The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2023-09-01T00:28:52Z

"Fingerprint.js PRO" successfully fingerprints Tor Browser
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/32861
2023-09-01T00:28:52Z
Trac

Not affiliated with the site. Demo: https://fingerprintjs.com/demo.
When using Tor Browser 68.3.0esr on macOS Catalina, this site is capable of successfully fingerprinting me across multiple visits with a different identity each time.
Steps to reproduce:
1. Visit https://fingerprintjs.com/demo in the Tor Browser.
2. Click the "New Identity" button.
3. Wait a little bit to avoid timing correlation.
4. Revisit the website.
Screenshot of the fingerprinting: https://i.ibb.co/SvWsP4K/image.png.
A potential solution is taking some features from the "Trace" Firefox add-on (not affiliated): https://addons.mozilla.org/en-US/firefox/addon/absolutedouble-trace/. It prevented Fingerprint.js from successfully fingerprinting anything. Every time I created a "New Identity" in the Tor Browser and visited the website, it gave me a new identifier, with no record of my past visits.
When using the Firefox add-on "Canvas Blocker", Fingerprint.js was still capable of identifying me across identities.
Here are the Trace features I have enabled: https://i.ibb.co/BPCbWCk/image.png.
Here are the advanced Trace features I have enabled: https://i.ibb.co/8bmNYxL/image.png.
**Trac**:
**Username**: printerman22

Create Style Guides
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/32544
2023-01-05T15:49:18Z
Matthew Finkel

Following legacy/trac#26184, we should document our coding style preferences. We should consider documenting all Tor Browser-related projects.

Sponsor 131 - Phase 5 - Ongoing Maintenance

Moving Tor Browser onto SD Card breaks app on Android
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31814
2022-07-20T14:56:05Z
Matthew Finkel

We received a report that the app breaks when it is moved onto an external SD Card (or additional storage partition).
```
- Einstellungen im Tor-Dienst werden aktualisiert
- updating torrc custom configuration...
- success.
- checking binary version: 0.3.5.8-rc-openssl1.0.2p
- Orbot startet ...
- Unable to start Tor: java.io.IOException: Cannot run program
"/mnt/sdcard/org.torproject.torbrowser-1/lib/arm64/libTor.so" (in
directory
"/data/user/0/org.torproject.torbrowser/app_torservice"):
error=13, Permission denied
```
It seems like tor-android-service is expecting a relative path for `libTor.so` within the app's local storage, but it is receiving an absolute path somewhere else.
Moving Fennec onto an sdcard works, so we can see how geckoview loads libxul.

Mobile: Favicon is not used when making a shortcut on Home screen
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30668
2022-07-20T14:52:54Z
Trac

- Tor Browser and Tor Browser (Alpha):
- Press the three dotted button in the top right,
- Select "Page >",
- Select "Add to home screen".
- A button on the home screen appears, but is missing the favicon.
Would the proper behaviour be to download the largest favicon possible and then resize it down on the client-side to avoid requesting an icon size that might identify the client OS?
NOTE: Old Orfox appears to function correctly, in that the icon is used and it appears brilliant and sharp (ie. high-resolution).
**Trac**:
**Username**: torlove

logins.json data is added unencrypted, maybe that's why people have problems with saved login data
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30209
2023-01-05T16:36:11Z
Trac

1)
install TB
disable always private surfing
enable saving login data
open a page with login form, logon and accept saving login data
data is being added to logins.json in unencrypted form
so far all seems right, but you will not be able to USE the saved logins
2)
go options again, set master pass, apply
add another login (go logon somewhere and save)
data is STILL being added to logins.json in UNENCRYPTED form (and unencrypted is not being encrypted)
STILL not able to use the saved data
3)
copy over old logins.json and key4.db
voila, you can use it...
again try to add a new login to the old data -> same as 1) and 2) applies
implies the mechanism is broken
i can not find a fix
**Trac**:
**Username**: sashaman

NoScript icon is still visible in context menu after the fix for #25658 landed
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/29886
2023-11-27T12:07:07Z
Georg Koppen

A user on the blog noticed that we removed the NoScript toolbar icon but the one in the context menu is still visible. (see: https://blog.torproject.org/comment/280411#comment-280411). Moreover, clicking on it results in an error:
```
TypeError: this.getPlacementOfWidget(...) is null[Learn More] CustomizableUI.jsm:1638:18
```

Sponsor 131 - Phase 2 - Privacy Browser

Enable Brotli compression for .onion domains
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/29705
2022-12-06T15:27:53Z
Trac

Tor Browser treats .onion as secure domains. Brotli compression is only enabled in Firefox on secure domains, but not for .onion domains.
Internally, Firefox controls these from the following settings:
network.http.accept-encoding
network.http.accept-encoding.secure
.onion is treated as the first instance (insecure) and only enable gzip and deflate. It should be handled as the second category and thus also enable Brotli compression.
Brotli compression will be beneficial to .onion service performance and reducing the data usage of Tor Browser.
PS: The requirement for Brotli to only be used on secure connections was a political decision by Google who wanted to use their new efficient compression method as a carrot to encourage HTTPS adoption.
**Trac**:
**Username**: expyuzz4wqqyqhjn

TorBrowser creates empty directory in "/tmp"
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/29630
2022-11-29T15:16:51Z
Trac

I'm using the latest TBB on Linux.
After I start TorBrowser, the directory is created in temporary directory (in my case /tmp)
drwx------ 2 user user 4096 Mar 1 12:34 Temp-41d8a42b-5545-4af5-89c2-be2502af95c7
The directory is empty. After I close the TBB, this directory disappears. Not sure if it's OK behavior or not.
**Trac**:
**Username**: AxelF

Check for `file` command in Tor Browser start script before using it
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/28892
2022-07-13T23:34:14Z
Georg Koppen

In `start-tor-browser` we do
```
SYSARCHITECTURE=$(getconf LONG_BIT)
TORARCHITECTURE=$(expr "$(file TorBrowser/Tor/tor)" : '.*ELF \([[:digit:]]*\)')
if [ $SYSARCHITECTURE -ne $TORARCHITECTURE ]; then
  complain "Wrong architecture? 32-bit vs. 64-bit."
  exit 1
fi
```
to bail out early in case users have downloaded a bundle for the wrong architecture. Now, it turns out that there are Linux distros out there (NixOS seems to be one of those) that don't find `file` that way. A fix for that would be to check for the existence of `file` and if we can't find it to note that we assume the user knows what they are doing and proceed anyway.

about:support help link directs to Firefox's support rather than Tor Browser's
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/28201
2023-01-05T16:35:22Z
traumschule

tested in 11.5a13 still going to the Firefox domain (but the in-page branding is correct now)

Add README to Tor Browser
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/27674
2022-07-13T23:08:53Z
traumschule

I am struck that there is none.
```
tor-browser8.5a1$ find |grep -i readme
./Browser/TorBrowser/Docs/Obfsproxy/README
./Browser/TorBrowser/Docs/fteproxy/README.md
./Browser/TorBrowser/Docs/meek/README
./Browser/TorBrowser/Docs/libfte/README.md
./Browser/TorBrowser/Docs/snowflake/README.md
```

Onboarding: dialog closure is effectively treated as "read", causing screen advancement
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/27483
2023-01-05T17:28:35Z
dmr

For the first few screens in Onboarding:
Clicking anything outside the box in Onboarding closes the box //AND appears to mark the current screen as "read"//, thus changing the Onboarding experience to pop up the next screen when someone opens it again. //This could be bad if the user doesn't actually read the screen before that, and doesn't recognize the Onboarding flow and go back to that screen.//
This seems to stop at "Circuit Display", probably because the "(not really) Next" button there does something other than advance the Onboarding screen.
Or maybe, alternatively, the first few screens are just auto-marked as "read". If that's the case, consider changing that to happen on button click / navigation.
(Encountered in TB 8.0)

`about:buildconfig` is missing configure options
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26911
2022-06-23T22:20:02Z
Georg Koppen

For some reason we are missing some configure options in `about:buildconfig` when building Tor Browser. On Windows e.g. --disable-stylo and --disable-jemalloc. This got reported on the blog (https://blog.torproject.org/comment/276031#comment-276031)

subpixels: scroll properties leak entropy
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26607
2023-11-04T00:26:47Z
Mark Smith

As of Firefox 55, the `window.pageYOffset`, `pageXOffset`, `scrollX`, and `scrollY` properties now return data with subpixel accuracy. We think this means "half pixels on a macOS Retina or other high resolution display." We should determine if this adds any fingerprinting risks (and whether the values returned are already rounded when `privacy.resistFingerprinting` is set to `true`). See:
https://bugzilla.mozilla.org/show_bug.cgi?id=1151421

Regression in keyboard fingerprinting
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26557
2022-11-30T16:51:48Z
Trac

I just compared fingerprinting protection between 8.0a8 and 8.0a9. There appears to be a regression when it comes to key combination with AltGraph.
My system:
OS: Whonix 14 (Debian stretch) on Qubes OS 4.0
Keyboard layout: Neo (https://neo-layout.org/index_en.html)
For testing I used https://arthuredelstein.github.io/tordemos/keyboard.html.
There are several keys that have regressed:
== Numbers
When typing the number 0 using the key pad on layer 4 ('<' + space) I observe these differences:
8.0a8: code: Digit0, modifierState: empty
8.0a9: code: Space, modifierState: AltGraph
Similarly, other numbers, when typing using the number pad on layer 4, show the actual key that was pressed (KeyM, KeyJ, KeyU, …) instead of DigitX.
== Navigation Keys
Arrow up:
8.0a8: code: ArrowUp, modifierState: empty
8.0a9: code: ArrowUp, modifierState: AltGraph
The modifier leaks with many of the keys on layer 4. Including, all arrow keys, escape, home, end, delete, back and comma. Interestingly, period and colon don't leak the modifier.
I also noticed that colon is recognized as semicolon (on all layers) but that's also the case in older Tor Browser versions.
**Trac**:
**Username**: pege

Fixup commits for unused symbols
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26404
2023-01-05T15:48:14Z
Matthew Finkel

Some Tor Browser patches result in unreachable and/or unused code. This isn't a problem, in general, but when Firefox is built with `-Werror`, this causes a compile-time build failure. I'd like to fix these failures in our tree so we can begin pushing Try builds for our entire patchset.
This is step 0 on the larger/grander path of running the entire Firefox test suite against Tor Browser. Currently, too many unit tests fail when run on Tor Browser's patches, so this will not be useful (by itself) right now.
To be clear, I'm not sure if we should patch every unit test failure or if we should write a script that fetches the results and tells us if any failures were not expected - but this is a different topic.

Sponsor 131 - Phase 2 - Privacy Browser

When "Safest" setting is enabled searching using duckduckgo should always use the Non-Javascript site for searches
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26277
2023-10-03T15:37:45Z
Trac

When "Safest" setting is enabled, searching using duckduckgo should always use the Non-Javascript site for searches. Right now when you enable "Safest" mode in TorBrowser you will see the error "You are being redirected to a non javascript site" when you search for anything in the search box in the upper right of the browser.
TorBrowser should change the Duckduckgo search from
`https://duckduckgo.com/html/?q=example`
To
`https://duckduckgo.com/?q=example`
When "Safest" mode is enabled.
I attached a photo showing the error "You are being redirected to a non javascript site"
Tested on TorBrowser 7.5.4 and TorBrowser 8dev
**Trac**:
**Username**: Dbryrtfbcbhgf

When Clicking more information when visiting a V3 onion some of the buttons are cut off
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/25872
2022-11-30T16:39:10Z
Trac

When Clicking more information when visiting a V3 onion some of the buttons are cut off.
1. go to http://sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion
2. click the "!" next to the URL and click ">" then click more information.
3. The "View cookies" and "View saved passwords" buttons are cut off.
I attached a photo showing the buttons cut off.
Tor Browser 7.5.3
**Trac**:
**Username**: Dbryrtfbcbhgf

Remove "New Private Window" option from Tor Browser or make it a separate session
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/25660
2023-02-02T09:30:38Z
stephw

It doesn't do anything that I can tell. If it does, we should have more of an explanation to set user expectation.
For instance, I thought perhaps when I was logged into Twitter in another tab, it might isolate a separate session, but it does not. If I go to twitter.com in a "New Private Window", I am still logged into the same account.

"Restrict third party cookies and other tracking data" enabled = disables exceptions list for popups
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/24950
2022-11-29T14:24:57Z
Trac

Options -> Privacy -> Restrict third party cookies and other tracking data
When enabled, popup blocker ignores exceptions list and blocks popups from all websites.
**Trac**:
**Username**: vanowm

Sponsor 131 - Phase 5 - Ongoing Maintenance