Trac issueshttps://gitlab.torproject.org/legacy/trac/-/issues2020-06-13T17:44:21Zhttps://gitlab.torproject.org/legacy/trac/-/issues/31488moat: support a comma-separated list of transports in Tor config2020-06-13T17:44:21ZMark Smithmoat: support a comma-separated list of transports in Tor configThe enhancement we made for #29627 does not support a list of transports. This means that if the following is used, Tor Launcher will not detect that a PT that supports meek_lite is available:
```
ClientTransportPlugin meek_lite,obfs2,ob...The enhancement we made for #29627 does not support a list of transports. This means that if the following is used, Tor Launcher will not detect that a PT that supports meek_lite is available:
```
ClientTransportPlugin meek_lite,obfs2,obfs3,obfs4,scramblesuit exec ./TorBrowser/Tor/PluggableTransports/obfs4proxy
```
Kathy and I will post a patch soon.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/31487Modify moat client code so it is compatible with ESR682020-06-13T17:44:21ZMark SmithModify moat client code so it is compatible with ESR68While working on #29430, Kathy and I found some incompatibilities in Tor Launcher's moat client code (src/modules/tl-bridgedb.jsm). All of the problems are due to Firefox internal API changes. While working on #31300, we did not exercise...While working on #29430, Kathy and I found some incompatibilities in Tor Launcher's moat client code (src/modules/tl-bridgedb.jsm). All of the problems are due to Firefox internal API changes. While working on #31300, we did not exercise this code so we did not find these problems then.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/30237Tor Browser: Improve TBB UI of hidden service client authorization2020-06-16T01:13:13ZGeorge KadianakisTor Browser: Improve TBB UI of hidden service client authorizationThis is the parent ticket for Sponsor27 Objective1 Activity1 about improving the UI of client authorization.
This used to be #14389, but it contained too many network-team-specific information so I repurposed #14389 to be about the net...This is the parent ticket for Sponsor27 Objective1 Activity1 about improving the UI of client authorization.
This used to be #14389, but it contained too many network-team-specific information so I repurposed #14389 to be about the network-team side of things, and please use this ticket for the Tor Browser side of things.
Resources about setting up client auth:
https://2019.www.torproject.org/docs/tor-onion-service.html.en#CookieAuthentication
https://lists.torproject.org/pipermail/tor-project/2019-January/002180.html
and https://github.com/torproject/tor/blob/7741b21d0e3afbfc6d60a852fce6992724c4ae71/doc/tor.1.txt#L3021
and https://github.com/torproject/tor/blob/7741b21d0e3afbfc6d60a852fce6992724c4ae71/doc/tor.1.txt#L1122Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/27905many occurrences of "Firefox" in about:preferences2020-06-16T00:51:40ZMark Smithmany occurrences of "Firefox" in about:preferencesThere are many occurrences of `Firefox` within about:preferences.There are many occurrences of `Firefox` within about:preferences.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/27348Tor Browser 8 onboarding UI bugs2020-06-16T00:49:40ZMark SmithTor Browser 8 onboarding UI bugsI am splitting the onboarding issues mentioned in #27301 out into this ticket:
The title of the card needs margin:
.onboarding-tour-description > h1 {margin: 16px 0;}
https://share.riseup.net/#CjGBhXPC7qgxKwwyh4Zljw
We really want gre...I am splitting the onboarding issues mentioned in #27301 out into this ticket:
The title of the card needs margin:
.onboarding-tour-description > h1 {margin: 16px 0;}
https://share.riseup.net/#CjGBhXPC7qgxKwwyh4Zljw
We really want green ticks' background that matches with illos green. How can we do it? is it css? Does Anto need to provide assets? FYI the green is #00DDB3
The scrollbars - Can we reduce margins or make them % to the windows in order to make them disappear?Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/27082enable a limited UITour2020-06-16T00:48:56ZMark Smithenable a limited UITourFor #25695, we plan to use Firefox's UITour implementation. However, in #19047, we disabled it for safety reasons. We will re-enable UITour but limit what it can do and which pages can use the functionality.For #25695, we plan to use Firefox's UITour implementation. However, in #19047, we disabled it for safety reasons. We will re-enable UITour but limit what it can do and which pages can use the functionality.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/26985help button icons missing2020-06-13T17:44:09ZMark Smithhelp button icons missingWhen Tor Launcher is running inside an ESR60-based Tor Browser, the bridge and proxy help button icons are missing. This is because we reused an image that was part of Firefox, and Mozilla removed the image sometime between ESR52 and ESR60.When Tor Launcher is running inside an ESR60-based Tor Browser, the bridge and proxy help button icons are missing. This is because we reused an image that was part of Firefox, and Mozilla removed the image sometime between ESR52 and ESR60.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/26961implement new user onboarding2020-06-16T00:48:44ZMark Smithimplement new user onboardingThis ticket is to track implementation of the new user onboarding portion of #25695.This ticket is to track implementation of the new user onboarding portion of #25695.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/26960implement new about:tor start page2020-06-16T00:48:43ZMark Smithimplement new about:tor start pageThis ticket is to track implementation of the start page portion of #25695.This ticket is to track implementation of the start page portion of #25695.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/26146Setting `general.useragent.override` does not spoof the platform part anymore...2020-06-16T00:46:22ZGeorg KoppenSetting `general.useragent.override` does not spoof the platform part anymore in ESR 60 which is confusingDespite updating `general.useragent.override` to match ESR 60 (done according to comment:16:ticket:25543) the platform part is not spoofed to Windows on my Linux box.
Now, that is intentional, see: https://bugzilla.mozilla.org/show_bug....Despite updating `general.useragent.override` to match ESR 60 (done according to comment:16:ticket:25543) the platform part is not spoofed to Windows on my Linux box.
Now, that is intentional, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1404608.
So, we probably should not set `general.useragent.override` at all anymore and just rely on the settings we get with `privacy.resistFingerprinting`? Because if we explicitly set it to the Windows UA but then don't get that, this is weird.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/24527Inform users in Tor Launcher of which settings are best for them based on the...2020-06-16T01:01:15ZArturo FilastòInform users in Tor Launcher of which settings are best for them based on their countryTor Browser Launcher would, for countries where we know Tor to either work for sure or not work for sure, advise users on whether to use a bridge or not.
This does open the question of "How does Tor Launcher know the country of the user...Tor Browser Launcher would, for countries where we know Tor to either work for sure or not work for sure, advise users on whether to use a bridge or not.
This does open the question of "How does Tor Launcher know the country of the user"?
I think this is at the end of the day a UX question, that can have various ways of doing it. For example you can have the user input their country (but that is maybe a bit sketchy from the users perspective) or you could show them a list of countries where tor is known to work OK and a list of where it's known to not work.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/22535searching from about:tor brings me to duckduckgo but my query is discarded2020-06-15T23:44:40ZRoger Dingledinesearching from about:tor brings me to duckduckgo but my query is discardedGo to about:tor and in the text box in the middle of the window, type foo and then either hit enter or click the magnifying glass.
It brings me to duckduckgo, but it doesn't carry the search query along with it -- I have to do my search...Go to about:tor and in the text box in the middle of the window, type foo and then either hit enter or click the magnifying glass.
It brings me to duckduckgo, but it doesn't carry the search query along with it -- I have to do my search query again once I'm at duckduckgo.
Things work fine from a blank tab, or from the little search box in the upper right.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/22496Check that updater changes coming with Firefox 52.2.0esr are unproblematic fo...2020-06-15T23:44:32ZGeorg KoppenCheck that updater changes coming with Firefox 52.2.0esr are unproblematic for Tor BrowserThere are a bunch of code changes regarding the updater code that are not in Firefox 52.1.xesr but Firefox 52.2.0esr (or code that could become that version).
Here are some of the changesets we should double check:
https://hg.mozilla.o...There are a bunch of code changes regarding the updater code that are not in Firefox 52.1.xesr but Firefox 52.2.0esr (or code that could become that version).
Here are some of the changesets we should double check:
https://hg.mozilla.org/releases/mozilla-esr52/rev/e72789cd4486e5d309a127b6790398ca4689f44b
https://hg.mozilla.org/releases/mozilla-esr52/rev/fe41acbfab790675cee9f7305b7ca0db2ca6637b
https://hg.mozilla.org/releases/mozilla-esr52/rev/61066f53c6e0234c2f55ae43329d4b8d2b7b3b57
https://hg.mozilla.org/releases/mozilla-esr52/rev/c15b2a5abf1ca5c4169ef6340be56a25b5ec4f45
https://hg.mozilla.org/releases/mozilla-esr52/rev/3a49fe1696720a9586e37ab5d37d886987820b46
There might be more. Skimming over them I think we should be unaffected as they are maintenance service related which we disable. But I might have missed other changesets or read the code wrongly. mcs: I have access to the two security bugs. If you need further information, let me know.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/22283Linux 7.0a4 broken after update: "Directory /run/user/$uid/Tor does not exist."2020-06-13T17:43:36ZMark SmithLinux 7.0a4 broken after update: "Directory /run/user/$uid/Tor does not exist."After Tor Browser 7.0a3 is updated to 7.0a4 on Linux, it fails to start up. The problem is that the code we wrote for #20761 to remove `ControlPort` and `SocksPort` lines from the user's torrc only removes Unix domain socket lines if the...After Tor Browser 7.0a3 is updated to 7.0a4 on Linux, it fails to start up. The problem is that the code we wrote for #20761 to remove `ControlPort` and `SocksPort` lines from the user's torrc only removes Unix domain socket lines if the browser is configured to use Unix domain sockets, which it is not in 7.0a4. This means that after updating to 7.0a4, Tor Launcher starts tor so that TCP is used for the control port and SOCKS port, but lines like the following are left behind in torrc:
```
ControlPort unix:/run/user/1001/Tor/control.socket
SocksPort unix:/run/user/1001/Tor/socks.socket IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth
```
Unfortunately, the parent directory (in this example, `/run/user/1001/Tor`) does not exist because Tor Launcher removes it when it exits and does not create it because it does not think Unix domain sockets are being used.
A similar problem occurs on OSX, but the parent directory is always `.../TorBrowser-Data/Tor` which happens to exist for other reasons (i.e., that's where torrc is located), so on OSX Tor Browser starts up and there are both TCP and Unix domain socket listeners.
One workaround is for users to edit their torrc and remove the `ControlPort` and `SocksPort` lines manually.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/22104Adjust #19837 for ff52-esr (update our content policy whitelist)2020-06-15T23:43:22ZcypherpunksAdjust #19837 for ff52-esr (update our content policy whitelist)No controls are visible and
```
[...] TypeError: this.scrubber.valueChanged is not a function videocontrols.xml:962:29
```No controls are visible and
```
[...] TypeError: this.scrubber.valueChanged is not a function videocontrols.xml:962:29
```Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/22044When I use the search box in the upper right it defaults to using youtube (on...2020-06-15T23:43:10ZTracWhen I use the search box in the upper right it defaults to using youtube (on macOS)when I use the search box in the upper right it defaults to using youtube instead of duckduckgo.
macOS 10.12.4 (16E195)
TBB 7.0a3
**Trac**:
**Username**: Dbryrtfbcbhgfwhen I use the search box in the upper right it defaults to using youtube instead of duckduckgo.
macOS 10.12.4 (16E195)
TBB 7.0a3
**Trac**:
**Username**: DbryrtfbcbhgfMark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/21962Segmentation fault with "high" security when changing in about:addons to "Ext...2020-06-15T23:43:00ZTracSegmentation fault with "high" security when changing in about:addons to "Extensions" or "Appearance"Tor-Browser version: 7.0a3-build4, 64 bit Linux
The segmentation fault is maybe only the most annoying part of the underlying issue. If the security level is set to "High" and after a restart of Tor Browser, opening about:addons and try...Tor-Browser version: 7.0a3-build4, 64 bit Linux
The segmentation fault is maybe only the most annoying part of the underlying issue. If the security level is set to "High" and after a restart of Tor Browser, opening about:addons and trying to change to the "Extensions" or "Appearance" panel leads to a segmentation fault.
Other effects of setting the security level to "High" which may be related or may help you finding the root cause:
(after closing and restarting)
- the symbols in front of the panel descritions in about:preferences are not visible
- the checkboxes in about:preferences don't show a check mark or a dot if they are selected
Unfortunately I don't know how to debug this, but I hope you can reproduce this easily.
**Trac**:
**Username**: viktorjMark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/21948Going back to about:tor page gives a "The address isn’t valid"-error2020-06-15T23:42:50ZGeorg KoppenGoing back to about:tor page gives a "The address isn’t valid"-errorAfter start-up the `about:tor` page is shown. If one enters a URL (e.g. www.torproject.org) and tries to go back to `about:tor` afterwards a "The address isn’t valid"-error is shown instead. This works 6.5.2 as expected.After start-up the `about:tor` page is shown. If one enters a URL (e.g. www.torproject.org) and tries to go back to `about:tor` afterwards a "The address isn’t valid"-error is shown instead. This works 6.5.2 as expected.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/21940OSX updater: consider disabling privilege escalation2020-06-15T23:42:49ZMark SmithOSX updater: consider disabling privilege escalationIn Firefox 52 (since 49), the Firefox updater will attempt to gain elevated privileges on OSX if necessary to apply an update. See: https://bugzilla.mozilla.org/show_bug.cgi?id=394984
So far I have not tested this with an ESR52-based To...In Firefox 52 (since 49), the Firefox updater will attempt to gain elevated privileges on OSX if necessary to apply an update. See: https://bugzilla.mozilla.org/show_bug.cgi?id=394984
So far I have not tested this with an ESR52-based Tor Browser, but we should decide whether we want to leave this feature enabled or remove it before the first stable release of Tor Browser 7.0.
On Windows, we disabled similar code because (1) most Windows users probably do not install Tor Browser in a directory that requires admin privileges and (2) we did not want to audit the code (e.g., we did not want there to be a chance that someone could be tricked into granting more privileges, perhaps due to malware that took advantage of another security bug).
On OSX the situation is a little different because we do encourage people to drop TorBrowser.app into /Applications, which does require admin privileges. I personally use an account on OSX that has Admin privileges at all times, so updates work fine for me with TB 6.x and earlier... but that is not considered best security practice on OSX (actually, I usually do not install TB in /Applications at all because I keep several versions around to make it easier to triage bugs).
Cc: Tim and Linda who may also have some thoughts on this. To be sure, there is a security vs. usability tradeoff here.Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/21879OSX: default bookmarks not used2020-06-16T01:08:00ZMark SmithOSX: default bookmarks not usedOur Tor Project bookmarks are not used by default in the ESR52-bssed TB nightly builds (I saw this problem on OSX with the builds mentioned here: comment:1:ticket:21875).
Although our bookmarks.html file is included in browser/omni.ja, ...Our Tor Project bookmarks are not used by default in the ESR52-bssed TB nightly builds (I saw this problem on OSX with the builds mentioned here: comment:1:ticket:21875).
Although our bookmarks.html file is included in browser/omni.ja, it seems to be ignored. Maybe ESR52 uses a new mechanism for configuring the default bookmarks.Mark SmithMark Smith