The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2022-11-30T14:58:29Z

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23660
Handle exceptions in content sandboxing code for Tor Browser on Windows properly
2022-11-30T14:58:29Z
Georg Koppen
At the moment we just rip out the SEH parts of the content sandboxing code as mingw-w64 has trouble handling it. We should provide a proper fix for it, though.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23263
Rip out startup GfxSanityTest entirely
2022-11-30T16:50:26Z
cypherpunks
Mozilla understood it's a Windows-only "feature" in FF54 https://bugzilla.mozilla.org/show_bug.cgi?id=1339432, but Tor Browser doesn't need that trash.
Sponsor 131 - Phase 5 - Ongoing Maintenance

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22770
Cookie protections dialog cannot delete cookies after upgrade
2022-07-12T22:18:20Z
pastly
The following is originally reported by someone with an offensive username. The person reports using XP SP3. It is unclear whether or not he still has unsupported addons or modifications to cache/history settings.
-----
-----
Cookie protections dialog cannot delete cookies after I upgraded TorBrowser and restarted it.
1. Had TorBrowser 6.5.x (running)
2. Updated to 7.0.1
3. Killed TorBrowser process
4. Started TorBrowser (7.0.1)
5. Tabs got recovered (NOTE: for some reason didn't show me tab recovery dialog)
6. Now when I use Cookie protections dialog, I click to delete cookies, but when I click OK and close dialog, all cookies are still there!!! I reopen Cookie protections dialog and they are still in. They aren't protected but behave like they were.
7. When I open Tools->Options->Privacy->cookies, I can properly delete cookies from there.
I haven't restarted the browser yet, so I don't know if it happens after a restart.
It's a critical privacy bug. You think you deleted cookies so you reload the page with a new circuit, but in fact, you are using your old cookies and they will know it's the same person. They will link your two accounts.
Also, when I click to protect or unprotect cookie in the dialog, and click OK, it gets saved. When I reopen dialog I see that it's saved what I protected. But cannot delete cookies.
-----
Finally, I restarted TorBrowser (7.0.1). It's still broken, restart doesn't help.
-----
The save image/page bugs were indeed fixed by updating old addons, but I noticed this cookie bug is still present, so I reopen it.
As said initially, marking cookies as protected/unprotected works correctly, but it's not possible to delete cookies (they are deleted from dialog but reappear when you open it again). Deleting cookies from Tools->Options->Privacy->Cookies works totally fine.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22584
More RWX memory pages for TBB on some Windows versions
2022-11-30T16:58:09Z
Arthur Edelstein
A cypherpunk has reported some RWX memory pages were observed for Tor Browser on Windows 7 and Windows 10. See:
* ticket:21617#comment:4
* ticket:21617#comment:7
* ticket:21617#comment:14
Sponsor 131 - Phase 5 - Ongoing Maintenance

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21657
Test to make sure we isolate or disable all speculative connects
2023-01-05T17:16:53Z
Arthur Edelstein
There are a variety of "resource hint" features in Tor Browser that we want to make sure are isolated by first-party or disabled. These include
```
link rel=preconnect
link rel=prefetch
link rel=prerender
```
and possibly more.
We should test this for the ESR45 and ESR52 versions of Tor Browser, because isolation will have different mechanisms.
See https://w3c.github.io/resource-hints/
We should also look into "SpeculativeConnect" code in Firefox to make sure there aren't any other cases of non-first-party isolated connections.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21610
Hide about:profiles
2023-11-27T09:35:33Z
Georg Koppen
`about:profiles` allows user things like creating new profiles or restarting with extensions disabled. This might lead to weird errors and there is probably no real use case in a Tor Browser context for that. We should hide it ideally with an option to make it visible again if it is indeed needed for some reason.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21455
newwin: Inconsistent New Window height on multiple monitors (Windows)
2024-03-12T09:04:47Z
Trac
(1) "New Window" or Ctrl+N creates a new window slightly offset from the current window, but the size of the new window is determined by the primary display (instead of the display the window is on).
If the primary display is larger, this can push part of the window off the top of the display (e.g. primary 1920x1200, secondary 1280x1024: New Window on secondary display gets pushed off the top so only half the URL bar is visible).
(2) Dragging a tab out of a window with multiple tabs creates a new window sized differently than "New Window", this new window is sized according to the display it is on.
This is in 6.5 and 7.0a1 but not 6.08
**Trac**:
**Username**: pjw0

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21347
Retrying a download breaks URL bar domain isolation
2023-08-28T16:05:46Z
Georg Koppen
If a download fails and one tries to restart it via the `about:downloads` page the resumption goes over the catch-all circuit. It would be more intuitive if we could use the circuit previously used (if it is still available).
Reported on our blog: https://blog.torproject.org/blog/tor-browser-70a1-released#comment-233304

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20772
src="data:<;base64 images rendered when "Show images"="Blocked"
2023-01-05T17:04:10Z
cypherpunks
Any webpages (e.g. ht tp://defensivepatentlicense.org/) that use base64 encoding thwart people's disabling of images.
Due to there not being enough software writers to go around, TBB and its derivatives e.g. Orfox(ht tps://dev.guardianproject.info/issues/8039) often leave remote code execution vulnerabilities in the image parser.
Disabling images would protect against this vector of infection, but they can't be disabled. Due to the almost identical codebase for everything but the menus and window borders, I think that this is likely a bug in the TBB source code rather than in the tiny delta that is Orfox.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20628
More locales for Tor Browser
2022-04-05T02:28:34Z
Arthur Edelstein
Several locales for torbutton in Transifex are fully or almost fully translated, but we aren't including these in our ./import_translations.sh script in torbutton.
And we would probably like to release some of these as Tor Browsers as well.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20378
Text-to-speech doesn't work in TBB since El Capitan
2022-12-09T11:56:59Z
Jens Kubieziel
At [Tor.SE](https://tor.stackexchange.com) there is a [question regarding text-to-speech and Tor Browser](https://tor.stackexchange.com/q/12915/88). The user is dyslexic and recently upgraded to El Capitan (10.11.6). Since then the text-to-speech software stopped working with TBB. The software reads the entire webpage instead of the text the user had selected. It worked in previous version of Mac OS X and it also does work in Firefox and Safari. So it seems to be a TBB related bug.
Do you need more information? Can you help to fix this bug?
Sponsor 131 - Phase 2 - Privacy Browser
henry

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20160
Backport - MP3 playback is broken
2020-06-27T14:38:46Z
bugzilla
When playing MP3, seekbar goes to the end and total duration is not displayed:
https://bugzilla.mozilla.org/show_bug.cgi?id=1263334
and its deps:
Wrong calculation of duration for some MP3 files
SIGFPE in [@mozilla::mp3::MP3TrackDemuxer::OffsetFromFrameIndex]

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20005
Backport - easy fixes for memory leaks investigation
2020-06-27T14:38:49Z
bugzilla
[Bug 1234343 - Overly large values reported for gfx/heap-textures](https://bugzilla.mozilla.org/show_bug.cgi?id=1234343)
(changes size_t to ptrdiff_t (which "was fixed" from int32_t by previous bug) in FF46 (and Mozilla has closed related ticket with that confirmed bug as WORKSFORME for FF45, ugh [Bug 1262088 - Incorrect about:memory reports (gfx/heap-textures) when playing HTML5 videos](https://bugzilla.mozilla.org/show_bug.cgi?id=1262088))
Without it TBB shows
```
│ ├──3,155.00 MB (93.38%) ── heap-textures
```
(As `heap-textures` causes a half of memory leaks, the helper ticket is worth tracking
[Bug 1290100 - Decompose explicit/gfx/heap-textures](https://bugzilla.mozilla.org/show_bug.cgi?id=1290100))

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/19955
Backport - Warning that favicon load request got cancelled is confusing
2020-06-27T14:38:49Z
Georg Koppen
After Mozilla fixed legacy/trac#18513 a confusing warning is often visible in the console:
```
When cancelling a request for chrome://browser/skin/preferences/in-content/favicon.ico because the inner window was destroyed or a new favicon was loaded for it, it was already canceled! PlacesUIUtils.jsm:109:0
```
Mozilla seems to fix this with https://bugzilla.mozilla.org/show_bug.cgi?id=1279650. We could think about backporting this to Tor Browser.
This was first reported on our blog with https://blog.torproject.org/blog/tor-browser-65a2-released#comment-196614.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/19741
favicon in searchbar popup uses catchall circuit
2023-01-05T17:03:13Z
Arthur Edelstein
To reproduce:
* Set "torbutton.loglevel" to 3.
* Enter the word "test" in the searchbar. Click on the DuckDuckGo icon in the popup menu below to cause a search for "test" to be performed on DuckDuckGo. After the search is performed, a green "plus" symbol appears on the searchbar magnifying glass icon.
* Open the browser console, and clear it.
* Click on the searchbar again. An additional menu item appears, which contains the text `Add "DuckDuckGo (HTML)"` and a DuckDuckGo favicon.
* Examine the browser console. Log messages should appear as follows:
```
[07-22 22:38:01] Torbutton INFO: tor SOCKS: http://3g2upl4pq6kufc4m.onion/favicon.ico via --NoFirstPartyHost-chrome-browser.xul--:9bb8a61534faf1f952647a3537560fb0
GET
http://3g2upl4pq6kufc4m.onion/favicon.ico [HTTP/1.1 200 OK 0ms]
getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057
[07-22 22:38:02] Torbutton INFO: controlPort >> 650 STREAM 264 NEW 0 3g2upl4pq6kufc4m.onion:80 SOURCE_ADDR=127.0.0.1:52895 PURPOSE=USER
[07-22 22:38:02] Torbutton INFO: controlPort >> 650 STREAM 264 SENTCONNECT 15 3g2upl4pq6kufc4m.onion:80
getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057
[07-22 22:38:02] Torbutton INFO: controlPort >> 650 STREAM 264 SUCCEEDED 15 3g2upl4pq6kufc4m.onion:80
```
should be visible. I believe these messages are caused by
So it appears that the favicon display inside "add-engines" vbox of the search popup is being sent over the catchall circuit.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18866
Rip mozTCPSocket out of Tor Browser
2023-01-05T16:06:48Z
Georg Koppen
In legacy/trac#18863 we disabled the usage of mozTCPSocket per preference. We might want to rip out that code as a defense in depth.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18813
Tor Browser breaks rendering of fonts in applications launched from Tor Browser
2022-11-30T16:47:36Z
adrelanos
Tor Browser adds few additional environment variables which breaks `kdialog` and likely other applications also:
```
FONTCONFIG_PATH=/home/user/tor-browser_en-US/Browser/TorBrowser/Data/fontconfig
LD_LIBRARY_PATH=/home/user/tor-browser_en-US/Browser/TorBrowser/Tor/
```
screenshot:
https://i.imgur.com/1ItY3jR.png
([This issue was originally reported against QubesOS.](https://github.com/QubesOS/qubes-issues/issues/1892))
Perhaps do not modify environment variables for applications launched from Tor Browser?

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18780
Windows' numeric keyboard characters enter doesn't work.
2022-11-29T13:53:49Z
Trac
Just tried to enter some extended characters into textarea using numeric keyboard as Windows allows it: pressing left Alt and typing char code, like: Alt-0151 enters m-dash, Alt-0171 for left double arrow quote, Alt-0187 for right quote, etc. No character appeared. But typing into location field does actually work, and I can type those chars in there and paste them into text fields and textareas in pages opened in TB.
Is this an intentional measure or a bug? Found two tickets possibly related to this: legacy/trac#16678, legacy/trac#15646.
OS: Windows 8
Tor Browser: 5.5.4
**Trac**:
**Username**: Unchqua

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18532
Now search.disconnect.me through catchall too
2022-07-13T12:49:45Z
bugzilla
[03-11 17:31:16] Torbutton INFO: tor SOCKS isolation catchall: https://search.disconnect.me/searchTerms/search?ses=Google&location_option=US&source=tor via --unknown--:75
Windows only?

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18166
TBB continuously updates its Custom Destinations file on Win7
2022-07-12T21:06:29Z
bugzilla
TBB continuously updates its Custom Destinations (def.: https://blogs.microsoft.co.il/sasha/2009/02/24/windows-7-taskbar-custom-destinations/) file (in **%appdata%\Microsoft\Windows\Recent**) on Win7.
Example: https://chromium-build-logs.appspot.com/viewlog/raw/AMIfv94tusHalcqStZPT2jxqjdP-9rOkCcqjhLf2xB1BZab1hYhBql2FfdQI6I-CItcqXjQ5xWu23OF5KODrhcUxEKW35Bv_riDt1L_YIboliQjkrH98p6cwGg8bRd6VQvqrHG9M6yk-LNQVA24NrtaJAisGjKCTcLmS8oQ3cHXtYpBlUGMOyks