The Tor Project issueshttps://gitlab.torproject.org/groups/tpo/-/issues2022-11-29T13:06:08Zhttps://gitlab.torproject.org/tpo/core/arti/-/issues/614reproducible builds often fail2022-11-29T13:06:08Ztrinity-1686areproducible builds often failJobs for reproducible builds such as [#192100](https://gitlab.torproject.org/tpo/core/arti/-/jobs/192100) quiet often fail lately. Sometime it's successful when running on runners with very large /dev/shm
It looks like the increase in /...Jobs for reproducible builds such as [#192100](https://gitlab.torproject.org/tpo/core/arti/-/jobs/192100) quiet often fail lately. Sometime it's successful when running on runners with very large /dev/shm
It looks like the increase in /dev/shm space requested in tpo/tpa/gitlab#110 is no longer enough. Back then we requested around 384MiB of shm, right now it looks like we actually need 451.1MiB.
Options are:
- to ask TPA to make shm even bigger
- to be more selective on what we put there (we actually need the source of 2, maybe 3 dependencies, not every single one)
- finally figure out the actual reason why builds are reproducible when building of tmpfs, but not from other filesystem, and try to fix the underlying issue.
- ?trinity-1686atrinity-1686ahttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/27987Screenshot functionality is not changed when togglig 'Allow screenshots' unti...2022-11-29T13:06:39ZTracScreenshot functionality is not changed when togglig 'Allow screenshots' until after app restartI believe it's set by default and there's no way to disable it. Problem is it blocks things like being able to take screenshots, be nice if I could just decide if I want flag_secure enabled or not via a setting rather than have to have a...I believe it's set by default and there's no way to disable it. Problem is it blocks things like being able to take screenshots, be nice if I could just decide if I want flag_secure enabled or not via a setting rather than have to have a different browser on my device that doesn't use it.
**Trac**:
**Username**: carbuncleo
---
**EDIT**: We have added a toggle but it requires an app restart which is not indicated in the apphttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30604Describe why Tor Browser requests each permission on Android2022-11-29T13:07:02ZMatthew FinkelDescribe why Tor Browser requests each permission on AndroidTor Browser requests a few "risky" permissions, we should describe how each of them is used. This is especially important information for people on older Android devices where permissions are not optional (they must allow all permissions...Tor Browser requests a few "risky" permissions, we should describe how each of them is used. This is especially important information for people on older Android devices where permissions are not optional (they must allow all permissions at installation time or they don't install the app).
I'll start with Google Play, but we should add this information on our website (and F-Droid, in the future), too.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/29839Include Tor Browser data from F-Droid2022-11-29T13:07:09ZMatthew FinkelInclude Tor Browser data from F-DroidNote: This is currently blocking on #27539. When that is complete, re-assign this to Metrics->Website. In addition, we should understand if this is possible before reassigning this ticket.
----
Similar to legacy/trac#29837, we should in...Note: This is currently blocking on #27539. When that is complete, re-assign this to Metrics->Website. In addition, we should understand if this is possible before reassigning this ticket.
----
Similar to legacy/trac#29837, we should include statistics on Tor Browser on Android from F-Droid. How/if we can obtain this data remains an open question.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/33876Back Button on Tor Browser Android Closes App When Log is Open2022-11-29T13:08:24ZTracBack Button on Tor Browser Android Closes App When Log is OpenThis is a small UX quirk that can frustrate/confuse new users, especially those who are unfamiliar with Tor and are curious about the log. When you open the log in Tor Browser on Android it fills up the entire screen and if the user pres...This is a small UX quirk that can frustrate/confuse new users, especially those who are unfamiliar with Tor and are curious about the log. When you open the log in Tor Browser on Android it fills up the entire screen and if the user presses the back button on their device the app will close. Generally when a screen is filled on Android pressing back takes you to the previous screen. I think little things could instill distrust in newer users.
This issue used to exist in Orbot a few years ago https://github.com/guardianproject/orbot/pull/139
I apologize if this isn't the correct spot to report this. I'm new to trac, and am open to feedback if there's a better spot to file this :) Also, I've implemented a fix and I'm still figuring out where to push my code and put it up for review... <3
**Trac**:
**Username**: bimhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40972Circuit display - UI bug - Long v3 name2022-11-29T13:29:16ZAntonelaantonela@torproject.orgCircuit display - UI bug - Long v3 nameJust found this
https://trac.torproject.org/projects/tor/attachment/ticket/24309/VirtualBox_-linux-test_06_06_2018_20_35_03.png
testing
https://people.torproject.org/~gk/testbuilds/user_testing_antonela2/tor-browser-linux64-tbb-nigh...Just found this
https://trac.torproject.org/projects/tor/attachment/ticket/24309/VirtualBox_-linux-test_06_06_2018_20_35_03.png
testing
https://people.torproject.org/~gk/testbuilds/user_testing_antonela2/tor-browser-linux64-tbb-nightly_en-US.tar.xz
Can we use the v3 address in two lines?
https://trac.torproject.org/projects/tor/attachment/ticket/24309/060618-1.pnghttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41253Include compile instructions in our tor-android-service repo2022-11-29T13:38:38ZGeorg KoppenInclude compile instructions in our tor-android-service repoThe `README.md` file in `tor-android-service` says currently
```
# tor-android-service
Android Service For Intalling and Running Tor
```
. We should be a bit more verbose to help others using this new tool and getting it built outside of...The `README.md` file in `tor-android-service` says currently
```
# tor-android-service
Android Service For Intalling and Running Tor
```
. We should be a bit more verbose to help others using this new tool and getting it built outside of Tor Browser.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40976On macOS a list of downloaded files is kept on disk and survives New Identity2022-11-29T13:39:51ZGeorg KoppenOn macOS a list of downloaded files is kept on disk and survives New IdentityOn macOS a list of downloaded files is kept and survives New Identity. It might affect other platforms, too:
```
Mac [...] keeps a list of all the downloaded files. From which app(browser) and which website.
Location:
sqlite3 ~/Library/...On macOS a list of downloaded files is kept and survives New Identity. It might affect other platforms, too:
```
Mac [...] keeps a list of all the downloaded files. From which app(browser) and which website.
Location:
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select * from LSQuarantineEvent’
52FA128A-42E1-41E6-A0DD-5A58FB21ED7A|550679062.0|org.torproject.torbrowser|TorBrowser.app|https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSP6KTk9o7luHrlg5CoeGFLiH2RpKwEcywcgdDeVQpciZzytjaafDzkKL0v|||0||https://www.google.com/search?q=snowmountains&tbm=isch&sa=G&gbv=1&sei=h3oiW_DkC8yFgAadrJLQBQ|
```Sponsor 131 - Phase 2 - Privacy Browserhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/8916Windows Prefetch records the Tor Browser Bundle2022-11-29T13:45:46ZRuna SandvikWindows Prefetch records the Tor Browser BundleA forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on Windows 7 showed that the Windows Prefetcher keeps records of the different Tor Browser Bundle applications:
* C:\Windows\Prefetch\START TOR BROWSER.EXE-F5557F...A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on Windows 7 showed that the Windows Prefetcher keeps records of the different Tor Browser Bundle applications:
* C:\Windows\Prefetch\START TOR BROWSER.EXE-F5557FAC.pf
* C:\Windows\Prefetch\TBB-FIREFOX.EXE-350502C5.pf
* C:\Windows\Prefetch\TOR-BROWSER-2.3.25-6\_EN-US.EX-1354A499.pf
* C:\Windows\Prefetch\TOR.EXE-D7159D93.pf
* C:\Windows\Prefetch\VIDALIA.EXE-5167E0BC.pf
The following cache files are most likely similar to prefetch files and might contain traces of the Tor Browser Bundle:
* C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
* C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
* C:\Windows\AppCompat\Programs\RecentFileCache.bcfhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16819Separation of Tor Daemon + SELinux integration within (TBB)2022-11-29T13:49:34ZcypherpunksSeparation of Tor Daemon + SELinux integration within (TBB)SELinux profiles for isolating the browser and the tor daemon of TBB is an important security feature that should be in place.SELinux profiles for isolating the browser and the tor daemon of TBB is an important security feature that should be in place.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17156When Tor Browser is being launched on macOS, the menubar quit menu item doesn...2022-11-29T13:50:06ZteorWhen Tor Browser is being launched on macOS, the menubar quit menu item doesn't workWhen Tor Browser is launching on OS X (and Tor Launcher is the only window on screen), and I select the menubar Tor Browser quit menu item, it doesn't work. The Dock menu quit item works. The Tor Browser quit menu item works once it has ...When Tor Browser is launching on OS X (and Tor Launcher is the only window on screen), and I select the menubar Tor Browser quit menu item, it doesn't work. The Dock menu quit item works. The Tor Browser quit menu item works once it has finished launching.
This is a particular issue when Tor Browser is having trouble connecting to the network, and I use command-Q to quit it, and it doesn't work.
This happens on Tor Browser 5 and 5.5.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18780Windows' numeric keyboard characters enter doesn't work.2022-11-29T13:53:49ZTracWindows' numeric keyboard characters enter doesn't work.Just tried to enter some extended characters into textarea using numeric keyboard as Windows allows it: pressing left Alt and typing char code, like: Alt-0151 enters m-dash, Alt-0171 for left double arrow quote, Alt-0187 for right quote,...Just tried to enter some extended characters into textarea using numeric keyboard as Windows allows it: pressing left Alt and typing char code, like: Alt-0151 enters m-dash, Alt-0171 for left double arrow quote, Alt-0187 for right quote, etc. No character appeared. But typing into location field does actually work, and I can type those chars in there and paste them into text fields and textareas in pages opened in TB.
Is this an intentional measure or a bug? Found two tickets possibly related to this: legacy/trac#16678, legacy/trac#15646.
OS: Windows 8
Tor Browser: 5.5.4
**Trac**:
**Username**: Unchquahttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21034Per site security settings?2022-11-29T14:01:13ZArthur EdelsteinPer site security settings?It would be useful (and perhaps safer) to have per-site security settings rather than browser-wide security settings. Also we might want to enforce different security settings for http vs https.
In Firefox 52, with e10s enabled, perhaps...It would be useful (and perhaps safer) to have per-site security settings rather than browser-wide security settings. Also we might want to enforce different security settings for http vs https.
In Firefox 52, with e10s enabled, perhaps we can use separate content processes for every first-party and apply different security settings prefs separately to each one.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22642TorBrowser 7.x Mac - Disable kMDItemWhereFroms extended attributes at least i...2022-11-29T14:13:04ZcypherpunksTorBrowser 7.x Mac - Disable kMDItemWhereFroms extended attributes at least in Private Browsing ModeIn late 2016, Mozilla developers implemented kMDItemWhereFroms extended attribute metadata on macOS to behave more like Safari (however Safari, rather surprisingly for Apple, doesn't write xattrs in private browsing).
When files are do...In late 2016, Mozilla developers implemented kMDItemWhereFroms extended attribute metadata on macOS to behave more like Safari (however Safari, rather surprisingly for Apple, doesn't write xattrs in private browsing).
When files are downloaded, Firefox (v51+) writes the URL of downloaded files to a kMDItemWhereFroms entry in the file's extended attribute, even in Private Browsing mode. This metadata can be viewed using "xattr -l <file>" and removed using "xattr -rc <file>", but on later versions of 10.12 this metadata is usually also written to ~Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
I plan to file a bug on bugzilla and ask the devs who implemented it whether they could add an about:config pref or disable the functionality in private browsing, but in case they don't respond, I thought I'd file a ticket here too since TorBrowser is now on v52ESR.
Here's the bugzilla bug where the developers originally implemented the kMDItemWhereFroms functionality.
https://bugzilla.mozilla.org/show_bug.cgi?id=337051https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40220Close stale connections in standalone proxy2022-11-29T14:20:34ZCecylia BocovichClose stale connections in standalone proxyWe've received several reports (#40211) of standalone proxies that have long-lived connections with clients but zero bytes transferred. The browser-based snowflake proxies (i.e., the web extension and badge) have a [timeout in place to c...We've received several reports (#40211) of standalone proxies that have long-lived connections with clients but zero bytes transferred. The browser-based snowflake proxies (i.e., the web extension and badge) have a [timeout in place to close stale connections](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/blob/29a4cc6e0970f2e10ed610b8ae8449eafe75472c/proxypair.js#L163) after [30 seconds](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/blob/29a4cc6e0970f2e10ed610b8ae8449eafe75472c/config.js#L38) of inactivity. This aligns with a [client-side timeout](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/ac8562803ab9621d037bd1b3710c59799c7aa6d5/client/lib/snowflake.go#L49) that closes stale connections to proxies after 20s of inactivity.
It's possible that the long-lived connections these standalone proxies are seeing are from clients not using our snowflake client code. Or that the client-side closures are not being received by the proxies. In any case, we should add an inactivity timeout to the standalone proxies to try and clean up these connections and free up resources in a similar way that the browser-based proxies do.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41471Update targetSdkVersion to 312022-11-29T14:22:33ZrichardUpdate targetSdkVersion to 31Google decided to require a newer SDK then before:
- https://developer.android.com/google/play/requirements/target-sdk
We currently target SDK 30 according to the dashboard, and we need to upgrade to SDK 31.
This blocks Android releas...Google decided to require a newer SDK then before:
- https://developer.android.com/google/play/requirements/target-sdk
We currently target SDK 30 according to the dashboard, and we need to upgrade to SDK 31.
This blocks Android release on Google play.
According to the docs the magic thing to change is: `targetSdkVersion`Sponsor 131 - Phase 3 - Major ESR 102 Migrationhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/24950"Restrict third party cookies and other tracking data" enabled = disables exc...2022-11-29T14:24:57ZTrac"Restrict third party cookies and other tracking data" enabled = disables exceptions list for popupsOptions -> Privacy -> Restrict third party cookies and other tracking data
When enabled, popup blocker ignores exceptions list and blocks popups from all websites.
**Trac**:
**Username**: vanowmOptions -> Privacy -> Restrict third party cookies and other tracking data
When enabled, popup blocker ignores exceptions list and blocks popups from all websites.
**Trac**:
**Username**: vanowmSponsor 131 - Phase 5 - Ongoing Maintenancehttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/25917TBA - Audit Suggested Site2022-11-29T14:27:13ZMatthew FinkelTBA - Audit Suggested SiteOn Desktop, we don't have any suggested sites. Orfox currently shows:
- Check
- tp.o
- guardianproject.info
- Facebook Onion
I'm hesitant about us being in the position of promoting some sites (and specifically onion sites) over others....On Desktop, we don't have any suggested sites. Orfox currently shows:
- Check
- tp.o
- guardianproject.info
- Facebook Onion
I'm hesitant about us being in the position of promoting some sites (and specifically onion sites) over others. However, if we keep Facebook here, then maybe we should add/replace others. NYT? ProPublica? It's easy for us to start down this path, but I'm not sure we'll like where this will take us. That being said, this is the easiest way we can promote using onion sites over internet TLDs, especially on mobile.
Firefox on Android current shows:
- Facebook
- Youtube
- Amazon
- Wikimedia
- Twitter
Note, this is different from about:tor. These sites are shown when the user clicks on the URL bar.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26080torbrowser 7.5.4 update seems to generate file with unique uuid in it2022-11-29T14:28:02Zcypherpunkstorbrowser 7.5.4 update seems to generate file with unique uuid in itupdating from 7.5.3 to 7.5.4 on linux seems to include a file named '.uuid' in the fonts dir that appears to be unique (comparing two different updated torbrowsers)updating from 7.5.3 to 7.5.4 on linux seems to include a file named '.uuid' in the fonts dir that appears to be unique (comparing two different updated torbrowsers)Sponsor 131 - Phase 2 - Privacy Browserhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26419TBA - Evaluate Android Intent Referrers2022-11-29T14:30:56ZMatthew FinkelTBA - Evaluate Android Intent ReferrersCurrently Fennec listens for the installation referrer `com.android.vending.INSTALL_REFERRER`. This is used for tracking installations (source of install, when it was installed, etc). We probably do not want this.
See `mobile/android/ba...Currently Fennec listens for the installation referrer `com.android.vending.INSTALL_REFERRER`. This is used for tracking installations (source of install, when it was installed, etc). We probably do not want this.
See `mobile/android/base/java/org/mozilla/gecko/distribution/ReferrerReceiver.java` and (proxied) network calls in `mobile/android/base/java/org/mozilla/gecko/distribution/Distribution.java`