Trac issueshttps://gitlab.torproject.org/legacy/trac/-/issues2020-06-15T23:33:58Zhttps://gitlab.torproject.org/legacy/trac/-/issues/18560WEBGL_debug_renderer_info extension may leak information about graphics driver2020-06-15T23:33:58ZGeorg KoppenWEBGL_debug_renderer_info extension may leak information about graphics driverhttps://bugzilla.mozilla.org/show_bug.cgi?id=1171228 has made this available to content but it is still preffed off on release channels (`webgl.enable-debug-renderer-info` is set to `false`). We should keep an eye on that when switching ...https://bugzilla.mozilla.org/show_bug.cgi?id=1171228 has made this available to content but it is still preffed off on release channels (`webgl.enable-debug-renderer-info` is set to `false`). We should keep an eye on that when switching to ESR 52https://gitlab.torproject.org/legacy/trac/-/issues/20866OpenGL software rendering is broken on certain Linux systems.2020-06-15T23:39:52ZYawning AngelOpenGL software rendering is broken on certain Linux systems.Software rendering with modern Mesa uses [llvmpipe](http://www.mesa3d.org/llvmpipe.html), and thus depends on `libLLVM`.
Depending on which version of the `libstdc++` the system's `libLLVM` was compiled against, the software rendering D...Software rendering with modern Mesa uses [llvmpipe](http://www.mesa3d.org/llvmpipe.html), and thus depends on `libLLVM`.
Depending on which version of the `libstdc++` the system's `libLLVM` was compiled against, the software rendering DRI module (`swrast_dri.so`) can fail to load, because Tor Browser includes `libstdc++.so.6` as part of the bundle (and in the `LD_LIBRARY_PATH`).
Snipped strace output, with a bunch of env vars set:
```
Tor/libstdc++.so.6: version `GLIBCXX_3.4.22' not found (required by /usr/lib/libLLVM-3.9.so))
```
This is non-fatal, but webGL will be broken on those systems.https://gitlab.torproject.org/legacy/trac/-/issues/21863Ensure proxy safety on Android2020-06-15T23:42:32ZGeorg KoppenEnsure proxy safety on AndroidMike mentions in #21625:
```
Android stuff that definitely leaks that we should fix (missing proxy params to HttpUrlConnection - these need to use the buildHttpConnection helper to get a proxy):
* mobile/android/base/java/org/mozilla/ge...Mike mentions in #21625:
```
Android stuff that definitely leaks that we should fix (missing proxy params to HttpUrlConnection - these need to use the buildHttpConnection helper to get a proxy):
* mobile/android/base/java/org/mozilla/gecko/feeds/FeedFetcher.java
* mobile/android/base/java/org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java
* mobile/android/base/java/org/mozilla/gecko/search/SearchEngineManager.java
* mobile/android/thirdparty/com/keepsafe/switchboard/SwitchBoard.java
```
Blocker of releasing TBA.Matthew FinkelMatthew Finkelhttps://gitlab.torproject.org/legacy/trac/-/issues/24553Re-enable Alternate Services2020-06-16T00:50:46ZArthur EdelsteinRe-enable Alternate ServicesMozilla patched Alternate Services (Alt-Svc) to have first-party isolation:
https://bugzilla.mozilla.org/1334690, effective Firefox 54. We disabled Alt-Svc , but in TBB/ESR59 we can potentially re-enable it.
We also need to examine if t...Mozilla patched Alternate Services (Alt-Svc) to have first-party isolation:
https://bugzilla.mozilla.org/1334690, effective Firefox 54. We disabled Alt-Svc , but in TBB/ESR59 we can potentially re-enable it.
We also need to examine if there are other related headers or mechanisms that could act as supercookie vectors. (Patrick McManus mentioned alt-used as a possibility.) If there are, then those need to be isolated as well.https://gitlab.torproject.org/legacy/trac/-/issues/24631Update Tor Browser toolchains for ESR 602020-06-16T00:42:52ZGeorg KoppenUpdate Tor Browser toolchains for ESR 60This is the tracking bug for the toolchain updates for the next ESR.This is the tracking bug for the toolchain updates for the next ESR.https://gitlab.torproject.org/legacy/trac/-/issues/24918Help users finding the new circuit display2020-06-16T00:43:18ZGeorg KoppenHelp users finding the new circuit displayWe plan to improve and move the circuit display in #24309. In order to help the users getting accustomed to this change we need to implement some guidance into Tor Browser. The work for that both UX and coding-wise is tracked in this bug.We plan to improve and move the circuit display in #24309. In order to help the users getting accustomed to this change we need to implement some guidance into Tor Browser. The work for that both UX and coding-wise is tracked in this bug.https://gitlab.torproject.org/legacy/trac/-/issues/25695Activity 5.1: Redesign Tor Browser homepage ("about:tor") - create an user on...2020-06-16T00:48:43ZIsabela FernandesActivity 5.1: Redesign Tor Browser homepage ("about:tor") - create an user onboard**Redesign Tor Browser homepage ("!about:tor") to inform users about various Tor features and settings they can use to customize their experience.**
We are not taking advantage of the best opportunity to educate users about Tor’s featur...**Redesign Tor Browser homepage ("!about:tor") to inform users about various Tor features and settings they can use to customize their experience.**
We are not taking advantage of the best opportunity to educate users about Tor’s features and settings. The “!about:tor” page is the first thing a user sees once they successfully launch Tor Browser and connect to the Tor network. At this moment, they are ready to start browsing; therefore, it is a great opportunity for us to build an educational moment to teach them about Tor Browser security features and how to use them.Antonelaantonela@torproject.orgAntonelaantonela@torproject.orghttps://gitlab.torproject.org/legacy/trac/-/issues/25703Test linkability/fingerprinting defenses for first Tor Browser alpha for Android2020-06-16T00:45:20ZGeorg KoppenTest linkability/fingerprinting defenses for first Tor Browser alpha for AndroidWe should make sure we understand what the blockers are for cross-origin linkability defenses on Android and how we are with respect to our fingerprinting defenses. In particular, making sure we have some protections from cross-origin tr...We should make sure we understand what the blockers are for cross-origin linkability defenses on Android and how we are with respect to our fingerprinting defenses. In particular, making sure we have some protections from cross-origin tracking on Android by using our patches in `tor-browser` seems like a worthwhile goal even for the first alpha.https://gitlab.torproject.org/legacy/trac/-/issues/26506NoScript not working on TBB/ESR60 on Windows2020-06-16T00:47:38ZArthur EdelsteinNoScript not working on TBB/ESR60 on Windowsgk [wrote](https://trac.torproject.org/projects/tor/ticket/26381?replyto=5#comment:5):
> One observation I had today while testing a Windows sv-SE bundle: it seems that NoScript is somehow not properly working as well? At least adjustin...gk [wrote](https://trac.torproject.org/projects/tor/ticket/26381?replyto=5#comment:5):
> One observation I had today while testing a Windows sv-SE bundle: it seems that NoScript is somehow not properly working as well? At least adjusting the security slider does not seem to work and I can't click on the NoScript icon. However, that might be worth a different bug as I have this issue with an en-US bundle, too. But on my Linux box it is working as expected.richardrichardhttps://gitlab.torproject.org/legacy/trac/-/issues/26548Some HTTPS Everywhere functionality appears to be broken on 8.0a92020-06-16T00:49:33ZcypherpunksSome HTTPS Everywhere functionality appears to be broken on 8.0a9I compared the behavior between 8.0a8 and 8.0a9:
* Open 8.0a8, and check the "Block all unencrypted requests" in the HTTPS-E popup.
* Go to a mixedcontent website (go to the github repository efforg/https-everywhere then search for mix...I compared the behavior between 8.0a8 and 8.0a9:
* Open 8.0a8, and check the "Block all unencrypted requests" in the HTTPS-E popup.
* Go to a mixedcontent website (go to the github repository efforg/https-everywhere then search for mixedcontent and find recent edited one, here's an example of such a site (not privatebin.net but the one written there): https://privatebin.net/?b5c69abb9501c2d5#fbNBF8M+XNeluv6+O00aGLjAWkrcUAnBDsgZLkP0RQY= )
* So open that site up while your browser console is opened, you can see that HTTPS-E injects an upgrade-insecure-requests header and everything is going through HTTPS now including scripts and css etc.
----------------
* Open 8.0a9, and check the "Block all unencrypted requests" in the HTTPS-E popup.
* Go to the previously mentioned site.
* There doesn't appear to be any injection of upgrade-insecure-requests header, css broken etc as a result.https://gitlab.torproject.org/legacy/trac/-/issues/26600verify that new WebGL extensions are disabled2020-06-16T01:08:11ZMark Smithverify that new WebGL extensions are disabledSupport for two new WebGL extensions was added during the ESR60 development cycle. We should verify that both are disabled via `webgl.disable-extensions` = `true` (which Tor Browser sets by default). See:
https://bugzilla.mozilla.org/s...Support for two new WebGL extensions was added during the ESR60 development cycle. We should verify that both are disabled via `webgl.disable-extensions` = `true` (which Tor Browser sets by default). See:
https://bugzilla.mozilla.org/show_bug.cgi?id=1250077
https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_compressed_texture_astc
https://bugzilla.mozilla.org/show_bug.cgi?id=1325113
https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_compressed_texture_s3tc_srgbhttps://gitlab.torproject.org/legacy/trac/-/issues/26604investigate whether date and time <input> types leak the user's locale2020-06-16T00:48:06ZMark Smithinvestigate whether date and time <input> types leak the user's localeThe date and time <input> types were enabled during the ESR60 development cycle. We should verify that these features do not leak the user's locale, e.g., are the input field dimensions different in different locales? See:
https://bugz...The date and time <input> types were enabled during the ESR60 development cycle. We should verify that these features do not leak the user's locale, e.g., are the input field dimensions different in different locales? See:
https://bugzilla.mozilla.org/show_bug.cgi?id=1399036
If necessary, we can set the `dom.forms.datetime` pref to `false` to remove support for these <input> types.https://gitlab.torproject.org/legacy/trac/-/issues/26695List components required to build Tor Browser for Android2020-06-16T00:48:20ZboklmList components required to build Tor Browser for AndroidIn order to integrate Tor Browser for Android into tor-browser-build, we need to make a list of all the components that we need to download and/or build in order to be able to do an Android build of Tor Browser.In order to integrate Tor Browser for Android into tor-browser-build, we need to make a list of all the components that we need to download and/or build in order to be able to do an Android build of Tor Browser.https://gitlab.torproject.org/legacy/trac/-/issues/26877Declare gcc version in rbm.conf2020-06-16T01:25:12ZSukhbir SinghDeclare gcc version in rbm.confWe declare the `gcc` version (currently set to `6.4.0`) in multiple places:
```
projects/gcc/config:version: 6.4.0
```
```
projects/mingw-w64/config: gcc_version: 6.4.0
```
We should probably define it in `rbm.conf` instead and then ...We declare the `gcc` version (currently set to `6.4.0`) in multiple places:
```
projects/gcc/config:version: 6.4.0
```
```
projects/mingw-w64/config: gcc_version: 6.4.0
```
We should probably define it in `rbm.conf` instead and then refer to that. (This may also be relevant for #25485).https://gitlab.torproject.org/legacy/trac/-/issues/26884Update preferences.xul to make it work on mobile2020-06-16T00:48:37ZIgor OliveiraUpdate preferences.xul to make it work on mobileTorButton preferences.xul doesn't work on mobile. It is simpler to make it work on mobile than updating the tor-browser-settings extension.TorButton preferences.xul doesn't work on mobile. It is simpler to make it work on mobile than updating the tor-browser-settings extension.https://gitlab.torproject.org/legacy/trac/-/issues/26917Update QA and Testing content on our HACKING document2020-06-16T00:48:39ZGeorg KoppenUpdate QA and Testing content on our HACKING documentOur QA and Testing content on our HACKING page needs some update.Our QA and Testing content on our HACKING page needs some update.https://gitlab.torproject.org/legacy/trac/-/issues/26981Update marionette_driver used in tbb-testsuite for esr602020-06-13T17:41:08ZboklmUpdate marionette_driver used in tbb-testsuite for esr60In order to use our tests based on marionette with Tor Browser 8.0, we need to update the version of marionette_driver we use in the testsuite.In order to use our tests based on marionette with Tor Browser 8.0, we need to update the version of marionette_driver we use in the testsuite.boklmboklmhttps://gitlab.torproject.org/legacy/trac/-/issues/27106tbb-testsuite: stop using preferences/extension-overrides.js2020-06-13T17:41:10Zboklmtbb-testsuite: stop using preferences/extension-overrides.jsIn the testsuite we are using the file `preferences/extension-overrides.js` to set some preferences. However this file does not exist anymore in esr60.In the testsuite we are using the file `preferences/extension-overrides.js` to set some preferences. However this file does not exist anymore in esr60.boklmboklmhttps://gitlab.torproject.org/legacy/trac/-/issues/27122tbb-testsuite: fix the slider_settings tests for esr602020-06-13T17:41:13Zboklmtbb-testsuite: fix the slider_settings tests for esr60We need to fix the slider_settings tests for the new security slider prefs.We need to fix the slider_settings tests for the new security slider prefs.boklmboklmhttps://gitlab.torproject.org/legacy/trac/-/issues/27133tbb-testsuite: update useragent string in fp_navigator, useragent and setting...2020-06-13T17:41:13Zboklmtbb-testsuite: update useragent string in fp_navigator, useragent and settings testsWe need to update the useragent string in the `fp_navigator`, `useragent` and `settings` tests for Tor Browser 8.0.We need to update the useragent string in the `fp_navigator`, `useragent` and `settings` tests for Tor Browser 8.0.boklmboklm