encrypting pages hosted on Onion Services with SSL/TLS is redundant
(in terms of hiding content) as all traffic within the Tor network is
already fully encrypted.  Therefore, serving HTTP pages from an Onion
Service is more or less fine.

Prior to this patch, Tor Browser would mostly treat pages delivered
via Onion Services as well as pages delivered in the ordinary fashion
over the internet in the same way.  This created some inconsistencies
in behaviour and misinformation presented to the user relating to the
security of pages delivered via Onion Services:

 - HTTP Onion Service pages did not have any 'lock' icon indicating
   the site was secure
 - HTTP Onion Service pages would be marked as unencrypted in the Page
   Info screen
 - Mixed-mode content restrictions did not apply to HTTP Onion Service
   pages embedding Non-Onion HTTP content

This patch fixes the above issues, and also adds several new 'Onion'
icons to the mix to indicate all of the various permutations of Onion
Services hosted HTTP or HTTPS pages with HTTP or HTTPS content.

Strings for Onion Service Page Info page are pulled from Torbutton's
localization strings.

Alex Catarineu authored 4 years ago and Pier Angelo Vendrame committed 1 year ago

In https://bugzilla.mozilla.org/show_bug.cgi?id=1563246 Firefox implemented
fetching the Public Suffix List via RemoteSettings and replacing the default
one at runtime, which we do not want.

Mike Perry authored 7 years ago and Pier Angelo Vendrame committed 1 year ago

eBay and Amazon don't treat Tor users very well. Accounts often get locked and
payments reversed.

Also:
Bug 16322: Update DuckDuckGo search engine

We are replacing the clearnet URL with an onion service one (thanks to a
patch by a cypherpunk) and are removing the duplicated DDG search
engine. Duplicating DDG happend due to bug 1061736 where Mozilla
included DDG itself into Firefox. Interestingly, this caused breaking
the DDG search if JavaScript is disabled as the Mozilla engine, which
gets loaded earlier, does not use the html version of the search page.
Moreover, the Mozilla engine tracked where the users were searching from
by adding a respective parameter to the search query. We got rid of that
feature as well.

Also:
This fixes bug 20809: the DuckDuckGo team has changed its server-side
code in a way that lets users with JavaScript enabled use the default
landing page while those without JavaScript available get redirected
directly to the non-JS page. We adapt the search engine URLs
accordingly.

Also fixes bug 29798 by making sure we only specify the Google search
engine we actually ship an .xml file for.

Also regression tests.

squash! Omnibox: Add DDG, Startpage, Disconnect, Youtube, Twitter; remove Amazon, eBay, bing

Bug 40494: Update Startpage search provider

squash! Omnibox: Add DDG, Startpage, Disconnect, Youtube, Twitter; remove Amazon, eBay, bing

Bug 40438: Add Blockchair as a search engine

Bug 33342: Avoid disconnect search addon error after removal.

We removed the addon in #32767, but it was still being loaded
from addonStartup.json.lz4 and throwing an error on startup
because its resource: location is not available anymore.

Georg Koppen authored 5 years ago and Pier Angelo Vendrame committed 1 year ago

It's time for our rotation again: Move the backup key in the front
position and add a new backup key.

Bug 33803: Move our primary nightly MAR signing key to tor-browser

Bug 33803: Add a secondary nightly MAR signing key

Kathleen Brade authored 9 years ago and Pier Angelo Vendrame committed 1 year ago

Add an about:tbupdate page that displays the first section from
TorBrowser/Docs/ChangeLog.txt and includes a link to the remote
post-update page (typically our blog entry for the release).

Always load about:tbupdate in a content process, but implement the
code that reads the file system (changelog) in the chrome process
for compatibility with future sandboxing efforts.

Also fix bug 29440. Now about:tbupdate is styled as a fairly simple
changelog page that is designed to be displayed via a link that is on
about:tor.

Kathleen Brade authored 8 years ago and Pier Angelo Vendrame committed 1 year ago

This is a partial revert of commit f1241db6.

Revert most changes from Mozilla Bug 862173 "don't verify mar file hash
when using mar signing to verify the mar file (lessens main thread I/O)."

We kept the addition to the AppConstants API in case other JS code
references it in the future.