The Tor Project issueshttps://gitlab.torproject.org/groups/tpo/-/issues2023-01-05T15:48:14Zhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26404Fixup commits for unused symbols2023-01-05T15:48:14ZMatthew FinkelFixup commits for unused symbolsSome Tor Browser patches result in unreachable and/or unused code. This isn't a problem, in general, but when Firefox is built with `-Werror`, this causes a compile-time build failure. I'd like to fix these failures in our tree so we can...Some Tor Browser patches result in unreachable and/or unused code. This isn't a problem, in general, but when Firefox is built with `-Werror`, this causes a compile-time build failure. I'd like to fix these failures in our tree so we can begin pushing Try builds for our entire patchset.
This is step 0 on the larger/grander path of running the entire Firefox test suite against Tor Browser. Currently, too many unit tests fail when run on Tor Browser's patches, so this will not be useful (by itself) right now.
To be clear, I'm not sure if we should patch every unit test failure or if we should write a script that fetches the results and tells us if any failures were not expected - but this is a different topic.Sponsor 131 - Phase 2 - Privacy Browserhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34203Some of the static libraries we build are not reproducible2023-01-05T14:34:24ZGeorg KoppenSome of the static libraries we build are not reproducibleI just realized that the `.a` archives we create (e.g.) for `libevent` on android are not reproducible while their contents are. We should fix that as it makes it easier to compare results and spot problems.
While we are at it we should...I just realized that the `.a` archives we create (e.g.) for `libevent` on android are not reproducible while their contents are. We should fix that as it makes it easier to compare results and spot problems.
While we are at it we should check other outputs as well as I bet not only `lilbevent` is affected.
FWIW: In the `libevent` case it seems timestamps play a role when creating the `.a` files.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40578Add README to Tor Browser2023-01-05T14:22:24ZtraumschuleAdd README to Tor BrowserI am struck that there is none.
```
tor-browser8.5a1$ find |grep -i readme
./Browser/TorBrowser/Docs/Obfsproxy/README
./Browser/TorBrowser/Docs/fteproxy/README.md
./Browser/TorBrowser/Docs/meek/README
./Browser/TorBrowser/Docs/libfte/RE...I am struck that there is none.
```
tor-browser8.5a1$ find |grep -i readme
./Browser/TorBrowser/Docs/Obfsproxy/README
./Browser/TorBrowser/Docs/fteproxy/README.md
./Browser/TorBrowser/Docs/meek/README
./Browser/TorBrowser/Docs/libfte/README.md
./Browser/TorBrowser/Docs/snowflake/README.md
```https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40541`about:buildconfig` is missing configure options2023-01-05T14:22:16ZGeorg Koppen`about:buildconfig` is missing configure optionsFor some reason we are missing some configure options in `about:buildconfig` when building Tor Browser. On Windows e.g. --disable-stylo and --disable-jemalloc. This got reported on the blog (https://blog.torproject.org/comment/276031#com...For some reason we are missing some configure options in `about:buildconfig` when building Tor Browser. On Windows e.g. --disable-stylo and --disable-jemalloc. This got reported on the blog (https://blog.torproject.org/comment/276031#comment-276031)https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/19181Firefox >= 48 ships with an ICU pre-compiled blob2023-01-05T14:10:02ZGeorg KoppenFirefox >= 48 ships with an ICU pre-compiled blobIn https://bugzilla.mozilla.org/show_bug.cgi?id=1239083 Mozilla implemented build changes that resulted in an ICU related binary being shipped in the source tree. It is a pre-compiled thing to avoid generating it twice e.g. in a cross-co...In https://bugzilla.mozilla.org/show_bug.cgi?id=1239083 Mozilla implemented build changes that resulted in an ICU related binary being shipped in the source tree. It is a pre-compiled thing to avoid generating it twice e.g. in a cross-compilation scenario. We should investigate whether we want to ship that blob.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40551Upstream go and gomobile patches2023-01-05T13:54:39ZboklmUpstream go and gomobile patchesIn commit eee5d30a9ab1d727caac262cb62f72aaab75e0a0, we are adding one go patch, and one gomobile patch, in order to fix reproducibility issues.
We should try to upstream those patches.In commit eee5d30a9ab1d727caac262cb62f72aaab75e0a0, we are adding one go patch, and one gomobile patch, in order to fix reproducibility issues.
We should try to upstream those patches.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/25863Check where the -mwindows flag is needed2023-01-05T12:42:49ZboklmCheck where the -mwindows flag is neededCurrently we are setting the `-mwindows` flag by default in `CFLAGS` and `LDFLAGS` defined in `rbm.conf`, which are currently used (through `var/configure_opt`) in tor, gmp, libevent and go.
We should check where this flag is really nee...Currently we are setting the `-mwindows` flag by default in `CFLAGS` and `LDFLAGS` defined in `rbm.conf`, which are currently used (through `var/configure_opt`) in tor, gmp, libevent and go.
We should check where this flag is really needed, and only set it there.Sponsor 131 - Phase 5 - Ongoing Maintenancehttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40437Allow users to backup bookmarks with adb2022-12-08T15:15:30ZAntonelaantonela@torproject.orgAllow users to backup bookmarks with adbfrom tor-ux:
macaroni:
hey all
you know we can't export the bookmarks on Tor Browser Android
and i thought if we can backup the app with adb
then we can backup also the bookmarks
i can backup some apps with adb because they have ALLOW_...from tor-ux:
macaroni:
hey all
you know we can't export the bookmarks on Tor Browser Android
and i thought if we can backup the app with adb
then we can backup also the bookmarks
i can backup some apps with adb because they have ALLOW_BACKUP flag
but i can't backup TBA with adb
if you can do this all users can backup the app including the bookmarks
thanks!https://gitlab.torproject.org/tpo/onion-services/onion-support/-/issues/174Onion Service Dereferrer2022-12-08T13:19:28ZSilvio RhattoOnion Service DereferrerBuild a small self-contained Onion Service application that does HTTP Referrer removals (link redirection).
See background discussion and details at https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/25484#note_2861382....Build a small self-contained Onion Service application that does HTTP Referrer removals (link redirection).
See background discussion and details at https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/25484#note_2861382.
See documentation on best-practices for Onion Services at https://gitlab.torproject.org/tpo/onion-services/onion-support/-/issues/30.https://gitlab.torproject.org/tpo/tpa/anon_ticket/-/issues/56Add tpo/anti-censorship/gettor-project/OnionSproutsBot to the list of projects2022-12-05T17:10:50Zn0tooseAdd tpo/anti-censorship/gettor-project/OnionSproutsBot to the list of projectsLink: https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBotLink: https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBothttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40204pion errors don't go into the log2022-12-03T13:45:30ZRoger Dingledinepion errors don't go into the logMy snowflake proxy tells me, I guess on either stdout or stderr,
```
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0...My snowflake proxy tells me, I guess on either stdout or stderr,
```
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
```
but I am using -log, and these lines don't show up in the log. It is unexpected that "error" category messages would be the ones that are transient and not captured for posterity.
(Also, the timestamps in the log seem to be utc, and the timestamps on my stdout/stderr appear to be local timezone. Not sure if that merits a separate ticket -- let me know if yes and I can open it.)Linus Nordberglinus@torproject.orgLinus Nordberglinus@torproject.orghttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40943Disable bookmark backups2022-11-30T18:34:03ZcypherpunksDisable bookmark backupsTor browser shouldn't backup bookmarks at all and even when bookmarks are deleted, old backups remain in:
/Browser/TorBrowser/Data/Browser/profile.default/bookmarkbackupsTor browser shouldn't backup bookmarks at all and even when bookmarks are deleted, old backups remain in:
/Browser/TorBrowser/Data/Browser/profile.default/bookmarkbackupshttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/34370Improve identity doorhanger message during failed onion authentication2022-11-30T16:59:26ZAntonelaantonela@torproject.orgImprove identity doorhanger message during failed onion authenticationWhen you visit an onion site that requires authentication and you click cancel, then you click the circled-i button to the left of the URL, it says connection is not secure.
But there is no connection, and any handshake-type stuff that ...When you visit an onion site that requires authentication and you click cancel, then you click the circled-i button to the left of the URL, it says connection is not secure.
But there is no connection, and any handshake-type stuff that happens is all secure, right? Maybe it's not an issue but I thought I'd just bring it up.
via https://blog.torproject.org/comment/288072#comment-288072https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22584More RWX memory pages for TBB on some Windows versions2022-11-30T16:58:09ZArthur EdelsteinMore RWX memory pages for TBB on some Windows versionsA cypherpunk has reported some RWX memory pages were observed for Tor Browser on Windows 7 and Windows 10. See:
* ticket:21617#comment:4
* ticket:21617#comment:7
* ticket:21617#comment:14A cypherpunk has reported some RWX memory pages were observed for Tor Browser on Windows 7 and Windows 10. See:
* ticket:21617#comment:4
* ticket:21617#comment:7
* ticket:21617#comment:14Sponsor 131 - Phase 5 - Ongoing Maintenancehttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26557Regression in keyboard fingerprinting2022-11-30T16:51:48ZTracRegression in keyboard fingerprintingI just compared fingerprinting protection between 8.0a8 and 8.0a9. There appears to be a regression when it comes to key combination with AtlGraph.
My system:
OS: Whonix 14 (Debian stretch) on Qubes OS 4.0
Keyboard layout: Neo (https:/...I just compared fingerprinting protection between 8.0a8 and 8.0a9. There appears to be a regression when it comes to key combination with AtlGraph.
My system:
OS: Whonix 14 (Debian stretch) on Qubes OS 4.0
Keyboard layout: Neo (https://neo-layout.org/index_en.html)
For testing I used https://arthuredelstein.github.io/tordemos/keyboard.html.
There are several keys that have regressed:
== Numbers
When typing the number 0 using the key pad on layer 4 ('<' + space) I observe this differences:
8.0a8: code: Digit0, modifierState: empty
8.0a9: code: Space, modifierState: AltGraph
Similarly, other numbers, when typing using the number pad on layer 4, show the actual key that was pressed (KeyM, KeyJ, KeyU, …) instead of DigitX.
== Navigation Keys
Arrow up:
8.0a8: code: ArrowUp, modifierState: empty
8.0a9: code: ArrowUp, modifierState: AltGraph
The modifier leaks with many of the keys on layer 4. Including, all arrow keys, escape, home, end, delete, back and comma. Interestingly, period and colon don't leak the modifier.
I also noticed that colon is recognized as semicolon (on all layers) but that's also the case in older Tor Browser version.
**Trac**:
**Username**: pegehttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23263Rip out startup GfxSanityTest entirely2022-11-30T16:50:26ZcypherpunksRip out startup GfxSanityTest entirelyMozilla understood it's a Windows-only "feature" in FF54 https://bugzilla.mozilla.org/show_bug.cgi?id=1339432, but Tor Browser doesn't need that trash.Mozilla understood it's a Windows-only "feature" in FF54 https://bugzilla.mozilla.org/show_bug.cgi?id=1339432, but Tor Browser doesn't need that trash.Sponsor 131 - Phase 5 - Ongoing Maintenancehttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18813Tor Browser breaks rendering of fonts in applications launched from Tor Browser2022-11-30T16:47:36ZadrelanosTor Browser breaks rendering of fonts in applications launched from Tor BrowserTor Browser adds few additional environment variables which breaks `kdialog` and likely other applications also:
```
FONTCONFIG_PATH=/home/user/tor-browser_en-US/Browser/TorBrowser/Data/fontconfig
LD_LIBRARY_PATH=/home/user/tor-browser_...Tor Browser adds few additional environment variables which breaks `kdialog` and likely other applications also:
```
FONTCONFIG_PATH=/home/user/tor-browser_en-US/Browser/TorBrowser/Data/fontconfig
LD_LIBRARY_PATH=/home/user/tor-browser_en-US/Browser/TorBrowser/Tor/
```
screenshot:
https://i.imgur.com/1ItY3jR.png
([This issue was originally reported against QubesOS.](https://github.com/QubesOS/qubes-issues/issues/1892))
Perhaps do not modify environment variables for applications launched from Tor Browser?https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/4763TorBrowser remembers location of last locally-opened file: "File > Open File ...2022-11-30T16:45:12ZcypherpunksTorBrowser remembers location of last locally-opened file: "File > Open File ..."This seems like less-than-ideal behavior.
Ex., TBB is used as the local Tor, Vidalia and browser by Alice, on her computer. However, Bob also has access to Alice's computer because they live together. Alice was looking at a local file ...This seems like less-than-ideal behavior.
Ex., TBB is used as the local Tor, Vidalia and browser by Alice, on her computer. However, Bob also has access to Alice's computer because they live together. Alice was looking at a local file she doesn't want Bob to see, but Bob does see the file when he too uses TBB as the local Tor, Vidalia and browser. Of course, Bob found the local file by mistake when he was trying to open a different local file.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/25872When Clicking more information when visiting a V3 onion some of the buttons a...2022-11-30T16:39:10ZTracWhen Clicking more information when visiting a V3 onion some of the buttons are cut offWhen Clicking more information when visiting a V3 onion some of the buttons are cut off.
1. go to http://sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion
2. click the "!" next to the URL and click ">" then click more inform...When Clicking more information when visiting a V3 onion some of the buttons are cut off.
1. go to http://sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion
2. click the "!" next to the URL and click ">" then click more information.
3.The "View cookies" and "View saved passwords" buttons are cut off.
I attached a photo showing the buttons cut off.
Tor Browser 7.5.3
**Trac**:
**Username**: Dbryrtfbcbhgfhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40464Cannot add .onion search engine when equivalent clearnet is present2022-11-30T16:17:05ZbtdmasterCannot add .onion search engine when equivalent clearnet is presentAdding e.g. https://search.snopyta.org/ as a search engine prevents its .onion equivalent from being added, http://yra4tke2pwcnatxjkufpw6kvebu3h3ti2jca2lcdpgx3mpwol326lzid.onion/, and there is no notification to the user for the cause of...Adding e.g. https://search.snopyta.org/ as a search engine prevents its .onion equivalent from being added, http://yra4tke2pwcnatxjkufpw6kvebu3h3ti2jca2lcdpgx3mpwol326lzid.onion/, and there is no notification to the user for the cause of this issue; the 'Add Search Engine' option is completely absent and there is no practical way of knowing that this is the cause for the issue from the user's perspective.
The workaround is to remove the clearnet search engine manually and then add the .onion version.
This is important not only because adding the .onion version avoids clearnet connections but also because when enabling redirects from clearnet to .onion POST requests are lost, so searx is not only less private but practically useless as it redirects to the .onion with the search parameters lost.