The Tor Project issueshttps://gitlab.torproject.org/groups/tpo/-/issues2022-07-16T10:30:18Zhttps://gitlab.torproject.org/tpo/core/tor/-/issues/32511Add features improving onion services' interaction with Tor.2022-07-16T10:30:18ZTracAdd features improving onion services' interaction with Tor.Tor lacks features allowing onion services' interaction with it, mainly because it is a tunneling protocol, not an application layer protocol. I think this aspect of Tor should be addressed more.
I suggest three directives that can impr...Tor lacks features allowing onion services' interaction with it, mainly because it is a tunneling protocol, not an application layer protocol. I think this aspect of Tor should be addressed more.
I suggest three directives that can improve onion services' interaction with Tor.
1. HiddenServiceExportRendPoint
With HiddenServiceExportCircuitID and this directive enabled, Tor exports IP and port of rendezvous point, along with the circuit ID, to the onion service. With this, operators can easily aggregate, analyze and monitor their services' rendezvous point connections.
2. HiddenServiceExportInstanceID
With HiddenServiceExportCircuitID and this directive enabled, Tor exports a user-provided instance ID, along with the circuit ID, to the onion service. With this, operators running multiple instances of Tor can accurately differentiate traffics with the same circuit ID. Fixes legacy/trac#32428.
3. HiddenServiceEnableClosingCircuit
This might be controversial because this feature exclusively targets the HTTP application protocol, and I know there are ways to close a circuit using the control protocol. But it's nearly impossible and too much error-prone to implement it in real environments.
With this directive enabled, when onion services' backend returns an HTTP status code of 447, it marks the circuit to be closed. It's lightweight, straightforward and easy to configure.
I've crudely implemented them. Please feel free to leave ideas or comments below.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31978Support use of policies.json2022-07-13T08:50:38ZsegfaultSupport use of policies.jsonAt Tails, we are currently having trouble porting our customizations for Tor Browser 9. What would really help is the functionality of policies.json. I see that you add support for using policies.json with Tor Browser in legacy/trac#2944...At Tails, we are currently having trouble porting our customizations for Tor Browser 9. What would really help is the functionality of policies.json. I see that you add support for using policies.json with Tor Browser in legacy/trac#29445, but then reverted that fix in legacy/trac#29916.
In legacy/trac#29916#comment:7 and legacy/trac#29916#comment:8, you state that setting `browser.policies.testing.disallowEnterprise=true` should be enough to fix legacy/trac#29916. So would it be possible to reintroduce the fix for legacy/trac#29445, so that we can set `browser.policies.testing.disallowEnterprise=false` in Tails and make use of the policies.json?https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22000update OSX browser sandbox profile for e10s2022-07-12T23:33:44ZKathleen Bradeupdate OSX browser sandbox profile for e10sFor compatibility with e10s, the TB.sb file needs to be updated to allow creation of content processes.For compatibility with e10s, the TB.sb file needs to be updated to allow creation of content processes.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23134Switch circuits after REASON=DESTROY instead of showing the Firefox error pag...2022-07-12T22:31:54ZcypherpunksSwitch circuits after REASON=DESTROY instead of showing the Firefox error page immediatelyWhen
```
[08-07 15:04:27] Torbutton INFO: controlPort >> 650 STREAM 1201 FAILED 276 trac.torproject.org:443 REASON=DESTROY
```
Tor Browser immediately gives standard:
Unable to connect
Firefox can’t establish a connection to the server...When
```
[08-07 15:04:27] Torbutton INFO: controlPort >> 650 STREAM 1201 FAILED 276 trac.torproject.org:443 REASON=DESTROY
```
Tor Browser immediately gives standard:
Unable to connect
Firefox can’t establish a connection to the server at trac.torproject.org.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Tor Browser is permitted to access the Web.
Try Againhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22770Cookie protections dialog cannot delete cookies after upgrade2022-07-12T22:18:20ZpastlyCookie protections dialog cannot delete cookies after upgradeThe following is originally reported by someone with an offsensive username. The person reports using XP SP3. It is unclear whether or not he still has unsupported addons or modifications to cache/history settings.
-----
-----
Cookie ...The following is originally reported by someone with an offsensive username. The person reports using XP SP3. It is unclear whether or not he still has unsupported addons or modifications to cache/history settings.
-----
-----
Cookie protections dialog cannot delete cookies after I upgraded TorBrowser and restarted it.
1. Had TorBrowser 6.5.x (running)
2. Updated to 7.0.1
3. Killed TorBrowser process
4. Started TorBrowser (7.0.1)
5. Tabs got recovered (NOTE: for some reason didn't show me tab recovery dialog)
6. Now when I use Cookie protections dialog, I click to delete cookies, but when I click OK and close dialog, all cookies are still there!!! I reopen Cookie protections dialog and they are still in. They aren't protected but behave like they were.
7. When I open Tools->Options->Privacy->cookies, I can properly delete cookies from there.
I haven't restart browser yet so don't know if it happens after restart.
It's critical privacy bug. You think you deleted cookies so you reload page with new circuit, but in fact, you are using your old cookies and they will know it's same person. They will link your two accounts.
Also, when I click to protect or unprotect cookie in the dialog, and click OK, it gets saved. When I reopen dialog I see that it's saved what I protected. But cannot delete cookies.
-----
Finally, I restarted TorBrowser (7.0.1). It's still broken, restart doesn't help.
-----
The save image/page bugs were indeed fixed by updating old addons, but I noticed this cookie bug is still present, so I reopen it.
As said initially, marking cookies as protected/unprotected works correctly, but it's not possible to delete cookies (they are deleted from dialog but reappear when you open it again). Deleting cookies from Tools->Options->Privacy->Cookies works totally fine.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40056ensure that lazy <img> loading does not add a fingerprinting vector2022-07-12T16:53:53ZMark Smithensure that lazy <img> loading does not add a fingerprinting vectorFrom #33534: Firefox 75 added support for the `loading` attribute of HTML `<img>` elements. This string value can be used to specify that the image should be lazily loaded, by setting its value to `lazy`. This could allow sites to track ...From #33534: Firefox 75 added support for the `loading` attribute of HTML `<img>` elements. This string value can be used to specify that the image should be lazily loaded, by setting its value to `lazy`. This could allow sites to track a user's scrolling behavior and use it for fingerprinting. Maybe that is OK since:
1. Similar tracking is already possible via other mechanisms when JavaScript is enabled.
2. The lazy loading feature is supposedly disabled when JavaScript is disabled.
We should confirm.
https://bugzilla.mozilla.org/show_bug.cgi?id=1542784 \
"Support `<img loading="lazy">` lazy-loading"https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15532Tor Browser 4.5 displays signature validation error during update2022-07-09T21:55:01ZMike PerryTor Browser 4.5 displays signature validation error during updateI suspect this is due to the fact that we allow an update to proceed if it is signed with either my mar signing key or gk's mar signing key, but nonetheless TBB 4.5 displays two error messages while updating on Linux:
"ERROR: Error verif...I suspect this is due to the fact that we allow an update to proceed if it is signed with either my mar signing key or gk's mar signing key, but nonetheless TBB 4.5 displays two error messages while updating on Linux:
"ERROR: Error verifying signature"
"ERROR: Not all signatures were verified".
We should ensure the signature validation behavior is actually correct, and if so remove these error messages for the stable release.https://gitlab.torproject.org/tpo/core/tor/-/issues/27066circuit_build_times_update_alpha(): Bug: Could not determine largest build time2022-07-09T17:35:22ZTraccircuit_build_times_update_alpha(): Bug: Could not determine largest build timeThis bug occurs only when v3 hidden services are activated (4 hours after activation v3 services). This was my second test of v3 services and this issue repeated again. Server was running aprox.150 v3 domains.
After below warnings, all ...This bug occurs only when v3 hidden services are activated (4 hours after activation v3 services). This was my second test of v3 services and this issue repeated again. Server was running aprox.150 v3 domains.
After below warnings, all hidden services stoped working.
Could be related to legacy/trac#25733.
```
Aug 07 04:45:49.000 [warn] circuit_build_times_update_alpha(): Bug: Could not determine largest build time (0). Xm is 7525ms and we've abandoned 996 out of 1000 circuits. (on Tor 0.3.3.9 )
Aug 07 04:45:49.000 [warn] circuit_build_times_update_alpha(): Bug: Could not determine largest build time (0). Xm is 7525ms and we've abandoned 997 out of 1000 circuits. (on Tor 0.3.3.9 )
Aug 07 04:45:49.000 [warn] circuit_build_times_update_alpha(): Bug: Could not determine largest build time (0). Xm is 7525ms and we've abandoned 998 out of 1000 circuits. (on Tor 0.3.3.9 )
Aug 07 04:45:49.000 [warn] circuit_build_times_update_alpha(): Bug: Could not determine largest build time (0). Xm is 7525ms and we've abandoned 999 out of 1000 circuits. (on Tor 0.3.3.9 )
Aug 07 04:45:49.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 7521.000000ms
Aug 07 04:45:49.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 7521.000000ms
Aug 07 04:45:49.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 7521.000000ms
Aug 07 04:45:49.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 7521.000000ms
Aug 07 04:45:49.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 7521.000000ms
Aug 07 04:45:49.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 7521.000000ms
Aug 07 04:45:49.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 7521.000000ms
Aug 07 04:45:49.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 7521.000000ms
Aug 07 04:45:49.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 7521.000000ms
Aug 07 04:45:49.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 7521.000000ms
Aug 07 04:45:49.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 7521.000000ms
...........
```
**Trac**:
**Username**: cstesthttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40593Disable SpeechSynthesis in Safer level2022-07-08T23:39:35ZcypherpunksDisable SpeechSynthesis in Safer levelLatest issues about SpeechSynthesis on Tor Project Gitlab are outdated.
Please check the situation again.Latest issues about SpeechSynthesis on Tor Project Gitlab are outdated.
Please check the situation again.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40575Tor Browser steals focus during launch2022-07-08T23:33:45ZcypherpunksTor Browser steals focus during launchTor Browser: 10.5.2
OS: Linux
When about:torconnect page finishes and browser launches the home page (in my case a local file), it steals the application focus from the active application. I cannot type a command into the terminal, beca...Tor Browser: 10.5.2
OS: Linux
When about:torconnect page finishes and browser launches the home page (in my case a local file), it steals the application focus from the active application. I cannot type a command into the terminal, because Tor is doing initialization???!!! Seriously?
Tested with MATE desktop environment and i3 window manager.
It would be easy to say that the "new UX for connecting to tor" is to blame[1], but my experience says it just made the bug apparent.
[1] https://blog.torproject.org/improving-ux-connecting-to-tor-105https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40338Tor Browser complains of potential security risk ahead for valid certificate,...2022-07-08T23:13:33Zf9424ec9fd944a20Tor Browser complains of potential security risk ahead for valid certificate, unable to accept risk and continueTor Browser version 10.0.10 on Manjaro Linux
When trying to visit a specific https:// site Tor Browser displays page "Warning: Potential Security Risk Ahead".
The links on this page, "Learn more…", "Go Back", do nothing. Clicking "Adva...Tor Browser version 10.0.10 on Manjaro Linux
When trying to visit a specific https:// site Tor Browser displays page "Warning: Potential Security Risk Ahead".
The links on this page, "Learn more…", "Go Back", do nothing. Clicking "Advanced" reveals another link "Accept the Risk and Continue" which does nothing.
In previous Tor Browser versions I was able to "Accept the Risk and Continue", but this no longer works.
Other browsers such as Firefox and Chromium do not complain about a potential security risk when visiting the same site.
The certificate appears valid an not self signed.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30832Fix tor-browser tbb-tests2022-07-08T23:11:04ZAlex CatarineuFix tor-browser tbb-testsWith current rebased tor-browser ESR68 branch I can only run tbb-tests (with `run-tbb-tests` script) when `pref("network.file.path_blacklist", "/net")` is removed and `pref("extensions.torbutton.use_nontor_proxy", true);` is set, apart f...With current rebased tor-browser ESR68 branch I can only run tbb-tests (with `run-tbb-tests` script) when `pref("network.file.path_blacklist", "/net")` is removed and `pref("extensions.torbutton.use_nontor_proxy", true);` is set, apart from disabling tor-launcher. The second pref disables the domain isolator, which makes sense since it expects SOCKS5 proxies, but mochitests override that. For the other pref, not sure why `network.file.path_blacklist` needs to be unset (at least for Linux).
We could put these prefs in `testing/marionette/prefs/marionette.js` so that tests can be run (unless there is a simpler way to get the tests tor run that I'm missing).Tor Browser: 10.5https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23704Tor Browser seems to remember tabs *at the very moment* of a new available ve...2022-06-25T17:06:21ZTracTor Browser seems to remember tabs *at the very moment* of a new available versionHi,
Sorry if this is a duplicate, I tried to give a look but didn't find anything.
And sorry for the weird title, couldn't find anything better...
I'm not sure exactly what happened, but here is, in order, what I did/saw:
- open tor br...Hi,
Sorry if this is a duplicate, I tried to give a look but didn't find anything.
And sorry for the weird title, couldn't find anything better...
I'm not sure exactly what happened, but here is, in order, what I did/saw:
- open tor browser (under debian stretch)
- open a few tabs
- "new identity"
- open some tabs
- "new identity"
- open some tabs
- close tor browser
- see a "new version available" window
- click on something like "yeay, let's upgrade" (maybe the upgrade *was done* and only a "restart" was expected)
- see tor browser starting and opening the tabs I had open some time ago (not the last "identity", but the first one)
Voilà.
I probably could give more details if needed.
Oh, also, I cannot say *when* that "Upgrade available" window appeared, I only saw it when I closed Tor Browser.
I think it's a privacy issue (the tabs are stored somewhere or whatever).
Thanks
**Trac**:
**Username**: gagzhttps://gitlab.torproject.org/tpo/core/tor/-/issues/26769We should make HSv3 desc upload less frequent2022-06-24T16:13:58ZGeorge KadianakisWe should make HSv3 desc upload less frequentWithout checking the source code right now, HSDirs are supposed to cache HS descriptors for the inscribed lifetime (3 hours), and HSv3s are supposed to upload descriptors at a random time between 1 and 2 hours (see `HS_SERVICE_NEXT_UPLOA...Without checking the source code right now, HSDirs are supposed to cache HS descriptors for the inscribed lifetime (3 hours), and HSv3s are supposed to upload descriptors at a random time between 1 and 2 hours (see `HS_SERVICE_NEXT_UPLOAD_TIME_MIN`).
This makes HSv3s upload descriptors more frequently than needed. For example, we could increase this to upload descriptors between 2 and 2.9 hours, to make HSv3s less intense on the network.
Someone should double check the above logic and make sure it won't cause issues, and implement it.https://gitlab.torproject.org/tpo/core/tor/-/issues/20007Sandbox causing crash when setting HidServAuth when there is a hidden service...2022-06-24T14:49:40ZsegfaultSandbox causing crash when setting HidServAuth when there is a hidden service runningWhen the sandbox is enabled and there is a hidden service configured, setting HidServAuth via SETCONF results in a permission error.
Steps to reproduce:
Start Tor with a hidden service:
```
/usr/bin/tor --defaults-torrc /usr/share/t...When the sandbox is enabled and there is a hidden service configured, setting HidServAuth via SETCONF results in a permission error.
Steps to reproduce:
Start Tor with a hidden service:
```
/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --RunAsDaemon 0 --Log debug --CookieAuthentication 0 --Sandbox 1 --HiddenServiceDir /var/lib/tor/hidden_service/ --HiddenServicePort 80
```
Try setting HidServAuth via the control port:
```
echo "AUTHENTICATE
SETCONF HidServAuth=\"prkszpeygn2a3kxo.onion iGwsXkMwZEHuq/0YCD6IGQ\"" | nc -U /var/run/tor/control
```
Output:
```
250 OK
513 Unacceptable option value: Failed to configure rendezvous options. See logs for details.
```
Log:
```
Aug 27 15:31:55.000 [warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied
Aug 27 15:31:55.000 [warn] Controller gave us config lines that didn't validate: Failed to configure rendezvous options. See logs for details.
```
If we start Tor without a hidden service or without the sandbox, it works without errors:
Without hidden service:
```
/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --RunAsDaemon 0 --Log debug --CookieAuthentication 0 --Sandbox 1
```
or without sandbox:
```
/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --RunAsDaemon 0 --Log debug --CookieAuthentication 0 --Sandbox 0 --HiddenServiceDir /var/lib/tor/hidden_service/ --HiddenServicePort 80
```
Set HidServAuth via the control port:
```
echo "AUTHENTICATE
SETCONF HidServAuth=\"prkszpeygn2a3kxo.onion iGwsXkMwZEHuq/0YCD6IGQ\"" | nc -U /var/run/tor/control
```
Output:
```
250 OK
250 OK
```https://gitlab.torproject.org/tpo/core/tor/-/issues/28849Handle dormant mode in process library and for PT's2022-06-24T14:12:53ZAlexander Færøyahf@torproject.orgHandle dormant mode in process library and for PT'sBug legacy/trac#28179 makes us able to handle PT processes better and read output from stdout/stderr, but with the recent dormant mode we should figure out this interaction works for PT's.
Especially on Windows this becomes a problem be...Bug legacy/trac#28179 makes us able to handle PT processes better and read output from stdout/stderr, but with the recent dormant mode we should figure out this interaction works for PT's.
Especially on Windows this becomes a problem because we will probably stop reading from stdout/stderr when Tor enters its dormant mode to disable the timer that ticks once a second.https://gitlab.torproject.org/tpo/tpa/team/-/issues/40811Access to shared tor browser build machine for anti-censorship team2022-06-24T07:59:30ZCecylia BocovichAccess to shared tor browser build machine for anti-censorship teamOnce upon a time, I had access to a machine shared with @tpo/applications at `build-sunet-a.torproject.net` for the purpose of doing tor browser builds. Does such a machine still exist? And is it possible to give someone from the anti-ce...Once upon a time, I had access to a machine shared with @tpo/applications at `build-sunet-a.torproject.net` for the purpose of doing tor browser builds. Does such a machine still exist? And is it possible to give someone from the anti-censorship team access to it since the need to do browser builds for the purpose of updating and adding new PTs occasionally comes up?anarcatanarcathttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26125Javascript's localStorage/sessionStorage is not working.2022-06-23T18:45:20ZcypherpunksJavascript's localStorage/sessionStorage is not working.To whom it may concern,
We're allowing Tor users to read our websites. We are using sessionStorage to save temporary information.
Unfortunatelly some Tor users reported us about Javascript error, and we downloaded your software to chec...To whom it may concern,
We're allowing Tor users to read our websites. We are using sessionStorage to save temporary information.
Unfortunatelly some Tor users reported us about Javascript error, and we downloaded your software to check their claim.
Steps to reproduce:
1. Open Tor Browser.
2. Open any website, such as this current page https://trac.torproject.org/projects/tor/newticket
3. Press [F12] key to open "Developer Tools" and click "Console".
4. Type "sessionStorage.length".
Result:
SecurityError: The operation is insecure.
It seems your browser's Storage API is broken.
We have no problems when we tried latest Mozilla Firefox and Google Chrome.
Result (Firefox 60):
0
Please fix your browser to meet Mozilla's default standard.
--
Rick W.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21224Youtube fullscreen errorr in TBB fullscreen mode on MacOS 10.122022-06-22T15:56:57ZTracYoutube fullscreen errorr in TBB fullscreen mode on MacOS 10.12Since the window resizing logic was updated in the 6.5 alphas there is a problem with fullscreen videos on Youtube.
I'm on a fully up to date MacOS Sierra installation and when I put the Tor Browser in the native Mac fullscreen mode and ...Since the window resizing logic was updated in the 6.5 alphas there is a problem with fullscreen videos on Youtube.
I'm on a fully up to date MacOS Sierra installation and when I put the Tor Browser in the native Mac fullscreen mode and then put a Youtube video in fullscreen from that window it only shows in a small rectangle in the upper left corner of the screen.
Other websites with video players don't have this problem.
When I take Tor Browser back out of its fullscreen mode then the Youtube video works fullscreen as normal again but it seems it is overlaying the window and not using the native Mac fullscreen apis.
I can make a screenshot if necessary but it should be easily reproducible.
**Trac**:
**Username**: exattohttps://gitlab.torproject.org/tpo/network-health/depictor/-/issues/16The x-axis on the graphs is not updating past 06/15/20222022-06-22T15:50:48ZGeorg KoppenThe x-axis on the graphs is not updating past 06/15/2022It seems the x-axis is stuck on 06/15/2022. I am not exactly sure whether it's just this "cosmetic" issue or whether actually the graphs stop at that date as well.It seems the x-axis is stuck on 06/15/2022. I am not exactly sure whether it's just this "cosmetic" issue or whether actually the graphs stop at that date as well.Tom Rittertom@ritter.vgTom Rittertom@ritter.vg