The Tor Project issueshttps://gitlab.torproject.org/groups/tpo/-/issues2021-07-29T06:45:35Zhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15535Window unstable2021-07-29T06:45:35ZTracWindow unstableNew to 4.5a5, did not occur in 4.5a4:
Tor Browser window frantically resizes sometimes. For instance, if I try to resize the window, it oscillates between two sizes for a few seconds, until stabilizing. Sometimes it uses the new size a...New to 4.5a5, did not occur in 4.5a4:
Tor Browser window frantically resizes sometimes. For instance, if I try to resize the window, it oscillates between two sizes for a few seconds, until stabilizing. Sometimes it uses the new size and sometimes it reverts to the current size.
Also, the window has been observed to follow me across desktops. I change desktops and after about a second the Tor Browser window appears.
Using Debian 7 with XFCE.
**Trac**:
**Username**: bernie.allenhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15533'restore defaults' on the security slider puts me at high security2020-06-27T14:41:00ZRoger Dingledine'restore defaults' on the security slider puts me at high securityWhen I start my shiny new Tor Browser 4.5a5, it suggests that I open the slider, so I do. Then I move it from 'low' to 'medium' to see what it does. Then I click 'restore defaults', and voila, now I'm at high security!
This is unlikely ...When I start my shiny new Tor Browser 4.5a5, it suggests that I open the slider, so I do. Then I move it from 'low' to 'medium' to see what it does. Then I click 'restore defaults', and voila, now I'm at high security!
This is unlikely to be what we meant by the defaults.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15532Tor Browser 4.5 displays signature validation error during update2022-07-09T21:55:01ZMike PerryTor Browser 4.5 displays signature validation error during updateI suspect this is due to the fact that we allow an update to proceed if it is signed with either my mar signing key or gk's mar signing key, but nonetheless TBB 4.5 displays two error messages while updating on Linux:
"ERROR: Error verif...I suspect this is due to the fact that we allow an update to proceed if it is signed with either my mar signing key or gk's mar signing key, but nonetheless TBB 4.5 displays two error messages while updating on Linux:
"ERROR: Error verifying signature"
"ERROR: Not all signatures were verified".
We should ensure the signature validation behavior is actually correct, and if so remove these error messages for the stable release.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15527Branding issue: Error page mentions firefox2020-06-27T14:41:00ZSebastian HahnBranding issue: Error page mentions firefoxHi, I'm not sure what the policy is on this, but when going to a nonexistent webserver Tor Browser says in its error message "Firefox can't establish a connection to the server at [...]". Is this supposed to be this way?Hi, I'm not sure what the policy is on this, but when going to a nonexistent webserver Tor Browser says in its error message "Firefox can't establish a connection to the server at [...]". Is this supposed to be this way?https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15526ES6 page crashes Tor Browser2020-06-27T14:41:01ZTracES6 page crashes Tor BrowserTor Browser 4.5a4 on Linux amd64 crashes on this page:
http://kangax.github.io/compat-table/es6/
The following error is shown after the crash:
Tor exited abnormally. Exit code: 139
**Trac**:
**Username**: ogiTor Browser 4.5a4 on Linux amd64 crashes on this page:
http://kangax.github.io/compat-table/es6/
The following error is shown after the crash:
Tor exited abnormally. Exit code: 139
**Trac**:
**Username**: ogihttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15514Trim the NoScript whitelist2022-07-09T21:54:45ZMike PerryTrim the NoScript whitelistThe NoScript whitelist currently allows blob: URLs, all about: URLs, and chrome: URLs.
We definitely want to remove blob: URLs, because of legacy/trac#15502. We also don't appear to need chrome: URLs, and Giorgio recommends we remove th...The NoScript whitelist currently allows blob: URLs, all about: URLs, and chrome: URLs.
We definitely want to remove blob: URLs, because of legacy/trac#15502. We also don't appear to need chrome: URLs, and Giorgio recommends we remove the blanket allow on about: URLs in favor of a the list of specific about urls we know we need.
We do need resource: urls for pdf.js though. For some reason, the cascading permissions does not properly allow them in pdf.js when you click "Temporarily allow all this page".
Unfortunately, updating this list is not easy. We need to push an update in extension-overrides.js to set 'noscript.mandatory' and 'noscript.default', but that will not affect 'capability.policy.maonoscript.sites' for people who upgrade. Hence we need to add one-time code to Torbutton that removes the extra schemes from 'capability.policy.maonoscript.sites' and sets a pref so it doesn't do it again.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15510The controller for the circuit-display is not stopped on New Identity2020-06-27T14:41:01ZGeorg KoppenThe controller for the circuit-display is not stopped on New IdentityIf one hits New Identity n times during then one gets essentially n controller instances talking to tor as they are not stopped on windows unload.If one hits New Identity n times during then one gets essentially n controller instances talking to tor as they are not stopped on windows unload.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15502URL.createObjectURL() considered harmful2020-06-27T14:41:01ZMike PerryURL.createObjectURL() considered harmfulBlobs are a mechanism for creating temporary files that live in the browser and can optionally be assigned a random GUID that can be accessed via the blob: scheme.
Unfortunately, this has several bad consequences for TBB:
1. blob: URIs ...Blobs are a mechanism for creating temporary files that live in the browser and can optionally be assigned a random GUID that can be accessed via the blob: scheme.
Unfortunately, this has several bad consequences for TBB:
1. blob: URIs are whitelisted in NoScript
2. blob: URIs survive New Identity
3. blob: URIs are not isolated by top-level domain
I think this is tricky to exploit to get arbitrary scripts to run, because you already need scripts enabled to create these things. They are also not great to use as a tracking vector, because the GUID you get is randomly assigned.
However, they still deeply concern me because if you want to keep track of a short list of users, you can create blob uris for them, record those GUIDS, and cycle through this list of GUIDs for every user who visits any site.
Here's an example blob URI creation script that gives you a blob uri that you can throw in the URL bar. It will then execute scripts (pop up an alert) even if you have instructed NoScript to disable scripts globally:
https://people.torproject.org/~mikeperry/transient/tests/blob-uri-creation.html
You can also use the resulting URI to test and see that it survives New Identity.
This ticket probably needs several child tickets to deal with the various issues here. Or we could just simply drop support for the URI feature of the Blob APIs. It seems rather obscure and unnessary, since you can use these things as normal JS objects just fine without them being URIs.Arthur EdelsteinArthur Edelsteinhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15499Onion sites circuits are not properly isolated to URL bar domain2022-07-09T21:54:28ZGeorg KoppenOnion sites circuits are not properly isolated to URL bar domainAs mentioned on IRC, s7r's test case and results are:
```
I have setup an .onion which loads an image from another onion. it creates 2
circuits but it's smart enough when I access the second onion where the
resources are loaded from, i...As mentioned on IRC, s7r's test case and results are:
```
I have setup an .onion which loads an image from another onion. it creates 2
circuits but it's smart enough when I access the second onion where the
resources are loaded from, it uses the same circuit used to load the resources initially.
```
This seems not the thing we want. As mikeperry noted we want to have the access to the second onion over a different circuit than loading the resources while accessing onion 1.
This might actually require a Tor patch (too).https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15495Delete CNNIC Root in default please2020-06-27T14:41:01ZTracDelete CNNIC Root in default pleaseMan-in-the-middle Attacks Enabled by CNNIC.CNNIC belongs to Chinese government,and China is a totalitarian country.
**Trac**:
**Username**: cautionMan-in-the-middle Attacks Enabled by CNNIC.CNNIC belongs to Chinese government,and China is a totalitarian country.
**Trac**:
**Username**: cautionhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15493Redirects sometimes seem to break circuit status UI2020-06-27T14:41:02ZMike PerryRedirects sometimes seem to break circuit status UIIf you go to https://bugs.torproject.org, you will be redirected to https://trac.torproject.org, and in some cases the circuit status UI will not display a circuit for you. It seems that even subsequent visits to trac.torproject.org will...If you go to https://bugs.torproject.org, you will be redirected to https://trac.torproject.org, and in some cases the circuit status UI will not display a circuit for you. It seems that even subsequent visits to trac.torproject.org will not display a circuit. Others have reported similar issues with google.com country redirects.
This happens with TBB 4.5a5, but is not reliably reproducible. Sometimes the UI actually displays a circuit after the redirect.Georg KoppenGeorg Koppenhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15491Windows: silent failure if no permission to apply update2020-06-27T14:41:02ZMark SmithWindows: silent failure if no permission to apply updateFor legacy/trac#15201, we disabled the updater code that attempted to use "runas" to gain administrator privileges when the user lacked permission to apply an update. When we tested the fix, no user-visible error was displayed. Ideally, ...For legacy/trac#15201, we disabled the updater code that attempted to use "runas" to gain administrator privileges when the user lacked permission to apply an update. When we tested the fix, no user-visible error was displayed. Ideally, an error message would be displayed (although given the standalone nature of our installation, it is very difficult for this situation to occur).https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15473JS Date object reveals OS type2020-06-27T14:41:02ZArthur EdelsteinJS Date object reveals OS typeCalls like new Date().toLocaleFormat() produce different Date formatting, depending on the platform.
Results from mcs, calling `[new Date().toLocaleFormat(), new Date().toLocaleString()]`:
> Ubuntu:
> `Array [ "Thu 26 Mar 2015 03:43:35...Calls like new Date().toLocaleFormat() produce different Date formatting, depending on the platform.
Results from mcs, calling `[new Date().toLocaleFormat(), new Date().toLocaleString()]`:
> Ubuntu:
> `Array [ "Thu 26 Mar 2015 03:43:35 PM EDT", "3/26/2015, 3:43:35 PM" ]`
> OSX:
> `Array [ "Thu Mar 26 15:38:55 2015", "3/26/2015, 3:38:55 PM" ]`
> Windows 7:
> `Array [ "Thursday, March 26, 2015 3:45:01 PM", "3/26/2015, 3:45:01 PM" ]`https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15472Circuit on circuit display is hardly readable on Xubuntu2020-06-27T14:41:02ZGeorg KoppenCircuit on circuit display is hardly readable on XubuntuThe circuit display is hardly readable if I look at it on an Xubuntu machine. See attached screenshot.The circuit display is hardly readable if I look at it on an Xubuntu machine. See attached screenshot.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15470cannot edit the certificates in Tor browser,2022-06-15T02:49:44ZTraccannot edit the certificates in Tor browser,I still cannot edit the certificates in Tor browser,please fix it as soon as possible!
One more thing: why not consider to delete CNNIC Root in default?
"On Friday, March 20th, we became aware of unauthorized digital certificates for se...I still cannot edit the certificates in Tor browser,please fix it as soon as possible!
One more thing: why not consider to delete CNNIC Root in default?
"On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC "
CNNIC belongs to Chinese government,and China is a totalitarian country.CNNIC Root and other Chinese certificate cannot be trusted by anyone!
**Trac**:
**Username**: dark ghosthttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15460FTP requests are not isolated to first party domain2020-06-27T14:41:02ZGeorg KoppenFTP requests are not isolated to first party domainWhile looking at Torbutton patches Mike committed last night I realized we are not isolating FTP requests to the URL bar domain. This does not only lead to top level FTP requests not showing up in the circuit display but rather to all em...While looking at Torbutton patches Mike committed last night I realized we are not isolating FTP requests to the URL bar domain. This does not only lead to top level FTP requests not showing up in the circuit display but rather to all embedded FTP requests sent over the default circuit. I fear there are quite a number of risks involved in this design that give a malicious website(s) ample chances to correlate user traffic at least.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15456Prevent incremental updates from failing for Linux hackers2022-06-15T02:48:40ZMike PerryPrevent incremental updates from failing for Linux hackersWhile working on Bug legacy/trac#13375, I realized that people who hack up their TBB startup scripts are going to download the full MAR update if the incremental tries to change one of the startup scripts that they have modified. This ma...While working on Bug legacy/trac#13375, I realized that people who hack up their TBB startup scripts are going to download the full MAR update if the incremental tries to change one of the startup scripts that they have modified. This may end up being a waste of bandwidth, depending on how commonly we push updates to these scripts, and how common it is that users modify them.
Originally, I was going to try to sneak this in to 4.5a5, but I am now convinced that it is too risky for an uncertain amount of improvement.
We should instead keep an eye on how often Linux users tend to download the full TBB MAR as opposed to the incremental, and if we notice a spike for instances where we have updated these files, then we should perform this optimization.
We can start by counting the fraction of Linux users download the full MAR for 4.5a5 (where the start-tor-browser script did change) and compare that to the fraction of Linux users who downloaded the full MAR for 4.5a1-4 (where the start-tor-browser script did not change). If there is a huge difference, we can consider trying to deploy this change.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15450Tor Browser should detect CloudFlare's rejection for referenced domains2022-06-15T02:46:59ZTracTor Browser should detect CloudFlare's rejection for referenced domainsSometimes I can access "example.com", but CloudFlare wants captcha for "files.example.com" or "status.example.com". This leads to a broken page without styles, scripts and pictures.
I need to turn on Developer Tools -> Networking in ord...Sometimes I can access "example.com", but CloudFlare wants captcha for "files.example.com" or "status.example.com". This leads to a broken page without styles, scripts and pictures.
I need to turn on Developer Tools -> Networking in order to detect CloudFlare's 403 replies. When I open those domains explicitly and enter the captcha, the original page starts working correctly.
It would be nice to make it more automatic.
Original discussion: https://tor.stackexchange.com/questions/6277
**Trac**:
**Username**: anonymous2https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15448Upgrade go to 1.4.22020-06-27T14:41:03ZDavid Fifielddcf@torproject.orgUpgrade go to 1.4.2We're on 1.3.3 now. Here are the release notes for 1.4.2.
https://golang.org/doc/devel/release.html#go1.4We're on 1.3.3 now. Here are the release notes for 1.4.2.
https://golang.org/doc/devel/release.html#go1.4https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15443decompression bomb2022-06-15T02:46:05ZTracdecompression bombA malicious exit node could inject decompression bombs into most http traffic, and thus cause great annoyance to Tor Browser users. In that regard they're a more severe issue than for Firefox itself, since there's a relatively easy way t...A malicious exit node could inject decompression bombs into most http traffic, and thus cause great annoyance to Tor Browser users. In that regard they're a more severe issue than for Firefox itself, since there's a relatively easy way to affect many users at once.
This is somewhat a duplicate of
https://trac.torproject.org/projects/tor/ticket/1618
**Trac**:
**Username**: ousado