Trac issueshttps://gitlab.torproject.org/legacy/trac/-/issues2020-06-16T00:59:39Zhttps://gitlab.torproject.org/legacy/trac/-/issues/28873Cascading of permissions does not seem to work properly in Tor Browser 82020-06-16T00:59:39ZGeorg KoppenCascading of permissions does not seem to work properly in Tor Browser 8On level "safer" of our security slider we want to prevent executing JavaScript if the URL bar domain is loaded over HTTP. That means even if embedded content is loaded over HTTPS it's not allowed to load and execute JavaScript that way....On level "safer" of our security slider we want to prevent executing JavaScript if the URL bar domain is loaded over HTTP. That means even if embedded content is loaded over HTTPS it's not allowed to load and execute JavaScript that way. We used the `cascadePermissions` and the `globalHttpsWhitelist` prefs for that in the XPCOM NoScript.
This mechanism seems to be broken as e.g. HTTPS JavaScript can get loaded in a HTTP site context (as an example take http://www.worldstarhiphop.com/featured/131305).
This got noted on our blog: https://blog.torproject.org/comment/278987#comment-278987.ma1ma1https://gitlab.torproject.org/legacy/trac/-/issues/28850Error downloading dvlib-26.0.1.pom and dvlib-26.0.1.jar2020-06-16T00:59:37ZboklmError downloading dvlib-26.0.1.pom and dvlib-26.0.1.jarMarcus Hoffmann from f-droid told me that his build of Tor Browser for Android failed with:
```
--2018-12-13 23:25:22-- ...Marcus Hoffmann from f-droid told me that his build of Tor Browser for Android failed with:
```
--2018-12-13 23:25:22--
https://jcenter.bintray.com/com/android/tools/dvlib/26.0.1/dvlib-26.0.1.pom
Resolving jcenter.bintray.com (jcenter.bintray.com)... 159.122.18.156
Connecting to jcenter.bintray.com
(jcenter.bintray.com)|159.122.18.156|:443... connected.
HTTP request sent, awaiting response... 302
Location:
https://repo.jfrog.org/artifactory/libs-release-bintray/com/android/tools/dvlib/26.0.1/dvlib-26.0.1.pom?referrer
[following]
--2018-12-13 23:25:22--
https://repo.jfrog.org/artifactory/libs-release-bintray/com/android/tools/dvlib/26.0.1/dvlib-26.0.1.pom?referrer
Resolving repo.jfrog.org (repo.jfrog.org)... 52.7.30.14, 34.231.202.145
Connecting to repo.jfrog.org (repo.jfrog.org)|52.7.30.14|:443... connected.
HTTP request sent, awaiting response... 404
2018-12-13 23:25:23 ERROR 404: (no description).
Error: Error creating gradle-dependencies-3
Makefile:33: recipe for target 'alpha-android-armv7' failed
make: *** [alpha-android-armv7] Error 1
```
It seems that the URLs for `dvlib-26.0.1.pom` and `dvlib-26.0.1.jar` in `projects/firefox/gradle-dependencies-list.txt` and `projects/orbot/gradle-dependencies-list.txt` need to be updated.https://gitlab.torproject.org/legacy/trac/-/issues/28784Assembling WebRTC sources fails with error "You have unstaged changes"2020-06-16T00:59:21ZGeorg KoppenAssembling WebRTC sources fails with error "You have unstaged changes"After testing the patches in #28725 and merging them to `master` I decided to get rid of all by built snowflake related artifacts and deleted `out/snowflake`, `out/go-webrtc` and `out/webrtc` and check if everything is still working.
Th...After testing the patches in #28725 and merging them to `master` I decided to get rid of all by built snowflake related artifacts and deleted `out/snowflake`, `out/go-webrtc` and `out/webrtc` and check if everything is still working.
That does not seem to be the case as I am already getting errors during WebRTC sources assembling now:
```
Starting build: Fri Dec 7 14:05:23 2018
Bootstrapping cipd client for linux-amd64 from https://chrome-infra-packages.appspot.com/client?platform=linux-amd64&version=git_revision:d2677a4477e59cb7de00f1fb8a00e96b1aaeb927...
src/testing (ERROR)
----------------------------------------
[0:00:02] Started.
[0:00:07] From https://chromium.googlesource.com/chromium/src/testing
[0:00:07] a5684e6..36a1586 master -> origin/master
----------------------------------------
Error: 5>
5> ____ src/testing at 60c665fffe7dc505fdd5d30f9dbcbc50dde1e017
5> You have unstaged changes.
5> Please commit, stash, or reset.
```
I wonder if that's a thing for boklm's idea about cleaning up old files, expressed in comment:9:ticket:28725.https://gitlab.torproject.org/legacy/trac/-/issues/28775Add mercurial to the list of dependencies in tools/ansible/roles/tbb-builder/...2020-06-16T00:59:21ZboklmAdd mercurial to the list of dependencies in tools/ansible/roles/tbb-builder/tasks/main.ymlWith #26843 we now require mercurial to be installed. We should add it to the list of dependencies in tools/ansible/roles/tbb-builder/tasks/main.yml.With #26843 we now require mercurial to be installed. We should add it to the list of dependencies in tools/ansible/roles/tbb-builder/tasks/main.yml.boklmboklmhttps://gitlab.torproject.org/legacy/trac/-/issues/28771Does the build still require libfile-slurp-perl?2020-06-16T01:25:24ZDavid Fifielddcf@torproject.orgDoes the build still require libfile-slurp-perl?[a6d54303a](https://gitweb.torproject.org/builders/tor-browser-build.git/commit/?id=a6d54303ad89af777a4994dc27d0ae90945f090c) removed libfile-slurp-perl from README. But [43c9452946](https://gitweb.torproject.org/builders/tor-browser-bui...[a6d54303a](https://gitweb.torproject.org/builders/tor-browser-build.git/commit/?id=a6d54303ad89af777a4994dc27d0ae90945f090c) removed libfile-slurp-perl from README. But [43c9452946](https://gitweb.torproject.org/builders/tor-browser-build.git/commit/?id=43c9452946313a5ab3dd064501daa05096db86eb) added projects/firefox-locale-bundle/get_hg_hash which requires it. This is the error I get in logs/firefox-locale-bundle-android-armv7.log:
```
pulling from https://hg.mozilla.org/l10n-central/ar
searching for changes
no changes found
Can't locate File/Slurp.pm in @INC (you may need to install the File::Slurp module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.24.1 /usr/local/share/perl/5.24.1 /usr/lib/x86_64-linux-gnu/perl5/5.24 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.24 /usr/share/perl/5.24 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /home/user/tor-browser-build/projects/firefox-locale-bundle/get_hg_hash line 3.
BEGIN failed--compilation aborted at /home/user/tor-browser-build/projects/firefox-locale-bundle/get_hg_hash line 3.
```https://gitlab.torproject.org/legacy/trac/-/issues/28752Gradle sometimes downloads tor-android-binary resources during build (or the ...2020-06-16T00:59:14ZGeorg KoppenGradle sometimes downloads tor-android-binary resources during build (or the build is failing)I saw a failing builds in comment:42:ticket:27977 and later on complaining about missing `tor-android-binary` resources (*.pom and *.aar). Today I saw a build where Gradle is even downloading both files during build. I double-checked and...I saw a failing builds in comment:42:ticket:27977 and later on complaining about missing `tor-android-binary` resources (*.pom and *.aar). Today I saw a build where Gradle is even downloading both files during build. I double-checked and they are available in `gradle-dependecies-3` which we use during build, which is pretty concerning.
We should figure our what is going on here.https://gitlab.torproject.org/legacy/trac/-/issues/28747Remove old NoScript related code (needed for dealing with the XPCOM version)2020-06-16T00:59:06ZGeorg KoppenRemove old NoScript related code (needed for dealing with the XPCOM version)After switching to the new, WebExtensions-based NoScript there is unused code left in Torbutton dealing with the old XPCOM version. We should remove that.After switching to the new, WebExtensions-based NoScript there is unused code left in Torbutton dealing with the old XPCOM version. We should remove that.https://gitlab.torproject.org/legacy/trac/-/issues/28740Make navigator.platform return "Win32", even on Win64 OS2020-06-16T00:59:05ZTracMake navigator.platform return "Win32", even on Win64 OShttps://bugzilla.mozilla.org/show_bug.cgi?id=1472618
**Trac**:
**Username**: omghttps://bugzilla.mozilla.org/show_bug.cgi?id=1472618
**Trac**:
**Username**: omghttps://gitlab.torproject.org/legacy/trac/-/issues/28725Upgrade go-webrtc to dcbfc825aa33471253a5da1834d499257e05d5572020-06-16T00:59:04ZDavid Fifielddcf@torproject.orgUpgrade go-webrtc to dcbfc825aa33471253a5da1834d499257e05d557The primary goal of this upgrade was to simplify by removing `-D_GLIBCXX_USE_CXX11_ABI=1`, which is [no longer required](https://github.com/keroserene/go-webrtc/commit/a3140c36f9933013ad2e66bc21358a1bfea95a95) in go-webrtc. The upgrade a...The primary goal of this upgrade was to simplify by removing `-D_GLIBCXX_USE_CXX11_ABI=1`, which is [no longer required](https://github.com/keroserene/go-webrtc/commit/a3140c36f9933013ad2e66bc21358a1bfea95a95) in go-webrtc. The upgrade also required upgrades of the dependencies webrtc and depot_tools.
I tested this with `make testbuild` and running the linux-x86_64 build. I haven't run the linux-i686 and osx-x86_64 builds.https://gitlab.torproject.org/legacy/trac/-/issues/28722Add cs el hu ka locales to the Tor Browser download pages2020-06-13T17:27:18ZboklmAdd cs el hu ka locales to the Tor Browser download pagesIn #28082 we added 4 new locales to Tor Browser. We should also add them to the alpha download pages.In #28082 we added 4 new locales to Tor Browser. We should also add them to the alpha download pages.boklmboklmhttps://gitlab.torproject.org/legacy/trac/-/issues/28720NoScript is blocking some videos outright starting with 10.1.9.2rc2 on securi...2020-06-16T01:01:51ZGeorg KoppenNoScript is blocking some videos outright starting with 10.1.9.2rc2 on security level "safer"STR:
1) Take a clean Tor Browser
2) Set the security slider level to "safer" (click on the onion in the toolbar -> Security Settings... -> drag the slider to the medium level)
3) Load https://developer.mozilla.org/samples/video/chroma-k...STR:
1) Take a clean Tor Browser
2) Set the security slider level to "safer" (click on the onion in the toolbar -> Security Settings... -> drag the slider to the medium level)
3) Load https://developer.mozilla.org/samples/video/chroma-key/index.xhtml
4) You get the message "No video with supported format and MIME type found." without the option to override this in order to watch the video.
Expected results:
The NoScript placeholder allowing to watch the video after clicking on it and confirming.
The last good version is NoScript 10.1.9.2rc1 and the first bad one 10.1.9.2rc2
This got reported on our blog: https://blog.torproject.org/comment/278685#comment-278685ma1ma1https://gitlab.torproject.org/legacy/trac/-/issues/28697Our QA and testing .apks are signed with a key per build2020-06-16T00:58:51ZGeorg KoppenOur QA and testing .apks are signed with a key per buildFor every .apk build we do a
```
keytool -genkey -v -keystore qa.keystore -storepass android -alias androidqakey -keypass android -keyalg RSA -keysize 2048 -validity 10000 -dname "CN=Android Tor QA,O=Tor,C=US"
```
which
a) results in di...For every .apk build we do a
```
keytool -genkey -v -keystore qa.keystore -storepass android -alias androidqakey -keypass android -keyalg RSA -keysize 2048 -validity 10000 -dname "CN=Android Tor QA,O=Tor,C=US"
```
which
a) results in differences between the resulting .apk files defeating our reproducible builds goal and
b) results in a hassle testing those .apk files by trying to overwrite an older installation: the keys must be the same, otherwise the app would not get installed over the already available one.https://gitlab.torproject.org/legacy/trac/-/issues/28696Changing paths to Gradle dependencies are included in build2020-06-16T00:58:50ZGeorg KoppenChanging paths to Gradle dependencies are included in buildTo use the downloaded Gradle dependencies for our Android Tor Browser we do
```
export GRADLE_MAVEN_REPOSITORIES="file://$rootdir/[% c('input_files_by_name/gradle-dependencies') %]"
```
`$rootdir`, however, results in including a chang...To use the downloaded Gradle dependencies for our Android Tor Browser we do
```
export GRADLE_MAVEN_REPOSITORIES="file://$rootdir/[% c('input_files_by_name/gradle-dependencies') %]"
```
`$rootdir`, however, results in including a changing path into the final .apk as it gets embedded into `chrome/toolkit/content/global/buildconfig.html`. The result is something like "file:///var/tmp/tmp.Flce6AvlTV/gradle-dependencies-3" which breaks our reproducible builds.https://gitlab.torproject.org/legacy/trac/-/issues/28695Set BRNameMatchingPolicy to "Enforce"2020-06-16T00:58:50ZTracSet BRNameMatchingPolicy to "Enforce"https://bugzilla.mozilla.org/show_bug.cgi?id=1461373
**Trac**:
**Username**: omghttps://bugzilla.mozilla.org/show_bug.cgi?id=1461373
**Trac**:
**Username**: omghttps://gitlab.torproject.org/legacy/trac/-/issues/28608Disable HTTP response throttling by default2020-06-16T00:58:34ZTracDisable HTTP response throttling by defaulthttps://bugzilla.mozilla.org/show_bug.cgi?id=1503354
**Trac**:
**Username**: omghttps://bugzilla.mozilla.org/show_bug.cgi?id=1503354
**Trac**:
**Username**: omghttps://gitlab.torproject.org/legacy/trac/-/issues/28573Make testbuild target work for multi-locale Android2020-06-16T00:53:05ZGeorg KoppenMake testbuild target work for multi-locale AndroidThe testbuild target just provides a single bundle for our platforms to allow a quick test of changes without generating .mar files or localized bundles.
However, that currently breaks generating multi-locale Android .apks with the test...The testbuild target just provides a single bundle for our platforms to allow a quick test of changes without generating .mar files or localized bundles.
However, that currently breaks generating multi-locale Android .apks with the testbuild target as the step of ignoring non-en-US locales is not done at the packaging step but right from the beginning. The result is that the checkout and assembly of the `firefox-locale-bundle` is failing ("failing" in the sense that no or potentially the wrong localized files are zipped up; the build of the component itself is not failing).https://gitlab.torproject.org/legacy/trac/-/issues/2854012/11 release Banner text2020-06-16T00:53:02ZSarah Stevenson12/11 release Banner textPlease create the following 6 banners where:
[Line 1, non-variable] Tor: Strength in Numbers
[Line 2, variable]
1. Keep Tor strong. Give today, and Mozilla will match your donation. https://marvelapp.com/a131e34/screen/48876408
2. ...Please create the following 6 banners where:
[Line 1, non-variable] Tor: Strength in Numbers
[Line 2, variable]
1. Keep Tor strong. Give today, and Mozilla will match your donation. https://marvelapp.com/a131e34/screen/48876408
2. Mozilla is matching every donation until 2019. Give now, and your gift becomes twice as strong.
^^ please notice that the 'Give today, and Mozilla will match your donation" phrase will change here and be: "Give now, and your gift becomes twice as strong."
3. Support internet freedom. Give today, and Mozilla will match your donation.
4. Defend the open web. Give today, and Mozilla will match your donation.
5. Support privacy and freedom online. Give today, and Mozilla will match your donation.
6. We need your support. Every dollar counts. Give today, and Mozilla will match your donation.
[Button]:
“Count me in.” To be used in English.
“Donate now.” To be used for all other languages.https://gitlab.torproject.org/legacy/trac/-/issues/28185Add smallerRichard obfs4 bridge to Tor Browser2020-06-16T00:52:25ZDavid Gouletdgoulet@torproject.orgAdd smallerRichard obfs4 bridge to Tor Browser```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello!
Attached to this ticket is a patch (signed) on Tor Browser to add a new default
fast obfs4proxy bridge named "smallerRichard".
The operator is Louis-Philippe Véronneau a.k.a "...```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello!
Attached to this ticket is a patch (signed) on Tor Browser to add a new default
fast obfs4proxy bridge named "smallerRichard".
The operator is Louis-Philippe Véronneau a.k.a "pollo", well known to me
(dgoulet) and micah (longclaw). Also a Debian Developer:
https://nm.debian.org/person/pollo
Bridge is running on a server co-owned by two large student associations in
Quebec at the OVH datacenter in Montreal. pollo is the sysadmin.
Bandwidth is set to these which is equivalent to ~100Mbps:
BandwidthRate 12500 KBytes
BandwidthBurst 12500 KBytes
Finally, the ORPort on 443 has been firewalled.
Cheers!
David
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAlvQrsYACgkQQuhqKhH0
jTYpkwf8CHitQI3Ei7YBHGFfXf8+n4SZ3eTW2k8P6yeOMDf3QOvscpt01zi589pC
HSqb1dxaWM4YfZlaho7C9rGzW1EtlkixD5H7FHKgKA80FBKWBlHGZsnY1EDe2jbp
6XchwXN9X4FMCO/MEeg5HVYxl3dkyUFmUaRSns717+pDRBu6wWczdVehU6EtoVGC
zRYoxhnbaLr82Q4qfLv2izRo9VOASyu5Ean++wP5Xrd82rM/69aQaYklBKA6+MBO
hyqRPt6sQknPMMndOH8r2O5raRFaGLdm/Lm4CDtRODw45bJlZzeBHnnBlhcnI9aH
z0nqyVo12exzfNTo8aydsr38gyEAqA==
=rJ+0
-----END PGP SIGNATURE-----
```https://gitlab.torproject.org/legacy/trac/-/issues/28075Torbutton WARN: no SOCKS credentials found for current document.2020-06-16T00:52:09ZtraumschuleTorbutton WARN: no SOCKS credentials found for current document.This warning appears in the log quite often. It might be benign and can probably be downgraded to INFO or DEBUG.
> Torbutton WARN: no SOCKS credentials found for current document.
I can trigger this message setting `app.update.log` to ...This warning appears in the log quite often. It might be benign and can probably be downgraded to INFO or DEBUG.
> Torbutton WARN: no SOCKS credentials found for current document.
I can trigger this message setting `app.update.log` to true in about:config and opening the noscript settings.
found this also in #27828, #27221, #26579, #25946, #24654, #24263, #20195, #18138
Another message that appears on moz-extension://ff54e967-998f-4b5d-84b4-1aedfa73532d/ui/options.html:
>JavaScript error: moz-extension://ff54e967-998f-4b5d-84b4-1aedfa73532d/lib/Messages.js, line 0: Error: Message broadcastSettings {"tabId":-1,"__meta":{"name":"broadcastSettings","recipientInfo":null},"_messageName":"broadcastSettings"} looping to its sender (moz-extension://ff54e967-998f-4b5d-84b4-1aedfa73532d/ui/options.html#;tab-main-tabs=3)
(can't remember to have seen this before so it could have been introduced in Noscript 10.1.9.9)https://gitlab.torproject.org/legacy/trac/-/issues/27919Backport SSL status API to Tor Browser alpha2020-06-16T00:51:41ZGeorg KoppenBackport SSL status API to Tor Browser alphaWe'd like to test selfauthenticating subdomains in nightly/alpha releases. We need to backport the WebExtensions SSL status API for that. This includes patches for
https://bugzilla.mozilla.org/show_bug.cgi?id=1322748 and child bugs.We'd like to test selfauthenticating subdomains in nightly/alpha releases. We need to backport the WebExtensions SSL status API for that. This includes patches for
https://bugzilla.mozilla.org/show_bug.cgi?id=1322748 and child bugs.