Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
**Updated**: 2020-06-16T01:28:29Z

**Issue**: Users that try to run from DMG files run into "Another copy of Firefox is running"
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/14631
**Updated**: 2020-06-16T01:28:29Z
**Author**: Arthur Edelstein

Somehow we should figure out how to avoid this bug. Is it possible to write Firefox Profile files in /var/tmp or maybe not write them at all?

**Assignee**: Mark Smith

**Issue**: Closely review all uses of IsCallerChrome() for e10s
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/14205
**Updated**: 2020-06-15T23:27:59Z
**Author**: Mike Perry

A lot of our fingerprinting patches depend upon the accuracy of nsContentUtils::IsCallerChrome() to determine if it is content window or browser chrome accessing fingerprinting information.
IsCallerChrome() kind of scares me, and has had issues for unexpected contexts like WebWorkers (See #13027).
We should keep a close eye on this as we transition to e10s support post FF38, as who knows what the child/parent context relationship changes may do to various codepaths.

**Assignee**: Mark Smith

**Issue**: Toggle NetworkSettings menuitem visibility based on an environment variable
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/14100
**Updated**: 2020-06-15T23:22:56Z
**Author**: Trac

This is a feature requested by some Linux distros, where the "Open Network Settings..." menuitem in TorButton is unneeded. A patch is to be made so this menuitem becomes hidden if a certain environment variable is set.
**Trac**:
**Username**: linostar

**Assignee**: Mark Smith

**Issue**: Write Firefox patch for removing third-party HTTP authentication tokens
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13900
**Updated**: 2020-06-15T23:22:37Z
**Author**: Georg Koppen

We still remove third-party HTTP authentication tokens in the SafeCache related code. We should turn that into a C++ patch + a proper test and get rid of the JS code as it is not needed anymore since the fix for #13742 landed.

**Assignee**: Mark Smith

**Issue**: Tor Browser software updater should link to announcement
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13889
**Updated**: 2020-06-15T23:22:33Z
**Author**: Runa Sandvik

The "View more information about this update"-link displayed by the Tor Browser software updater when a new update is available currently links to https://www.torproject.org/projects/torbrowser.html.en. If possible, it would be great to see this link to a page that actually does contain information about the latest update, such as an announcement email or blog post.

**Assignee**: Mark Smith

**Issue**: [PATCH] Active tab looks ugly (inherits system color scheme only partially)
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13818
**Updated**: 2020-06-15T23:22:24Z
**Author**: Trac

I use Tor Browser 4.5-alpha-1 on KDE, my gtk+ theme is oxygen-gtk. As I found from looking into sources of Tor Browser, when it renders site content, it uses some stand-ins for native colors to avoid browser fingerprinting. And these stand-ins should not be used when rendering browser interface - the variable useStandinsForNativeColors in layout/style/nsRuleNode.cpp:890 (function SetColor):
```
bool useStandinsForNativeColors = aPresContext && !aPresContext->IsChrome();
```
But this condition is not enough to fully distinguish browser interface from site content. Look at the attached screenshot to see that left and right corners of active tab are lighter than middle of the tab - this is because the middle renders with system colors, and corners render with stand-ins while stand-ins should be really disabled for them.
I discovered that two files correspond to the corners of the tab: chrome://browser/skin/tabbrowser/tab-selected-start.svg and chrome://browser/skin/tabbrowser/tab-selected-end.svg, and IsChrome() function returns false for these files, so stand-ins are used when they shouldn't.
I think that the attached patch should be used in order to handle correctly those two svg files.
**Trac**:
**Username**: gentoo_root

**Assignee**: Mark Smith

**Issue**: Tor Browser Bundle 4.0: updater fails on Windows
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13594
**Updated**: 2020-06-15T23:21:51Z
**Author**: Trac

Tor Browser Updates works fine on Windows 7 32-bit, but fails on Win XP sp3 32 bit

Steps to reproduce:
1) Download and install "torbrowser-install-4.0-alpha-3_es-ES.exe" or "torbrowser-install-4.0-alpha-3_en-US.exe" in a clean directory from
https://archive.torproject.org/tor-package-archive/torbrowser/4.0-alpha-3/
2) Run installed Tor Browser from created shortcut
4) Go to Help ... About Tor Browser and press "Check for updates"
5) When download finishes, click on restart to apply update

Actual results:
Tor Browser won't update and also will not start anymore.
Update files are left on
\Tor Browser\Browser\TorBrowser\Data\Browser\Caches\firefox\updates\0

Expected Results:
Tor Browser should update from 4.0-alpha-3 to 4.0 stable as it does on Windows 7

Workaround:
Remove update files from "...\Tor Browser\Browser\TorBrowser\Data\Browser\Caches\firefox" to let non-updated TBB run again.
**Trac**:
**Username**: marc

**Assignee**: Mark Smith

**Issue**: Create preference to disable MathML
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13548
**Updated**: 2020-06-15T23:21:42Z
**Author**: Georg Koppen

We should have a way to disable MathML support in Firefox for the security slider. There currently is no pref in Firefox for this, so we will need to create one.

**Assignee**: Mark Smith

**Issue**: After update, load a static tab with change notes
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13512
**Updated**: 2020-06-15T23:29:15Z
**Author**: Roger Dingledine

When you get a new noscript update, it loads a tab for you to tell you what changed. Now, in the noscript case, it's doing this to sell you ads so it can profit from you, which is kind of annoying. But the general concept of telling our users what changed would still be beneficial. Otherwise they have to (know to) find the info on the blog.
Good idea / bad idea?

**Assignee**: Mark Smith

**Issue**: Sign our MAR files
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13379
**Updated**: 2020-06-16T01:01:41Z
**Author**: Mike Perry

The MAR format supports embedded signatures. We should make use of this and sign our updates with a key that we embed in the browser.
This will require changes to our build process -- perhaps a post-processing signing step for MAR files on a dedicated machine.

**Assignee**: Mark Smith

**Issue**: symlinks missing after complete MAR file update
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13356
**Updated**: 2020-06-15T23:20:54Z
**Author**: Mark Smith

While testing using MAR files from our own nightly build, brade and I discovered that the meek symlinks (present on Mac OS) are removed after a complete MAR update is applied to TB 4.0-alpha-3. The problem is in the MAR file generation – specifically, we neglected to include the addsymlink directives in the updatev2.manifest file (we only put them in the new updatev3.manifest file that is used by ESR31 and newer browsers).

**Assignee**: Mark Smith

**Issue**: Update from 4.0-alpha-2 to 4.0-alpha-3 told me all my extensions were incompatible
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13301
**Updated**: 2020-06-15T23:20:42Z
**Author**: Roger Dingledine

My TBB 4.0-alpha-2 (32-bit Linux) popped up a thing saying there was an update ready. I said 'ok get it'. A while later it popped up a window with the title "Software Update" which said that the following extensions were incompatible with this new version, and they would be disabled until they were fixed to be compatible: Torbutton, Tor Launcher, HTTPS Everywhere.
My network here is really crappy -- is it possible there's some "try to reach the thing to check compatibility, if you time out, assume they're not compatible" logic somewhere?
(I'm assuming that the extensions do indeed self-identify as being compatible with all TBB 4.x.)

**Assignee**: Mark Smith

**Issue**: Tor Browser on OS X should not store data into the application bundle
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13252
**Updated**: 2020-06-15T23:40:53Z
**Author**: Trac

The Tor application on OS X stores user data into its bundle (TorBrowser.app/Data/). This is bad. This causes various issues:
- the Tor application can't be code signed which decreases the security. See Ticket #13251: CodeSign Tor for OS X
- when installing a new version of Tor, all previous user data (bookmarks) are deleted.
**Trac**:
**Username**: torosx

**Assignee**: Mark Smith

**Issue**: ESR31: about:tor shows "Tor is not working"
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13138
**Updated**: 2020-06-15T23:20:23Z
**Author**: Mark Smith

When running within an ESR31-based browser, the about:tor page always shows "Tor is not working in this browser". This happens because the mechanism Torbutton uses to detect load of the about:tor page has been removed from the Firefox code (specifically, the BrowserOnAboutPageLoad() function has been removed from browser.js). Kathy Brade and I are working on a fix.

**Assignee**: Mark Smith

**Issue**: Use "Tor Browser" everywhere (space included)
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13091
**Updated**: 2020-06-15T23:27:21Z
**Author**: Mark Smith

This is a spinoff of bug #13087. We should change our .mozconfig files to have:
```
mk_add_options MOZ_APP_DISPLAYNAME="Tor Browser"
```
and see if that causes any problems. If not, this is a simple change.

**Assignee**: Mark Smith

**Issue**: browser updater failure (self.update is undefined)
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13049
**Updated**: 2020-06-15T23:20:13Z
**Author**: Mark Smith

In testing the updater using the candidate 4.0a2 builds, brade and I found a problem that causes the update to silently fail. On the browser console, we see:
```
[15:20:56.361] WARN addons.manager: Exception calling callback:
TypeError: self.update is undefined @ chrome://browser/content/aboutDialog.js:439
```
It looks like we used self.update in a couple of functions where we should have used this.update. I am not sure why these code paths were not exercised in our earlier testing, but we are working on a fix right now.
If it is not too late, we should respin 4.0a2 to pick up this fix.

**Assignee**: Mark Smith

**Issue**: Updater should not send Kernel and GTK version
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13047
**Updated**: 2020-06-15T23:20:12Z
**Author**: Georg Koppen

Not sure how exactly the script works that detects the .mar file the user needs to download but I guess the user should not be in a need to send the Kernel and GTK version to get the correct one. Testing a bit my update URL looks something like
https://www.torproject.org/dist/torbrowser/update/alpha/Linux_x86-gcc3/Linux%203.14-2-686-pae%20(GTK%202.24.24)/4.0-alpha-2/en-US?force=1
I somehow doubt we have an own directory for every Kernel+GTK combination. Thus, what the updater should send in my opinion is something like
https://www.torproject.org/dist/torbrowser/update/alpha/Linux_x86-gcc3/4.0-alpha-2/en-US?force=1
You have then the update channel, the platform + architecture, the current version and the language. That should be enough for a successful update.

**Assignee**: Mark Smith

**Issue**: Make sure our cache isolation works with cache2
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13035
**Updated**: 2020-06-15T23:27:42Z
**Author**: Georg Koppen

Mozilla wrote a new cache back-end which landed in the 32 release cycle and has a bunch of new features like
```
The new HTTP cache back end has many improvements like request prioritization optimized for first-paint time, ahead of read data preloading to speed up large content load, delayed writes to not block first paint time, pool of most recently used response headers to allow 0ms decisions on reuse or re-validation of a cached payload, 0ms miss-time look-up via an index, smarter eviction policies using frecency algorithm
```
(http://www.janbambas.cz/new-firefox-http-cache-enabled/)
We should make sure that our cache isolation patches get properly rewritten and no new information leaks occur.
See: https://bugzilla.mozilla.org/show_bug.cgi?id=913806 and https://developer.mozilla.org/en-US/docs/HTTP_Cache for further information.

**Assignee**: Mark Smith

**Issue**: Remove access to all Mozilla-prefixed media queries
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/13016
**Updated**: 2020-06-15T23:24:36Z
**Author**: Mike Perry

In Firefox25, Mozilla added a couple scary media queries (-moz-os-version and -moz-osx-font-smoothing).
I think we should get rid of these, as well as most/all of the prefixed media queries in https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries#-moz-os-version.
Either just disable them, or make them lie.

**Assignee**: Mark Smith

**Issue**: Support a multi-lingual TBB that can switch between localizations
**URL**: https://gitlab.torproject.org/legacy/trac/-/issues/12967
**Updated**: 2023-01-05T12:42:16Z
**Author**: Mike Perry

I think for our hardened and/or alpha series, we should just include all of our langpacks in one release, and ask the user for their language. The pref general.useragent.locale exists for this purpose.
The reason we want to do this is to avoid another 2G worth of dist files for the hardened series (which will also need special build options, like 64 bit on Windows and Mac).
This is probably a usability sinkhole, though :/

**Assignee**: Mark Smith