Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
Updated: 2020-06-13T17:44:21Z

moat: support a comma-separated list of transports in Tor config
https://gitlab.torproject.org/legacy/trac/-/issues/31488
Updated: 2020-06-13T17:44:21Z
Author: Mark Smith

The enhancement we made for #29627 does not support a list of transports. This means that if the following is used, Tor Launcher will not detect that a PT that supports meek_lite is available:
```
ClientTransportPlugin meek_lite,obfs2,obfs3,obfs4,scramblesuit exec ./TorBrowser/Tor/PluggableTransports/obfs4proxy
```
Kathy and I will post a patch soon.

Assignee: Mark Smith

Modify moat client code so it is compatible with ESR68
https://gitlab.torproject.org/legacy/trac/-/issues/31487
Updated: 2020-06-13T17:44:21Z
Author: Mark Smith

While working on #29430, Kathy and I found some incompatibilities in Tor Launcher's moat client code (src/modules/tl-bridgedb.jsm). All of the problems are due to Firefox internal API changes. While working on #31300, we did not exercise this code so we did not find these problems then.

Assignee: Mark Smith

Switch to clang for cctools project
https://gitlab.torproject.org/legacy/trac/-/issues/31467
Updated: 2020-06-16T01:06:40Z
Author: Georg Koppen

We switched away from the `llvm` project for being used in `firefox` and `macosx-toolchain` in favor of `clang`. We should do the same for `cctools` and then get rid of the `llvm` project altogether.

Don't install python just for mach
https://gitlab.torproject.org/legacy/trac/-/issues/31447
Updated: 2020-06-16T01:06:34Z
Author: Georg Koppen

We are currently installing `python` just for `mach`.
If we need an extra Python here then we should use the one we build ourselves already (or amend that so that it can be used).

Communication with noscript for security settings not working in nightlies
https://gitlab.torproject.org/legacy/trac/-/issues/31396
Updated: 2020-06-16T01:08:12Z
Author: Alex Catarineu

In current nightlies, changing security level does not modify NoScript settings. However, I verified that uninstalling the default NoScript, restarting the browser and installing NoScript from mozilla's addons page fixes this.

Update Android Firefox to Build with Clang
https://gitlab.torproject.org/legacy/trac/-/issues/31389
Updated: 2020-06-16T01:06:27Z
Author: Shane Isbell

Update Rust Project for Android
https://gitlab.torproject.org/legacy/trac/-/issues/31388
Updated: 2020-06-16T01:06:26Z
Author: Shane Isbell

Update Rust Project for Android config options

Fix about:tor assertion failure in esr68 linux debug builds
https://gitlab.torproject.org/legacy/trac/-/issues/31322
Updated: 2020-06-16T01:06:06Z
Author: Alex Catarineu

I found this assertion failure when testing #30429 in linux, debug build. It happens when loading `about:tor`:
`Assertion failure: foundDefaultSrc (about: page must contain a CSP including default-src), at /home/user/tor/tor-browser/dom/base/Document.cpp:5179`
We should investigate this, but not sure if it's `tbb-9.0-must-nightly`.

Modify Tor Launcher so it is compatible with ESR68
https://gitlab.torproject.org/legacy/trac/-/issues/31300
Updated: 2020-06-13T17:44:20Z
Author: Mark Smith

In addition to removal of overlays (#29197), we must make other changes in Tor Launcher for ESR68 compatibility. For example, most of the "on" event attributes within XUL wizard elements have been replaced with events.

Assignee: Kathleen Brade

Backport patch for #24056
https://gitlab.torproject.org/legacy/trac/-/issues/31298
Updated: 2020-06-16T01:06:02Z
Author: Alex Catarineu

https://bugzilla.mozilla.org/show_bug.cgi?id=1561322

View PDF in Tor browser is fuzzy
https://gitlab.torproject.org/legacy/trac/-/issues/31209
Updated: 2020-06-16T01:05:52Z
Author: Trac

This is open in Edge (or other normal PDF viewer, include PDF.js):
![https://i.loli.net/2019/07/21/5d342843868e089809.png](https://i.loli.net/2019/07/21/5d342843868e089809.png)
This is open in Tor browser (with PDF.js):
![https://i.loli.net/2019/07/21/5d342843dd2f844657.png](https://i.loli.net/2019/07/21/5d342843dd2f844657.png)
It's the same with all PDFs.
**Trac**:
**Username**: null

Update android-toolchain project to match firefox
https://gitlab.torproject.org/legacy/trac/-/issues/31173
Updated: 2020-06-16T01:05:48Z
Author: Shane Isbell

This includes ndk 17 and android build tools 27.

Web Compatibility should work and override RFP, but investigation is needed
https://gitlab.torproject.org/legacy/trac/-/issues/31162
Updated: 2020-06-16T01:05:46Z
Author: cypherpunks

Chrome-ish future...
https://www.ghacks.net/2019/07/15/firefox-68-aboutcompat-launches/

One tab crashed and transformed the other tab to about:newtab with no history!
https://gitlab.torproject.org/legacy/trac/-/issues/31142
Updated: 2020-06-16T01:05:42Z
Author: cypherpunks

What a mess!

Reenable Graphite for font rendering
https://gitlab.torproject.org/legacy/trac/-/issues/31134
Updated: 2020-06-16T01:05:39Z
Author: Georg Koppen

We disabled using Graphite for font rendering (after trying to reenable it) back in #21726 for security reasons. Things have settled down it seems. Thus, we should reenable it and put it back on the security slider this time.

Assignee: Georg Koppen

Enable AssertSystemPrincipalMustNotLoadRemoteDocuments
https://gitlab.torproject.org/legacy/trac/-/issues/31120
Updated: 2020-06-16T01:05:33Z
Author: Tom Ritter (tom@ritter.vg)

AssertSystemPrincipalMustNotLoadRemoteDocuments is a defense in depth mitigation Tor should ensure is used by default.
This will involve removing some ifdefs and possibly backporting the updates to the function from -central to -esr68

Backport bugzilla 1561636 for 26514
https://gitlab.torproject.org/legacy/trac/-/issues/31099
Updated: 2020-06-16T01:05:32Z
Author: Alex Catarineu

We can backport https://hg.mozilla.org/mozilla-central/rev/98a5a4864b88 and drop the patch for #26514.

Consider protection against requests going through catch-all circuit
https://gitlab.torproject.org/legacy/trac/-/issues/31066
Updated: 2020-06-16T01:28:28Z
Author: Alex Catarineu

While taking a look at upstreaming #26353 to Firefox I was thinking whether it would make sense to have some mitigations to reduce potential anonymity loss if there are requests unintentionally going through the catch-all circuit. We currently isolate requests by `originAttributes.firstPartyDomain`. If `originAttributes.firstPartyDomain` is empty, then the request goes to the catch-all circuit (socks username `--unknown--`).
I would suggest changing this and proxying with socks username `--unknown--|||firstPartyDomain(request)` instead, where `firstPartyDomain` is calculated as if the request host was the origin. I think this can only improve user anonymity wrt current behaviour, at the cost of potentially worse network performance (more circuits). But I think there should not be many cases where `firstPartyDomain` is empty, and also not so many `--unknown-- + domain` combinations to make this a performance issue. I think it should be seen just as a mitigation for the potential cases in Tor Browser that might not obey first party isolation.
Not sure if this has already been discussed in the past, but I thought it might be interesting to consider.

Investigate update on Windows via BITS
https://gitlab.torproject.org/legacy/trac/-/issues/31019
Updated: 2020-06-16T01:05:22Z
Author: Georg Koppen

It seems there is coming a new update method for Windows users with Firefox 68 ESR which is called BITS (Background Intelligent Transfer Service), which is a Windows component.[1] The marketing promise is that "This change will allow Firefox to continue downloading an update after Firefox has been closed." [2] which seems to be dangerous in the Tor Browser context.
There is a pref we can flip, though, to use the older internal updater [3]. However, we should make sure the potential proxy bypass I am seeing here is actually mitigated by that.
[1] https://www.ghacks.net/2019/06/24/firefox-will-use-bits-on-windows-for-updates-going-forward/
[2] https://groups.google.com/forum/#!topic/mozilla.dev.platform/PCzoYCfi_fk
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1553977

svg.disabled = 'true' hides the UI icons in extensions
https://gitlab.torproject.org/legacy/trac/-/issues/31015
Updated: 2020-06-16T01:05:20Z
Author: cypherpunks

In "safest" security level `svg.disabled` is set to `true` in Tor Browser. This causes the UI icons in the latest versions of uBlock Origin and uMatrix to disappear.
The author of the extensions declined working on this with a note:
"I consider this a browser issue, to be reported to Firefox issue tracker. Extensions extend a browser abilities, they should not be subjected to restrictions which are meant to be imposed on web pages."
https://github.com/uBlockOrigin/uBlock-issues/issues/446
However as this is Tor Browser specific, I am reporting it here.