Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-16T00:46:26Z

https://gitlab.torproject.org/legacy/trac/-/issues/8725
resource:// URIs leak information
2020-06-16T00:46:26Z
Trac

Here's a bug in Firefox that may be able to identify users of Tor Browser Bundle:
https://bugzilla.mozilla.org/show_bug.cgi?id=863246
**Trac**:
**Username**: holizz

https://gitlab.torproject.org/legacy/trac/-/issues/8558
Re-verify app-launching defenses on Windows
2020-06-13T17:40:17Z
Mike Perry

Rsnake claims that some stuff he did 3 years ago still works on TBB. We certainly fixed the two vectors he mentioned (itms and smb) with Torbutton, but it is possible that one or more random things have been broken/undone by FF17. We should retest as many of them as we can, especially on Windows. Especially since Rsnake seems insistent on being as unhelpful as possible :/. Gotta love timewasters....
Most decloaking attacks are based on plugins, which are disabled by a Firefox patch and also by Firefox settings, but the following two decloak.net attacks should be retested:
1. "When the iTunes is installed, it registers the itms:// protocol handler. This protocol handler will open iTunes and do a direct connection to the specified URL. There are some restrictions on the URL you can pass, but we found a nice way around them :-)"
2. "When Microsoft Office is installed and configured to automatically open documents, a file can be returned which automatically downloads an image from the internet. This can bypass proxy settings and expose the real DNS servers of the user."
Unfortunately, decloak.net is now down, so the exact itms url it used is unavailable (unless the source is still around somewhere).
Also, this test should be verified on Windows:
http://pseudo-flaw.net/tor/torbutton/ipleak-dotnet-assistant.html
I think the .NET assistant addon might need to be explicitly installed these days. It used to auto-install with some piece of .NET but then Mozilla blacklisted it. They may have removed the blacklist, though...
Also, we should try some SMB urls on windows. Native Firefox SMB handling appears to be unimplemented still, but it may be possible to shove something in the registry that enables an external handler:
http://kb.mozillazine.org/Register_protocol#Windows
http://msdn.microsoft.com/en-us/library/aa767914.aspx
Such external handlers *should* still be blocked by Torbutton, though. They certainly are on MacOS and Linux...

https://gitlab.torproject.org/legacy/trac/-/issues/8511
Firefox caches proxy settings per hosts
2020-06-15T23:26:10Z
Mike Perry

It turns out Firefox now caches proxy settings per host.
This causes us problems when people reconfigure their proxy settings, and also during startup when we change our proxy settings based on the environment variables from Vidalia. This change in proxy settings sometimes happens after the browser has already attempted to connect to check.torproject.org for the HTTPS-Everywhere Tor test, which then causes check.torproject.org to forever use the old proxy settings.

https://gitlab.torproject.org/legacy/trac/-/issues/8478
Tor Browser Bundle on OS X 10.6 does not set resolution to a multiple of 200x100
2020-06-15T23:16:08Z
cypherpunks

Panopticlick and http://browserspy.dk/screen.php report a width of 1000 pixels and height of 571 pixels.
This behavior is observed immediately after unzipping TorBrowser into a clean directory and launching it.
Mac OS X 10.6.8, TorBrowser-2.3.25-5-osx-x86_64-en-US.zip

Assignee: Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/8470
Request randomization a lot less random in FF17
2013-04-25T00:25:55Z
Mike Perry

I decided to take a closer look at the actual request ordering in our Firefox builds, and it appears a lot less random than when I first tested the pipeline randomization patch.
This could be due to a regression before FF10, since the last time I tested it was ~FF7/8, but most likely it was introduced between 10 and 17, when I rewrote the patch completely.

Assignee: Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/8457
Session Restore Broken
2014-01-24T04:01:11Z
Trac

I just upgraded to the tor-browser-2.3.25-4_en-US
In Tor Button 1.4.x, when you set to Security->History, and unchecked the "Block History options", then Session restore would work as expected.
In the new Tor Button 1.5 interface, there is:
* Don't record browsing history or website data (enables Private Browsing Mode)
If you unchecked "Don't record browsing history", you think this would enable the history AND the session restore. It does not.
So in the new tor bundle, when I now set Options->General->"Show my windows and tabs from last time". Nothing Happens. All modern browsers have a session restore. Eliminating this feature makes the tor bundle unusable for me as a daily browser.
Please fix this, so the tor bundle can be used as a functional daily browser again. I'm sure there are many users like me in Iran and China that use tor daily to get around repressive government firewalls. Many of us are not paranoid about possible privacy issues that enabling the session restore may create.
**Trac**:
**Username**: moonchild

Assignee: Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/8455
Limit @font-face font local() fonts and disable local fallback rendering
2020-06-15T23:15:40Z
Mike Perry

Gk pointed out in https://trac.torproject.org/projects/tor/ticket/5273#comment:42 that the initial display font before the WebFont is loaded is the "best fallback CSS font on the user's computer" (from https://developer.mozilla.org/en-US/docs/CSS/@font-face).
My guess was that the chosen font will be the default system font for the specified style if we don't have that font family, but what if the WebFont has the same name as a font that is on the system? Do we exempt it and allow text to be rendered with that local font briefly? Or does Firefox decide not to download the WebFont in the first place, such that that rule will count as a font probe?

Assignee: Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/8423
TBB always clears cookies at shutdown
2013-03-14T21:08:23Z
Mike Perry

I just found some old cruft code that causes us to always clear our cookies, regardless of your disk prefs.

Assignee: Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/8422
DOM localStorage not cleared on New Identity
2013-03-14T21:08:31Z
Mike Perry

http://www.stevesouders.com/blog/2012/09/10/clearing-browser-data/ reveals that despite the documentation on MDC (https://developer.mozilla.org/en/DOM/Storage#Storage_location_and_clearing_the_data), window.localStorage is NOT cleared by the "cookie-changed" observer event. We need to clear it explicitly. Isn't that cute. Another evercookie vector.
Since we enabled DOM storage for FF17, this is a regression, and a pretty bad one at that.

Assignee: Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/8400
Torbutton's browsing history pref seems to require restart
2020-06-15T23:15:27Z
Mike Perry

This is probably because we now rely on the browser.privatebrowsing.autostart, which I guess doesn't actually change the private browsing state itself. We probably need to emit the private browsing change notification event, or otherwise request changing the private browsing state the official way.

https://gitlab.torproject.org/legacy/trac/-/issues/8382
IndexedDB and Offline Cache can get enabled, but New Identity doesn't clear them
2013-03-14T21:08:27Z
Mike Perry

In #3100, I made IndexedDB and the Offline Cache tied to the TBB disk pref. If you allow disk access, they're on. However, New Identity doesn't currently clear them.
The user is at least prompted before these caches are used, even if they are enabled, but we still should probably clear them on New Identity...

Assignee: Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/8352
TBB with Firefox 17 ESR is exhibiting slow, clunky UI performance
2020-06-15T23:15:26Z
cypherpunks

TBB with Firefox 17 ESR is exhibiting slow and clunky UI performance. The previous TBB with Firefox 10.xx was not this sluggish.
It is noticeable especially when opening multiple tabs, closing tabs, opening preferences, dragging tabs etc. i.e. general UI performance.
Hardware specifications that this behavior was tested on:
Debian 6.0.7 (squeeze)
32-bit
Intel CPU Core 2 Duo 2.1 Ghzx2
2 GB RAM
TBB version: tor-browser-gnu-linux-i686-2.3.25-4-dev-en-US

https://gitlab.torproject.org/legacy/trac/-/issues/8350
Tor Browser can be launched independently from Vidalia with FF17
2020-06-15T23:15:25Z
Mike Perry

Our pref changes from #3944 allow Tor Browser to get launched directly now. The original ticket to solve this was #4192. We're going to need to solve it differently now.

https://gitlab.torproject.org/legacy/trac/-/issues/8336
TOR_SOCKS_HOST, TOR_SOCKS_PORT regression
2020-06-15T23:15:22Z
proper

TBB 2.3.25-2 not affected.
TBB 2.3.25-3 not tested (not available for download).
TBB 2.3.25-4 introduced this bug.
I am using /etc/environment on Debian Wheezy.
```
TOR_SOCKS_HOST="192.168.0.10"
TOR_SOCKS_PORT="9100"
```
(I am using a patched startup script, which starts "./App/Firefox/firefox --profile Data/profile" instead of "./App/vidalia --datadir Data/Vidalia/ -style Cleanlooks".)
When Tor Browser starts, it automatically opens https://check.torproject.org/?lang=en-US&small=1&uptodate=1 as expected but says:
```
The proxy server is refusing connections
Firefox is configured to use a proxy server that is refusing connections.
Check the proxy settings to make sure that they are correct.
Contact your network administrator to make sure the proxy server is
working.
```
All other pages are working.
https://check.torproject.org/ can not be reached until Tor Browser is restarted. Before the browser gets restarted it always says "The proxy server is refusing connections" even when trying to reload or in new tabs.
After Tor Browser has been restarted, everything works.

https://gitlab.torproject.org/legacy/trac/-/issues/8335
Torbutton 1.5 Causing Repeated HTTP Auth Prompts for Every Page
2013-03-14T21:10:49Z
Trac

Tor Browser Bundle (2.3.25-4) includes Torbutton 1.5 which appears to invalidate HTTP authentication after each page is loaded when the http authentication is on the root directory of the website.
This message appears in the Error Console after entering the authentication information into the HTTP auth prompt:
Torbutton NOTE: Removing 3rd party HTTP auth for url: [scrubbed]
The result is that the user must enter the HTTP authentication information for each page on the website.
There was no issue in prior releases of the Tor Browser Bundle.
The expected behavior is that the browser should store the http authentication credentials until Active Logins are clear or a New Identity is selected.
**Trac**:
**Username**: tas142

Milestone: TorBrowserBundle 2.3.x-stable
Assignee: Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/8324
Tor Browser 2.3.25-4 crashes with Drag and Drop on Windows
2022-12-13T08:31:15Z
cypherpunks

In the past 24 hours my browser crashed like 30-40 times. This wasn't the case with the previous versions.
Heavy webpages and loading too many tabs of them was always freezing my browser but I don't think that they were crashing it. Since 2.3.25-4 it brings my browser closer to crashing but that's not the only cause. For example, when I drag & drop a html or txt file to Tor Browser it mostly crashes. And I use the middle click scrolling too much and that's another trigger for crashing.
My OS: Windows 7 64 bit

Assignee: Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/8312
Remove "This Plugin is Disabled" click-through
2020-06-15T23:36:31Z
proper

I try a newbie user perspective...
> I just want to see that video. Let's go to that video site.
> Ok. Hmm. I see...
>> "The plugin is disabled.*
>> Manage plugins..."
> Click!
> Flash... Enable...
> Doesn't work. Let's try another page. It says...
>> "Click here to activate unknown plugin."
> Click!
And boom. The user shoots its own feet.
The option "Tor Button -> Preferences -> Security Settings -> Disable Browser Plugins (such as Flash)" is checked.
I think this is a regression. If that Tor Button setting is set, plugins shouldn't get activated, unless that option gets unchecked.
Version: Tor Browser Bundle (2.3.25-4)

Assignee: Mike Perry

https://gitlab.torproject.org/legacy/trac/-/issues/8302
Various aspects of Tor Browser branding broken for some builds
2013-03-14T20:57:43Z
Mike Perry

Non-English builds of Tor Browser still say "Mozilla Firefox" on their titlebar and on certain other UI elements. Thankfully on MacOS, the dock icon is still ours, and the menu bar still says "TorBrowser", as does Command-Tab and the Dock tooltip text.
At a wild guess, my bet is that they moved the titlebar string and probably some other stuff into property files in their langpack XPIs. We probably need another Makefile hack to replace them.
The right way to fix this is #8219, but I think a Makefile hack might be more expedient at this point? Especially since #8219 might conflict with Tails' branding extension.

Assignee: Erinn Clark

https://gitlab.torproject.org/legacy/trac/-/issues/8156
Tweetdeck's Web interface can't post tweets in TBB on Linux
2020-06-15T23:15:16Z
cypherpunks

Tweetdeck's Web interface (https://web.tweetdeck.com) doesn't work on the Tor Browser Bundle (Error: unable to initialize UI.) This is most likely due to the fact that there is no local storage in TBB. I've notified a Tweetdeck developer and he said they'll fix it soon. Will update when it is fixed.

Assignee: Erinn Clark

https://gitlab.torproject.org/legacy/trac/-/issues/6202
Rewrite E4X cookie storing+parsing code
2020-06-13T02:03:27Z
Mike Perry

Firefox 15 deprecates support for E4X, which we use in Torbutton to read and write protected cookies and maybe for some other stuff too. We need to rewrite that code to use xpath, JXON, or DOM manipulations.
HTTPS-Everywhere chose DOM manipulations. See #5893.

Assignee: Mike Perry