Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
Updated: 2020-06-15T23:37:07Z

Use cdn.tpo in mar files URLs
https://gitlab.torproject.org/legacy/trac/-/issues/19202
Updated: 2020-06-15T23:37:07Z
Author: boklm

We should update tools/update-responses/config.yml to use cdn.tpo for the mar files URLs.

Assignee: boklm

Update Tor Browser release procedure: upload mar files to cdn.tpo
https://gitlab.torproject.org/legacy/trac/-/issues/19201
Updated: 2020-06-15T23:35:28Z
Author: boklm

We need to update the release procedure to add the upload of mar files to cdn.tpo.

Assignee: boklm

Work around gold bug in Tor Browser
https://gitlab.torproject.org/legacy/trac/-/issues/19189
Updated: 2020-06-15T23:35:24Z
Author: Georg Koppen

While bisecting on my Debian box I am always hitting https://bugzilla.mozilla.org/show_bug.cgi?id=1233963. We should backport the fix to include it at least in the alpha series. Given that https://hg.mozilla.org/mozilla-central/rev/1a4c479ec7cd is pretty simple having this one in the stable series as well can't hurt.

Backport popup related ASan crash fix to Tor Browser 6.x
https://gitlab.torproject.org/legacy/trac/-/issues/19187
Updated: 2020-06-15T23:35:23Z
Author: Georg Koppen

It turns out that one of the crashes I found with ASan got already reported a couple of days earlier and fixed on trunk. The security rating indicates that Mozilla won't backport that patch to ESR 45.
But we should do for safety's sake.

Assignee: Georg Koppen

Language packs are not rezipped deterministically
https://gitlab.torproject.org/legacy/trac/-/issues/19176
Updated: 2020-06-15T23:35:22Z
Author: Georg Koppen

My patch for #18915 forgot to use our deterministic zip wrapper and used `zip` directly with foreseeable results.

reinstate the update.xml hash check
https://gitlab.torproject.org/legacy/trac/-/issues/19121
Updated: 2020-06-15T23:35:19Z
Author: Mark Smith

While working on #18912, Kathy and I discovered the following Mozilla change that causes the update.xml hash check to be skipped when signed MAR files are in use (this change shipped in Firefox 43):
https://bugzilla.mozilla.org/show_bug.cgi?id=862173
I think our philosophy is different than Mozilla's and that we probably want to reinstate the hash check. Mike and Georg, do you agree?

Assignee: Mark Smith

Tor Browser icon not visible anymore in upper left corner on Linux since 05/13
https://gitlab.torproject.org/legacy/trac/-/issues/19065
Updated: 2020-06-15T23:35:15Z
Author: Georg Koppen

The nightly build from May 09 is the last one still showing the Tor Browser icon in the upper left corner of browser windows/dialogs. The nightly from May 13 is the first one that just shows a placeholder icon on Linux.

Assignee: Georg Koppen

Disable Heartbeat prompts in Tor Browser
https://gitlab.torproject.org/legacy/trac/-/issues/19047
Updated: 2020-06-16T00:48:56Z
Author: Georg Koppen

https://bugzilla.mozilla.org/show_bug.cgi?id=1196104 implements Heartbeat prompts for PBM. We should make sure this is disabled to not confuse our users.

Investigate CacheStorage feature for tracking usage in Tor Browser
https://gitlab.torproject.org/legacy/trac/-/issues/18995
Updated: 2020-06-15T23:35:06Z
Author: Georg Koppen

In ESR45 we have a new CacheStorage feature that might be usable for tracking users. We should bind it to our cache isolation code if so.
Even though being part of the ServiceWorker spec it is not bound to it. Quoting from comment:8:ticket:18545
```
The API page includes "It provides a master directory of all the named caches that a ServiceWorker, other type of worker or window scope can access (you don't have to use it with service workers, even though that is the spec that defines it) and maintains a mapping of string names to corresponding Cache objects." Also, some of the top-level objects are present in regular DOM windows. See: https://lists.torproject.org/pipermail/tbb-dev/2016-May/000372.html
```

Assignee: Arthur Edelstein

Remove obsolete toolbar button code in torbutton.js
https://gitlab.torproject.org/legacy/trac/-/issues/18980
Updated: 2020-06-15T23:35:04Z
Author: Arthur Edelstein

In #10751, we adapted the torbutton button to the "Australis UI" introduced in ESR31. There's some leftover ESR24 code we marked for later removal -- let's do that.

Remove some FTE bridges
https://gitlab.torproject.org/legacy/trac/-/issues/18976
Updated: 2020-06-15T23:35:03Z
Author: kpdyer

Hello!
The following FTE bridges will soon be permanently going away:
192.240.101.106:80
50.7.176.114:80
[2001:49f0:d002:1::2]:80
[2001:49f0:d00a:1::c]:80
Can you please remove them from Bundle-Data/PTConfigs/bridge_prefs.js? Thanks!

screen.orientation should lie
https://gitlab.torproject.org/legacy/trac/-/issues/18958
Updated: 2020-06-15T23:35:01Z
Author: Mark Smith

For Firefox 43, Mozilla added a new orientation API that includes the unprefixed screen.orientation property and possibly support for onchange events. See:
https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation
https://w3c.github.io/screen-orientation/
Although the patch for #13025 was upstreamed, the implementation of the new API did not carry forward the concept of respecting the privacy.resistFingerprinting pref.

Assignee: Arthur Edelstein

Mac OS: HTTPS-E missing after update
https://gitlab.torproject.org/legacy/trac/-/issues/18951
Updated: 2020-06-15T23:35:00Z
Author: Mark Smith

In the TB 6.0a5 installable packages (dmg files), HTTPS-E is included under TorBrowser.app/Contents/Resources/distribution/extensions as expected. But after completing an incremental update from TB 6.0a4 to 6.0a5, the HTTPS-E extension is missing.

Disable or audit Reader View in ESR 45
https://gitlab.torproject.org/legacy/trac/-/issues/18950
Updated: 2020-06-16T00:49:33Z
Author: Georg Koppen

Firefox ships with a new feature, Reader View (https://support.mozilla.org/en-US/kb/firefox-reader-view-clutter-free-web-pages). We should audit it or disable it for the time being if we don't get to that.

Assignee: Georg Koppen

6.0a5 is not starting on OS X if put into /Applications
https://gitlab.torproject.org/legacy/trac/-/issues/18947
Updated: 2020-06-15T23:34:59Z
Author: Georg Koppen

Nick reported that 6.0a5 on OS X is neither starting after an update nor after being freshly downloaded. The error message is: Tor launcher\n\nTor unexpectedly exited. This might be a bug in Tor itself...
Running "tor.real" from the command line is starting it fine.
After a bit of testing it turned out that putting it on the desktop is working fine, too. Just having it in /Applications produces the bug. I guess this is due to #13252.

Assignee: Mark Smith

Disable monitoring the connected state of Tor Browser users
https://gitlab.torproject.org/legacy/trac/-/issues/18945
Updated: 2020-06-15T23:34:57Z
Author: Georg Koppen

`network.manage-offline-status` should be set to `false` again in order to disable monitoring the connected state of users. (basically enabling the status quo ante).

Assignee: Mark Smith

Mac OS: alpha channel upgrade is not smooth
https://gitlab.torproject.org/legacy/trac/-/issues/18928
Updated: 2020-06-15T23:34:52Z
Author: Mark Smith

On Mac OS, when I upgrade to Tor Browser 6.0a5 from an older version, it does not go well. After applying the MAR update and restarting, tor is not started and Tor Launcher displays this error:
Unable to start tor
The Tor executable is missing
Quitting and restarting a second time seems to fix the problem.

Omnibox in a non-english Tor Browser has no Disconnect.me as search engine in 6.0a5
https://gitlab.torproject.org/legacy/trac/-/issues/18915
Updated: 2020-06-15T23:42:29Z
Author: Georg Koppen

We lost Disconnect.me as search engine somehow in our non-en-US bundles. Seems #11236 is showing its ugly head again (see comment 9 and https://bugzilla.mozilla.org/show_bug.cgi?id=1126722). Sad that our test suite is broken by the transition to ESR45 as well otherwise we would have caught this one earlier (too) :/

Assignee: Georg Koppen

Consider removing <isindex>
https://gitlab.torproject.org/legacy/trac/-/issues/18914
Updated: 2020-06-15T23:34:49Z
Author: Mark Smith

Mozilla is thinking about removing support for <isindex> HTML element. References:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/isindex
https://groups.google.com/forum/#!topic/mozilla.dev.platform/DV3YBf7wI3M and
https://bugzilla.mozilla.org/show_bug.cgi?id=1266495
The reason we might want to do this for TB 6.0 is that <isindex> generates a form that has a label that contains text that comes from the browser's UI locale (thus leaking that information).
There is a risk that some sites are using this tag.

add automated tests for updater cert pinning
https://gitlab.torproject.org/legacy/trac/-/issues/18912
Updated: 2020-06-16T00:44:08Z
Author: Mark Smith

This is a spinoff of #17442. We want to add automated tests to ensure that we notice if Mozilla changes something that breaks the updater cert pinning.

Assignee: Mark Smith