The Tor Project issueshttps://gitlab.torproject.org/groups/tpo/-/issues2023-08-30T15:20:06Zhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41862Old torbutton + torlauncher prefs cleanup2023-08-30T15:20:06ZPier Angelo VendrameOld torbutton + torlauncher prefs cleanupWith the torbutton and torlauncher cleanup, we could need to delete user preferences that aren't used anymore and could leak old habits.With the torbutton and torlauncher cleanup, we could need to delete user preferences that aren't used anymore and could leak old habits.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22137Provide the same scrollbar size across different platforms + versions (and su...2023-11-04T00:31:22ZGeorg KoppenProvide the same scrollbar size across different platforms + versions (and subpixel entropy)Scrollbar sizes are different on different platforms. But it seems that there are ways to split the Linux users into different buckets based on that: On a Debian Stretch system with XFCE I get 15px thickness on an Ubuntu 14.04 system wit...Scrollbar sizes are different on different platforms. But it seems that there are ways to split the Linux users into different buckets based on that: On a Debian Stretch system with XFCE I get 15px thickness on an Ubuntu 14.04 system with GNOME I get 13px thickness.
A test can be found on http://www.hackerfactor.com/blog/index.php?/archives/761-Exploiting-the-TOR-Browser.html.
One option mentioned in that blog post would be to provide 17px on all platforms.Sponsor 131 - Phase 3 - Major ESR 102 Migrationhenryhenryhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41486WebRTC bugs/issues/broken features2023-06-01T17:13:52ZMarco SimonelliWebRTC bugs/issues/broken featuresMain ticket to track issues with WebRTC functionality/testsMain ticket to track issues with WebRTC functionality/testsSponsor 131 - Phase 2 - Privacy Browserhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41656Site info panel for internal pages is misaligned vs the identity block2023-06-01T17:13:43ZdonutsSite info panel for internal pages is misaligned vs the identity blockSee this screenshot for reference:
![identity-block-internal-resource](/uploads/4833fe0b4d0eaf339fb485b3489bb25b/identity-block-internal-resource.png)
It should be aligned to the left of the identity block instead. Curiously, this seems to only be affecting internal pages – and external pages are fine.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40057ensure that CSS4 system colors are not a fingerprinting vector2023-06-01T17:13:29ZMark Smithensure that CSS4 system colors are not a fingerprinting vectorFrom #33534: Firefox 76 added support for CSS4 system colors. It looks like these were not added to https://searchfox.org/mozilla-central/source/widget/nsXPLookAndFeel.cpp#534 (`GetStandinForNativeColor()`). We should test the behavior a...From #33534: Firefox 76 added support for CSS4 system colors. It looks like these were not added to https://searchfox.org/mozilla-central/source/widget/nsXPLookAndFeel.cpp#534 (`GetStandinForNativeColor()`). We should test the behavior and consider updating the system colors to Windows 10 and MacOS 10.10.x.
https://bugzilla.mozilla.org/show_bug.cgi?id=1590894 \
"Need to support CSS4 system colors"Sponsor 131 - Phase 2 - Privacy BrowserDan BallardDan Ballardhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40569Should we exclude more remote settings?2023-06-01T17:13:19ZMatthew FinkelShould we exclude more remote settings?Mozilla added a some more (`services/settings/dumps/main/moz.build`).Mozilla added a some more (`services/settings/dumps/main/moz.build`).Sponsor 131 - Phase 2 - Privacy Browserhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41744Scheme Flood attack still possible2023-06-01T16:57:48ZTom Rittertom@ritter.vgScheme Flood attack still possibleI applied the patch posted to https://bugzilla.mozilla.org/show_bug.cgi?id=1711084 but it didn't resolve the issue.
Original MR: https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/138https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40926Make use of the Drone CI public GPG key for Mullvad Browser sha256sum verific...2023-11-02T10:47:48ZjbjorkangMake use of the Drone CI public GPG key for Mullvad Browser sha256sum verificationThe GPG public key for Drone, [located here](https://se-got-releases-001.devmole.eu/hashes/public-keys/) should be used in place of any other public GPG keys for verification of the hashes uploaded.The GPG public key for Drone, [located here](https://se-got-releases-001.devmole.eu/hashes/public-keys/) should be used in place of any other public GPG keys for verification of the hashes uploaded.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40912Update mar-tools version in tools/signing/nightly/config.yml and projects/mar...2023-08-21T16:58:30ZboklmUpdate mar-tools version in tools/signing/nightly/config.yml and projects/mar-tools/configAfter a version including #40829 has been released (changing the
filename of mar-tools zip), we should update the `martools_version` in
`tools/signing/nightly/config.yml`, and checkout the new commit on
`tbb-nightlies-master.torproject.org`.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41788investigate `ui.textScaleFactor` + `browser.display.os-zoom-behavior`2023-11-01T20:55:24ZThorininvestigate `ui.textScaleFactor` + `browser.display.os-zoom-behavior`pretty sure it landed in FF102
- FF104: [1777902](https://bugzilla.mozilla.org/show_bug.cgi?id=1777902) don't change the size of system fonts when ui.textScaleFactor is set
- something to read : https://www.askvg.com/fix-ui-scaling-and-large-fonts-issues-in-firefox-103-and-later-versions/#problem_solution
I don't know the reason or purpose behind this, or `browser.display.os-zoom-behavior` ... just another couple of variables to go with default zoom, zoom text, system scaling, dpi, device pixel ratio, layout.css.devPixelsPerPx
I tested it in FF and it affects newwin e.g. at 110 it opens larger but the inner windows (sans LBing) is out by many pixels. I didn't test LBing, sorry, just making a quick issue to follow up on in alpha 13 - when we can use @ma1 's patches
Without wanting to hamper accessibility, I think we need to look at locking most of these down - IIUIC users should be using system scalinghttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41789A lot amount NS_ERROR_NOT_AVAILABLE exception when the Browser Console window...2023-06-09T12:03:02ZcypherpunksA lot amount NS_ERROR_NOT_AVAILABLE exception when the Browser Console window is opening and use the NewIdentity function.A lot amount NS_ERROR_NOT_AVAILABLE exception when the Browser Console window is opening and use the NewIdentity function.
reproduce:
1. First open the Browser Console window(Ctrl+Shift+J)(this step is important, otherwise you just see a very few errors(I don't know whether those very few errors are important or nothing)) and input the 'newidentity' to the filter box.
2. Use the NewIdentity function, you can see a few NS_ERROR_NOT_AVAILABLE errors.
3. Again use the NewIdentity function you can see obvious more NS_ERROR_NOT_AVAILABLE errors.
Environment information: 12.0.6 (based on Mozilla Firefox 102.11.0esr) (32-bit) Linux Safest Level.
Error information:
``` [Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow]" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: resource://devtools/server/actors/targets/window-global.js :: get window :: line 422" data: no] window-global.js:422:5 ```https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41767TTP-02-002 WP1: Redirect prevents switching to new Tor Circuit (Info)2024-03-12T12:05:59ZrichardTTP-02-002 WP1: Redirect prevents switching to new Tor Circuit (Info)>>>
## Description:
It was discovered that navigation initiated through the new Tor Circuit feature can be hijacked. This can be accomplished by redirecting the current website to a cached page immediately after the Tor Circuit switch starts. As a result, the attacker-initiated navigation occurs before the Tor Circuit's browser-initiated navigation and, subsequently, the next step is canceled.
An attacker could exploit this vulnerability to prevent users from switching circuits while browsing a malicious webpage. Although this prevents the user from changing their Tor Circuit, it was concluded that this does not pose any immediate security risk, and as such, the severity mark was appropriately set at Info.
## PoC:
```html
<?php header("cache-control: max-age=604800");
header("Age: 100"); ?>
<html>
<script>
  let status = false;
  onbeforeunload = () => {
    status = true;
  }
  let timer = setInterval(() => {
    if (status) {
      status = false;
      clearInterval(timer);
      location.href = location.href;
    }
  }, 1);
</script>
</html>
```
## Steps to reproduce:
1. Open the Tor Browser and connect to it.
2. Save the PoC above as a PHP file and serve it through a PHP server.
3. Access the file a few times through the Tor Browser to make sure it gets cached by the browser.
4. Click on the **Tor Circuit** button and then on the **New Tor circuit for this site** option.
5. The page will quickly be reloaded but the Circuit will remain the same.
To mitigate this issue, Cure53 advises forcing the navigation initiated by the new **Tor Circuit** feature to be completed. Cancellation of a user-initiated navigation is ill-advised in this scenario. However, during the testing phase, the team was unable to pinpoint the specific code responsible for this issue. As a result, the mitigation advice provided is currently incomplete.
>>>https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41768TTP-02-005 WP1: Redirect to about:blank hides the new Tor Circuit button (Info)2023-10-19T14:33:23ZrichardTTP-02-005 WP1: Redirect to about:blank hides the new Tor Circuit button (Info)>>>
## Description:
It is possible to hide the **Tor Circuit** button from the address bar for a given tab by listening to the `onbeforeunload` event and redirecting the page to `about:blank` when the event is triggered.
If a user attempts to reset their identity by clicking on the **New Tor circuit for this site** option, the navigation can be hijacked by the attacker's script. A blank page will be displayed as a consequence. If the user attempts to navigate back to the previous page using the Back button, the **Tor Circuit** button will not be displayed in the address bar.
Similarly to [TTP-02-002](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41767), this issue was found not to pose any immediate security risk and is included as **Info** only.
## PoC:
```html
<script>
  let status;
  onbeforeunload = () => {
    status = true;
  }
  let timer = setInterval(() => {
    if (status) {
      status = false;
      clearInterval(timer);
      location = "about:blank";
    }
  }, 1);
</script>
```
## Steps to reproduce:
1. Open the Tor Browser and connect to it.
2. Save the PoC above as an HTML file and open it in the browser.
3. Click on the **Tor Circuit** button and then on the **New Tor circuit for this site** option.
4. The page will be redirected to `about:blank`.
5. Click on the **Back** option and observe that the **Tor Circuit** button is hidden for this page.
To mitigate this issue, Cure53 advises applying the same mitigation as specified in the [TTP-02-002](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41767) ticket. Given these issues seem to be related and they might share the same root cause, it is recommended to consider and address them together.
>>>https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41769TTP-02-007 WP1: Missing about: pages in shouldShowTorConnect check (Info)2023-10-19T14:31:53ZrichardTTP-02-007 WP1: Missing about: pages in shouldShowTorConnect check (Info)>>>
## Description:
It was discovered that the `about:welcome`, `about:privatebrowsing`, and `about:home` pages are not redirecting to `about:tor` when they are accessed by a user who has not connected to Tor yet.
While this behavior does not present any immediate security risk, it can potentially cause confusion or alarm users who may access these pages before being connected to the Tor network. To ensure consistency across all about: pages, it is recommended to deploy relevant changes.
## Affected file:
`browser/base/content/utilityOverlay.js`
## Affected code:
```javascript
if (TorConnect.shouldShowTorConnect) {
  if (
    url === "about:tor" ||
    (url === "about:newtab" &&
      Services.prefs.getBoolPref("browser.newtabpage.enabled", false))
  ) {
    url = TorConnect.getRedirectURL(url);
  }
}
```
In order to reproduce this issue, simply open the Tor Browser, access `about:home` and
note that the page does not perform an automated redirection to `about:tor`.
To mitigate the problem, Cure53 advises including additional checks to validate whether
the URL matches `about:welcome`, `about:privatebrowsing` or `about:home`. If a match is
found, the page should be redirected to `about:tor`.
>>>henryhenryhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41754Consider enabling the profile migration (or disabling it only for TBB)2023-06-01T16:47:01ZPier Angelo VendrameConsider enabling the profile migration (or disabling it only for TBB)Resetting profile is not possible at the moment, neither in Tor Browser, nor in Mullvad Browser.
The reason is that profile migration has been disabled in #41577.
This is something that has been there forever in macOS, and then I've decided to move it to the main repository (which was a better plan than keeping it in a `.ini` file, I've found immediately why the profile reset was not an option anymore in about:support).
My idea was that for a privacy point of view, not mixing browsers was a good idea, so I didn't deep the reasons on why profile migration was disabled in the first place.
I think I didn't ask ~UX opinion, and that was an error on my side.
A better solution would be to look for the problems that macOS had in the first place and/or build with this option changed.
Probably, ~"Sponsor 131" work improved the situation with the profile management also for Tor Browser, and it should be able to deal with multi profiles, too (apart from the tor daemon management, which Arti will fix).
I expect profile reset to work, too, since NoScript is also in the distribution directory (and should be available to new profiles; I recall trying and having success).https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41760Check if we need multi-locales also on Android for 1282023-09-19T15:57:53ZPier Angelo VendrameCheck if we need multi-locales also on Android for 128`mobile/android/gradle/with_gecko_binaries.gradle` (a file we change) now includes some references to the multi-locale repack.
We should check if for any reason we need to enable it also for GeckoView.https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/30Enable WideVine DRM2023-06-01T16:38:55ZrichardEnable WideVine DRMhttps://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/31Proxy Remote Settings2023-06-01T16:38:52ZrichardProxy Remote SettingsWe're going to disable most of the Remote Settings, but keep eTLD and revoked certs. Mullvad will want to proxy the Mozilla endpoints for these so that Mozilla doesn't get Mullvad user's metadata.We're going to disable most of the Remote Settings, but keep eTLD and revoked certs. Mullvad will want to proxy the Mozilla endpoints for these so that Mozilla doesn't get Mullvad user's metadata.https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/100In `Settings` page, the responsiveness is broken2023-06-01T16:38:49ZruihildtIn `Settings` page, the responsiveness is broken- Connect to a Mullvad proxy through the Mullvad Browser Extension (only available when connected to Mullvad VPN)
- Go to the browser `Settings`, then scroll down to the `Network Settings`
- the text `Mullvad Browser Extension controls how Firefox Developer Edition connects to the internet.` is pushing the `Settings`. Responsiveness is broken (see screenshot below) and a horizontal scrollbar appears.
Left Mullvad Browser | Right Firefox Developer
![image](/uploads/7b906ce3b66d9a80293ae8b93060ea8b/image.png)https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/106Create a CSS with branding colors/palette2023-06-01T16:38:44ZPier Angelo VendrameCreate a CSS with branding colors/paletteWe should create one or more CSS with the branding colors/palette of Mullvad Browser (that isn't the CSS we have for theme colors).
This might help to make sure we are consistent in all our colors (e.g., between the homepage and the about dialog, etc etc).