Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-15T23:42:45Z

https://gitlab.torproject.org/legacy/trac/-/issues/12212
Disable deprecated Audio Data API
2020-06-15T23:42:45Z
Mike Perry

iSec pointed out that the Audio Data API was superseded by the WebAudio API, but it remains on by default in the Firefox 24ESR series. This is bad for business, especially given how many vulnerabilities have been in WebAudio. There is a risk that similar vulnerabilities have simply gone unfixed in AudioData.
https://bugzilla.mozilla.org/show_bug.cgi?id=927245
The pref is media.audio_data.enabled.
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/12150
Fonts limit bypass with iframes
2020-06-13T03:54:26Z
Trac

It is possible to bypass max font using iframe (also object/frame I guess),
1st demo shows that each iframe instance has own max_font.
If you create many iframes with less than max_fonts in each, it does not reset window.parent fonts.
http://pastebin.com/raw.php?i=MkqVQv8x
2nd, full bruteforce script with 512 fonts array.
It dynamically creates many iframes with N fonts in each.
Each iframe separately executes typical js/css detection mmmmlliii script with a short given set of fonts, and sends offsetWidth/Heights to parent script via postMessage.
Parent script collects all answers and then compares results.
http://pastebin.com/raw.php?i=D8DWb47X
**Trac**:
**Username**: jaedo
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/12050
Network prefetch on or off in TorBrowser ?
2014-05-19T13:25:24Z
Trac

Doing about:config shows that:
network.dns.disablePrefetch = true
network.prefetch-next;true
On the one hand it looks as though it's disabled, on the other it's on. I don't know which value has more precedence in FF here.
Is this on or off ? It should be off, there should be no dns lookups or starting to download urls without user action.
Apologies if this has already been covered.
v. 3.6 (i think)
**Trac**:
**Username**: DrMikeTwiddle
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/11817
Avoid sending browser startup time information to Mozilla
2020-06-13T03:24:25Z
Mike Perry

In https://lists.torproject.org/pipermail/tor-talk/2014-May/032889.html, someone suggested disabling the addon metadata queries to Mozilla. The data doesn't seem that harmful (they don't mention tying it to a unique identifier or cookies) but I guess we might as well disable it. I don't like the fact that it sends browser startup time at least. That should be part of Telemetry, not addon metadata retrieval.
https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
The pref is extensions.getAddons.cache.enabled -> false.
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/11816
Remove hard-coded i686-w64-mingw32-widl
2014-05-09T07:47:05Z
Georg Koppen

Landing the refactored Windows build descriptors (#10120) breaks the Tor Browser build with a hard-coded i686-w64-mingw32-widl. We should therefore just get rid of the respective mozconfig line.
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/11493
connections to 127.0.0.1 no longer possible
2014-04-12T18:27:16Z
proper

No longer allowing connections to 127.0.0.1 at all (#10419) is a huge disadvantage.
* Users using the i2p web interface can no longer use it using Tor Browser.
* Users wanting to visit their own hidden service using 127.0.0.1 won't be able to do so anymore.
And what will they do? Using a regular browser. And being worse off.
Can you allow connections to 127.0.0.1 while still defeating fingerprinting issues (#10419) please?
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/11433
window.sidebar.addSearchEngine leaks installation paths on OSX and Windows.
2014-04-25T18:21:19Z
Arthur Edelstein

Previously reported as part of #9308. Open ESR-24-based TBB on Windows or Mac, start the Web Console, and enter the line
`window.sidebar.addSearchEngine("http://", "http://", null, null);`
The resulting Exception reads
```
[Exception... "addEngine: Error adding engine:
[Exception... "Component returned failure code: 0x804b000a (NS_ERROR_MALFORMED_URI) [nsIIOService.newChannelFromURI]" nsresult: "0x804b000a (NS_ERROR_MALFORMED_URI)" location: "JS frame :: jar:file:///Applications/TorBrowserBundle_en-US.app/Contents/MacOS/TorBrowser.app/Contents/MacOS/omni.ja!/components/nsSearchService.js :: SRCH_ENG_initFromURI :: line 1201" data: no]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: jar:file:///Applications/TorBrowserBundle_en-US.app/Contents/MacOS/TorBrowser.app/Contents/MacOS/omni.ja!/components/nsSearchService.js :: FAIL :: line 264" data: no]
```
which includes the path
`file:///Applications/TorBrowserBundle_en-US.app/Contents/MacOS/TorBrowser.app/Contents/MacOS/omni.ja!/components/nsSearchService.js`
Depending on where TBB is installed, the path may include the User directory and thus may leak private information to client-side JS web code.
Note that this bug no longer obtains in ESR-31. The bug that fixed this was
"Port window.sidebar and window.external to WebIDL", https://bugzilla.mozilla.org/show_bug.cgi?id=983920
patch: https://hg.mozilla.org/mozilla-central/rev/d9e6a6c40a57
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/11310
TOR browser stops when access hidden .onion
2020-06-13T03:10:26Z
Trac

TOR browser stops working after trying to access hidden/dark/deep web... have tried to re-install TOR and set only things that may conflict, have tried leaving all settings default.
has only happened since I have used my new (personally built) computer... making me think that it is somehow connected to Win7 64bit pro OS.
the program works fine when browsing clear net then crashes and won't start again only after trying to view hidden wiki and .onion sites etc.
(wondering also if this could possibly be something in the registry blocking TOR/vidalia from working outright)
information from crash 'program not working' popup:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 24.4.0.0
Application Timestamp: 386d4380
Fault Module Name: d2d1.dll
Fault Module Version: 6.2.9200.16765
Fault Module Timestamp: 528bf6b2
Exception Code: c0000005
Exception Offset: 002284f6
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 1033
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789
Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409
If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt
is this .dll file included with the TOR browser, is it missing, or conflicting somehow as well?
**Trac**:
**Username**: sbseed
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/11260
ASSERTIONs in font-face related code
2014-06-23T09:19:39Z
Georg Koppen

I get assertions when requesting https://code.google.com/codejam/contest/registration:
```
###!!! ASSERTION: bad font face url passed to fontloader: 'aFontFaceSrc && !aFontFaceSrc->mIsLocal', file /home/firefox/tor-browser/layout/style/nsFontFaceLoader.cpp, line 821
###!!! ASSERTION: null font uri: 'aFontFaceSrc->mURI', file /home/firefox/tor-browser/layout/style/nsFontFaceLoader.cpp, line 822
###!!! ASSERTION: bad font face url passed to fontloader: 'aFontFaceSrc && !aFontFaceSrc->mIsLocal', file /home/firefox/tor-browser/layout/style/nsFontFaceLoader.cpp, line 821
###!!! ASSERTION: null font uri: 'aFontFaceSrc->mURI', file /home/firefox/tor-browser/layout/style/nsFontFaceLoader.cpp, line 822
###!!! ASSERTION: bad font face url passed to fontloader: 'aFontFaceSrc && !aFontFaceSrc->mIsLocal', file /home/firefox/tor-browser/layout/style/nsFontFaceLoader.cpp, line 821
###!!! ASSERTION: null font uri: 'aFontFaceSrc->mURI', file /home/firefox/tor-browser/layout/style/nsFontFaceLoader.cpp, line 822
###!!! ASSERTION: bad font face url passed to fontloader: 'aFontFaceSrc && !aFontFaceSrc->mIsLocal', file /home/firefox/tor-browser/layout/style/nsFontFaceLoader.cpp, line 821
###!!! ASSERTION: null font uri: 'aFontFaceSrc->mURI', file /home/firefox/tor-browser/layout/style/nsFontFaceLoader.cpp, line 822
```
This does not happen in a vanilla 24.4.0 ESR.
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/11253
Turn on TLS 1.1 and 1.2 in TorBrowser
2020-06-15T23:42:45Z
Trac

TLS 1.1 and TLS 1.2 support is already implemented in FF 24 ESR, but for some unknown reason Mozilla haven't turned it on by default, even though TLS 1.1 and 1.2 is supported by Chrome, IE, Opera, and FF stable (the non-ESR version).
Thru about:config, search for security.tls.version.max and replace 1 with 3 and that's it.
Note we're not disabling SSL 3.0 so no sites at all will be broken.
The reasons and benefits for enabling TLS 1.1 and 1.2 are obvious and self-evident, including
- higher security for encrypted traffic to websites leaving Tor exit nodes
- Making the said traffic above resistant to cryptanalysis and sniffing
There are no drawbacks from this upgrade because SSL 3.0 will not be disabled and hence websites not supporting TLS 1.1 and 1.2 will not be broken and will function as normal.
**Trac**:
**Username**: YunoTLS
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/11012
Download warning is unclear
2014-02-24T08:47:04Z
Matt Pagan

Users do not understand what the download warning message means. The help desk often gets requests asking for clarification of this message. The message is
```
An external application is needed to handle:
%s
NOTE: External applications are NOT Tor safe by default and can unmask you!
If this file is untrusted, you should either save it to view while offline or in a VM,
or consider using a transparent Tor proxy like Tails LiveCD or torsocks.
```
I propose the message be replaced with a shorter, more direct message in simpler language.

https://gitlab.torproject.org/legacy/trac/-/issues/10948
TorBrowser's About page says Tor Project but has links to Mozilla
2014-02-20T10:46:39Z
Karsten Loesing

This is TorBrowserBundle-3.5.2-osx32_en-US.zip. When I go to About, it says "TorBrowser is designed by Tor Project, a global community working together to keep the Web open, public and accessible to all. [...] Get involved!" But all links go to Mozilla, which is probably not intended.
Also should the text be more Tor specific?
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/10895
Localizations are broken in TBB 3.5.2
2020-06-13T03:20:47Z
Georg Koppen

We have numerous reports that all localizations are broken with the new TBB 3.5.2. Here is what happened: While the language packs are okay with a min version of 24.3.0 the TorBrowser claims to be 24.3.0esrpre. (See: config/milestone.txt in tor-browser.git). The parser sees the latter as < 24.3.0 and therefore blocks the language packs. The rev used for rebasing the patches is the wrong one.
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/10833
Screen resolution should not be identical to window size
2014-02-08T15:26:02Z
Trac

TorBrowser design doc https://www.torproject.org/projects/torbrowser/design/ states re screen resolution:
"report that the desktop is only as big as the inner content window"
Indeed, when I go to <http://browserspy.dk/screen.php> with TorBrowser, I get a screen size of 1057x909.
This is an obvious way to find out Tor users, and also allows to track them even better than without this change. A screen (!) resolution of 1057x909 must really stand out and allow to track a user easily. This would stay the same across all sessions and sites and even reboots.
A window/content resolution of 1057x909 isn't very common either and problematic, but that problem exists independent of the screen resolution. This issue isn't theoretical: I heard about 5 years ago that even Google tracks users based on non-standard window resolution.
That said, a **screen** resolution of 1057x909 would appear only among TorBrowser users and thus be fairly unique world-wide.
**Trac**:
**Username**: ben
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/10819
Create preference for DOM storage isolation and image cache isolation
2022-06-16T02:51:54Z
Mike Perry

In #6564, we created a patch to isolate DOM storage to first party domain. It could use a pref to control if it is enabled, and ideally also have an option to control if it only applies to private browsing mode windows (though that could be a separate ticket if it is substantial).
Our patch for the isolation is here:
https://gitweb.torproject.org/tor-browser.git/commitdiff/1b3c110a29ae11b50ce2bf56d5954773262e67c0
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/10593
Clipboard data might be leaking
2020-06-13T03:17:56Z
Georg Koppen

Some preliminary testing in #10285 comment 1 showed that websites might listen at least to the paste event and obtain user sensitive data this way. A quick workaround is setting "dom.event.clipboardevents.enabled" to "false".
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/10525
Private Browsing remembers cookies
2014-01-02T20:20:08Z
Trac

I would just like to let you guys know that Firefox recently remembers cookies when you are in private browsing mode.
Cookies are not displayed in the show cookies window and therefore cannot be managed (cleared by the user). This gives the user a false impression that the cookies are not stored. The cookies are "remembered" throughout the entire session (until Firefox is closed) and is therefore available to any website throughout the session.
Do yourself a favor and test it: [www.html-kit.com/tools/cookietester/]
The only way I've managed to get past it,
> is by setting Firefox to "use custom settings for history"
> to only check "accept cookies from sites",
> "never" to "accept third-party cookies"
> and to "keep cookies until i close the browser"
> with an addon called "self destruct cookies" installed, which clears cookies per browsing tab as tabs are closed.
This clears the cookies of a tab once the tab is closed, while still allowing websites, that need cookies to function (like gmail), to work.
Hope this helps
**Trac**:
**Username**: jannie
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/10419
Can requests to 127.0.0.1 be used to fingerprint the browser?
2020-06-15T23:18:12Z
Mike Perry

If a site makes connection attempts or element loads sourced for 127.0.0.1, can it build a list of open local TCP ports for fingerprinting purposes? Open ports may yield different error conditions than closed ports for certain request types and elements.
There may be other vectors to do this through DNS rebinding too, but I believe in those cases the hostname should always be provided to the SOCKS port, and such connections will happen to the exit, which should block them.
Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/10285
Write test pages for certain FF24 features
2020-06-13T02:48:57Z
Mike Perry

There are a couple of new Firefox features that may behave in unacceptable ways on some platforms. In particular, the web notifications api (https://developer.mozilla.org/en-US/docs/WebAPI/Using_Web_Notifications) could potentially introduce proxy bypass similar to what we saw with drag and drop url sniffing by the OS Desktop.
Similarly, if https://developer.mozilla.org/en-US/docs/Web/API/ClipboardEvent.clipboardData is able to randomly inspect the clipboard, this could be very privacy invasive. We should ensure that the clipboard APIs either ask the user first, or otherwise only interact with clipboard data originating from that same page.
There were also some changes to the Download Manager in terms of how it executes helper apps, and to the external app launcher's threading behavior. We should verify that our external app blocker still asks the user for confirmation in these cases:
https://bugzilla.mozilla.org/show_bug.cgi?id=858234
https://bugzilla.mozilla.org/show_bug.cgi?id=789932
Finally, support for querying and inspecting font variants was introduced. Do our font limit counters still apply in that case? Should they?
https://bugzilla.mozilla.org/show_bug.cgi?id=549861
Georg Koppen

https://gitlab.torproject.org/legacy/trac/-/issues/10111
Collect patches for making the Firefox build system deterministic and file Mozilla bugs
2020-06-13T03:20:41Z
Georg Koppen

Today indygreg/gps (Gregory Szorc) showed up on #tor-dev and asked about our deterministic build setup. He said they would probably take the build system bits and merge them into m-c. We should bundle them (I was not able to find them, actually) and create bugs in Mozilla's system.
Mike Perry