Trac issueshttps://gitlab.torproject.org/legacy/trac/-/issues2020-06-16T01:02:47Zhttps://gitlab.torproject.org/legacy/trac/-/issues/30272Gracefully Handle Loss of Connection on Startup2020-06-16T01:02:47ZShane IsbellGracefully Handle Loss of Connection on StartupIf I put in airplane mode, the logs will show that tor keeps trying to connect, saying its stuck at 0%. We should detect if app goes into airplane mode (or does not have a connection). The user-device interaction in this case is still un...If I put in airplane mode, the logs will show that tor keeps trying to connect, saying its stuck at 0%. We should detect if app goes into airplane mode (or does not have a connection). The user-device interaction in this case is still undefined.https://gitlab.torproject.org/legacy/trac/-/issues/30259Improve verify signature flow for Tor Browser2020-06-13T17:28:02ZAntonelaantonela@torproject.orgImprove verify signature flow for Tor BrowserVerifying signature is a painful process for regular and power users. This ticket aims to explore how we can improve it.Verifying signature is a painful process for regular and power users. This ticket aims to explore how we can improve it.Antonelaantonela@torproject.orgAntonelaantonela@torproject.orghttps://gitlab.torproject.org/legacy/trac/-/issues/30104browser onboarding: 8.5 security level image includes English text2020-06-16T01:02:19ZMark Smithbrowser onboarding: 8.5 security level image includes English textThe security level image that is shown on the "updated for Tor Browser 8.5" Security onboarding page includes a screenshot of the Security Level doorhanger that was taken when running in the en-US locale. That means we will show English ...The security level image that is shown on the "updated for Tor Browser 8.5" Security onboarding page includes a screenshot of the Security Level doorhanger that was taken when running in the en-US locale. That means we will show English text for all locales. We should find a different solution in the long run.
This is the image: https://gitweb.torproject.org/tor-browser.git/plain/browser/extensions/onboarding/content/img/figure_tor-security-level.png?h=tor-browser-60.6.1esr-8.5-1https://gitlab.torproject.org/legacy/trac/-/issues/30032Add warning or disable adding additional extensions2020-06-16T01:02:13ZWilliam BudingtonAdd warning or disable adding additional extensionsA few users of the Tor Browser have reached out to the EFF extension developers team wanting help with Privacy Badger. As we've explained in the past[1], installing Privacy Badger within Tor Browser can seriously impede the anonymity gu...A few users of the Tor Browser have reached out to the EFF extension developers team wanting help with Privacy Badger. As we've explained in the past[1], installing Privacy Badger within Tor Browser can seriously impede the anonymity guarantees of TB. Even extensions which under normal circumstances in mainline Firefox would increase privacy can be harmful in the TB context - for instance, canvas hash randomizers can move the browser from the relatively large anonymity pool of "TB users on Linux" to the much smaller pool of "TB users on Linux who have a canvas randomizer", since the fact that your canvas is randomized is able to be determined by any remote site. Users of TB are more likely to be power users and install additional addons as well.
Currently, installing an extension in TB is as easy as doing the same in Firefox. We should either disable the ability to install additional extensions or add a highly eye-catching warning alerting users to the fact that extensions, even ones that are privacy-oriented, can be harmful to anonymity.
1. https://tor.stackexchange.com/questions/15653/why-does-tor-not-pre-include-privacy-badger-or-disconnect-add-onshttps://gitlab.torproject.org/legacy/trac/-/issues/30025Objective 2, Activity 4: Better client-side errors2020-06-16T01:02:12ZPili GuerraObjective 2, Activity 4: Better client-side errorsThis is the parent ticket to hold any tickets under this activity, including:
- Improving Tor Browser behavior when an onion site supports HTTPS but the HTTPS is not from an approved certificate.
- Fixing inconsistent messages we are sho...This is the parent ticket to hold any tickets under this activity, including:
- Improving Tor Browser behavior when an onion site supports HTTPS but the HTTPS is not from an approved certificate.
- Fixing inconsistent messages we are showing to users accessing .onion sites with self-signed certificates-
- Improving Tor Browser’s user experience and error messages when a .onion link fails.
- Providing more informative error messages back to the user to better indicate whether the issue was on the service-side, on the client-side, or on the network-side.https://gitlab.torproject.org/legacy/trac/-/issues/30022Objective 2, Activity 2: Notify users about typo errors when entering .onion ...2020-06-16T01:02:09ZPili GuerraObjective 2, Activity 2: Notify users about typo errors when entering .onion addressesThis is the parent ticket to hold any tickets under this activity, including:
- Using the address format of onion services v3 that allows us to detect typos.
- Experimenting with the optimal user experience for this error case, e.g. off...This is the parent ticket to hold any tickets under this activity, including:
- Using the address format of onion services v3 that allows us to detect typos.
- Experimenting with the optimal user experience for this error case, e.g. offering a retry-button after explaining what went wrong.
- Implementing a special error page that tells the user the problem is a typo in the address.https://gitlab.torproject.org/legacy/trac/-/issues/29997Add a "?" besides setting that could help fingerprinting you if changed2020-06-16T01:02:06ZTracAdd a "?" besides setting that could help fingerprinting you if changedAn interactive GUI "What not to do" guide that explains what should be avoided.
A "(?)" beside a setting should explain what happens if you, for example. Remove all the Search Engines from the list, if that could create a unique fingerp...An interactive GUI "What not to do" guide that explains what should be avoided.
A "(?)" beside a setting should explain what happens if you, for example. Remove all the Search Engines from the list, if that could create a unique fingerprint. Or changing the Default Search Engine.
I recently figured out that the Bookmarks Toolbar was changing my Window Size without me knowing. That I have been using on websites for months. Changing the Bookmarks/History to a popup window would be better maybe? Or simply have the blank page after opening a new tab contain all your bookmarks.
**Trac**:
**Username**: namihttps://gitlab.torproject.org/legacy/trac/-/issues/29973Remove remaining stopOpenSecuritySettingsObserver() pieces2020-06-16T01:02:01ZGeorg KoppenRemove remaining stopOpenSecuritySettingsObserver() pieces`stopOpenSecuritySettingsObserver()` is not needed anymore with the changes in #25658. However, there are some pieces left of it that result in a browser console error. Noted on our blog: https://blog.torproject.org/comment/280343#commen...`stopOpenSecuritySettingsObserver()` is not needed anymore with the changes in #25658. However, there are some pieces left of it that result in a browser console error. Noted on our blog: https://blog.torproject.org/comment/280343#comment-280343https://gitlab.torproject.org/legacy/trac/-/issues/29955Final Orfox update2020-06-16T01:03:56ZMatthew FinkelFinal Orfox updateI'm debating how we should do this. Ideally, we want to migrate all Orfox users to TBA. In this ideal world, I would propose creating a very simple app as a replacement for Orfox where this new app simply says something like "Orfox is no...I'm debating how we should do this. Ideally, we want to migrate all Orfox users to TBA. In this ideal world, I would propose creating a very simple app as a replacement for Orfox where this new app simply says something like "Orfox is now Tor Browser for Android! Please install it from <app store link>". We can detect if the device has the Play store or F-droid installed and give the user one of the links. We can also offer a way to migrate the users bookmarks from Orfox to TBA.
The real world is more complicated than the ideal world. I worry about releasing an update of Orfox that completely replaces its current functionality with a simple-migration-tool. However, realistically, no one should be using Firefox 52esr now, so moving users away from that is important. With that being said, people should have a choice.
One problem is we can't easily release a new version of Orfox (based on 52esr) because Google Play won't accept it due to stricter requirements that went into effect last October. Therefore, we are in a not so great situation with this.https://gitlab.torproject.org/legacy/trac/-/issues/29873TBA 60.6.0 UI breaks proxy compatibility2020-06-16T01:01:49ZTracTBA 60.6.0 UI breaks proxy compatibilityProblem:
TBA 60.6.0 doesn't allow to connect to SOCKS proxy and also doesn't allow bypass of built-in Orbot.
Why it is a problem:
I live in a country that blocks Tor so efficiently that I need comercial VPN services to connect to Tor.
I...Problem:
TBA 60.6.0 doesn't allow to connect to SOCKS proxy and also doesn't allow bypass of built-in Orbot.
Why it is a problem:
I live in a country that blocks Tor so efficiently that I need comercial VPN services to connect to Tor.
I don't trust the apps of those companies with a system wide VPN (which I also still need it for the separate Orbot VPN) and have it expose a SOCKS5 instead.
Before Upgrade:
TBA>separate Orbot SOCKS5>commercial VPN service app SOCKS5>internet
After I start TBA I use my phone's back button to bypass the built-in Orbot. I open about:config and change the SOCKS port to the one from the separate Orbot. Then I browse as normal.
After Upgrade:
The built-in Orbot can not be bypassed. I can also not connect it directly to the commercial app. I can not browse the internet.
**Trac**:
**Username**: aprilhttps://gitlab.torproject.org/legacy/trac/-/issues/29833about:logo still contains Firefox logos2020-06-16T01:01:43ZGeorg Koppenabout:logo still contains Firefox logosWe fixed a lot of Firefox logos by replacing them with their Tor Browser counterparts in #25702. However, `about:logo` still shows a combination of Firefox icon and Firefox related text. We'd want to have a respective Tor Browser logo/ic...We fixed a lot of Firefox logos by replacing them with their Tor Browser counterparts in #25702. However, `about:logo` still shows a combination of Firefox icon and Firefox related text. We'd want to have a respective Tor Browser logo/icon for that one as well. (Discovered while trying to figure out what the purpose of the unmodified icons in the mobile folder is; mobile is affected, too).
The icon in question is located in `browser/branding/$series/content/about.png` for desktop and `mobile/android/branding/$series/content/about.png` for mobile.https://gitlab.torproject.org/legacy/trac/-/issues/29695The captcha displayed while authenticating connecting to a tor bridge is unre...2020-09-02T17:52:43ZTracThe captcha displayed while authenticating connecting to a tor bridge is unreadableSteps:
1. Open "Tor Network Settings"
2. Select "Request a tor bridge from torproject.org"
3. Click on button "Request a new bridge"
The captcha displayed for verification on connecting to tor bridges is not readable. It has letters an...Steps:
1. Open "Tor Network Settings"
2. Select "Request a tor bridge from torproject.org"
3. Click on button "Request a new bridge"
The captcha displayed for verification on connecting to tor bridges is not readable. It has letters and characters merged in such a way that the probability of getting it right is very low(I have had a success rate of 1 out of 10 times).
**Trac**:
**Username**: cskhttps://gitlab.torproject.org/legacy/trac/-/issues/29664Create release notes page at torproject.org2020-06-13T17:27:36ZAntonelaantonela@torproject.orgCreate release notes page at torproject.orgOn #29440 we discussed the possibility to have release notes per each browser release outside the blog. That is useful for different reasons; one of them is having a centralized place to look for these notes.
I'd suggest including this ...On #29440 we discussed the possibility to have release notes per each browser release outside the blog. That is useful for different reasons; one of them is having a centralized place to look for these notes.
I'd suggest including this at
`torproject.org/torbrowser/%version%/releasenotes`
`torproject.org/torbrowserandroid/%version%/releasenotes`
We may want to automate it in many ways, the first iteration could be static as well.HiroHirohttps://gitlab.torproject.org/legacy/trac/-/issues/29646NoScript XSS user choices are persisted2020-06-16T01:28:26ZTracNoScript XSS user choices are persistedWhenever user chooses 'Always allow' or 'Always block' in one of the NoScript XSS popups the setting is persisted in `storage-sync.sqlite` file and this is never cleared on browser startup as the rest of NoScript preferences.
The full p...Whenever user chooses 'Always allow' or 'Always block' in one of the NoScript XSS popups the setting is persisted in `storage-sync.sqlite` file and this is never cleared on browser startup as the rest of NoScript preferences.
The full persisted object can be inspected via `about:debugging` -> Debug Noscript -> `browser.storage.sync.get('xssUserChoices')`.
I understand this is not intended behaviour, since NoScript default is to not persist user choices (clearing them up on browser start).
**Trac**:
**Username**: atachttps://gitlab.torproject.org/legacy/trac/-/issues/29590Smarter bootstrapping for Tor Browser taking censorship into account2020-06-16T01:01:15ZGeorg KoppenSmarter bootstrapping for Tor Browser taking censorship into accountRight now we don't offer the user much help when connecting wherever they are with their mobile phone. They get to make the choice to be on the safe side given their current context as to whether they want to connect directly or use a br...Right now we don't offer the user much help when connecting wherever they are with their mobile phone. They get to make the choice to be on the safe side given their current context as to whether they want to connect directly or use a bridge/PT.
However, we might be able to be smarter here and make at least suggestions or allow even some bridge selection behind the scenes helping with a more automated bootstrapping.
The desktop related tickets are #21951 and #24527.
See for a good summary on what the Briar folks do (with further links to tickets on their side): https://lists.torproject.org/pipermail/tor-dev/2019-February/013708.html.https://gitlab.torproject.org/legacy/trac/-/issues/29506<noscript> tag doesn't work when JS is blocked by security slider at Safer2020-06-16T01:01:05ZMicah Lee<noscript> tag doesn't work when JS is blocked by security slider at SaferThe <noscript> HTML tag is supposed to be hidden when JavaScript is enabled, and get displayed when it's disabled. Websites use it to inform users what things are broken without JavaScript.
When the security slider is set to Safest, all...The <noscript> HTML tag is supposed to be hidden when JavaScript is enabled, and get displayed when it's disabled. Websites use it to inform users what things are broken without JavaScript.
When the security slider is set to Safest, all JavaScript is disabled, and the <noscript> tag works like expected. But when it's set to Safer, JavaScript is disabled on non-HTTPS websites (including HTTP .onion sites), but the <noscript> tag doesn't display, but it should.https://gitlab.torproject.org/legacy/trac/-/issues/29440Update about:tor when Tor Browser is updated2020-06-16T01:00:58ZAntonelaantonela@torproject.orgUpdate about:tor when Tor Browser is updatedAs part of #25694, I suggested having "Tor Browser has been updated" as a title in `about:tor` when Tor Browser starts after an update.
The mockup is here
https://trac.torproject.org/projects/tor/attachment/ticket/25694/1.3C.jpg
For us...As part of #25694, I suggested having "Tor Browser has been updated" as a title in `about:tor` when Tor Browser starts after an update.
The mockup is here
https://trac.torproject.org/projects/tor/attachment/ticket/25694/1.3C.jpg
For users interested in view the changelog, we should discuss if an exclusive page for it is the best way to approach it.https://gitlab.torproject.org/legacy/trac/-/issues/29197remove use of overlays from Tor Launcher2020-06-13T17:44:17ZMark Smithremove use of overlays from Tor LauncherXUL overlay support was removed from Firefox beginning with Firefox 63. See https://bugzilla.mozilla.org/show_bug.cgi?id=1449791
Tor Launcher uses an overlay to allow configuration UI elements to be shared between the setup wizard and t...XUL overlay support was removed from Firefox beginning with Firefox 63. See https://bugzilla.mozilla.org/show_bug.cgi?id=1449791
Tor Launcher uses an overlay to allow configuration UI elements to be shared between the setup wizard and the Tor Network Settings dialog. We will need to replace this with a preprocessor #include strategy or just maintain two copies of the XUL.Kathleen BradeKathleen Bradehttps://gitlab.torproject.org/legacy/trac/-/issues/29031Tor Browser for Android (Alpha) does not accept Torrc Custom Config lines2022-07-08T19:06:39ZTracTor Browser for Android (Alpha) does not accept Torrc Custom Config linesAs of version 60.4.0, users of Tor Browser for Android (Alpha) can no longer use a custom Torrc. This is related to the fact that Tor Browser for Android (Alpha) no longer depends upon Orbot, which as of version 16.0.5-RC-2-tor-0.3.4.9 ...As of version 60.4.0, users of Tor Browser for Android (Alpha) can no longer use a custom Torrc. This is related to the fact that Tor Browser for Android (Alpha) no longer depends upon Orbot, which as of version 16.0.5-RC-2-tor-0.3.4.9 continues to support this feature faithfully.
Tor Browser for Android (Alpha) has a new startup screen that resembles Orbot. On this screen, there is a "hamburger" menu in the top right corner that has a dropdown menu containing an option "Settings" which, just like Orbot, contains an option called "Torrc Custom Config". However, unlike Orbot, lines entered herein are not copied to `app_bin/torrc.custom` and (presumably thus) have no effect.
**TO REPLICATE**
1. Install both Orbot 16.0.5-RC-2-tor-0.3.4.9 and Tor Browser for Android (Alpha) 60.4.0 side by side.
2. Start Orbot; from the hamburger menu choose Settings; then choose Torrc Custom Config. Enter some valid line (such as `ControlPort 9051`)).
3. Open a terminal on your android device and run:
```
# cat /data/data/org.torproject.android/app_bin/torrc.custom
```
4. Verify that your custom line appeared successfully.
5. Now start Tor Browser for Android (Alpha); from the hamburger menu choose Settings; then choose Torrc Custom Config. Enter some valid line (such as `ControlPort 9151`)).
6. Open a terminal on your android device and run:
```
# cat /data/data/org.torproject.torbrowser_alpha/app_bin/torrc.custom
```
7. Verify that your custom line did **NOT** appear.
**Trac**:
**Username**: cypherpunks8https://gitlab.torproject.org/legacy/trac/-/issues/28885notify users that update is downloading2020-06-16T00:59:43ZMark Smithnotify users that update is downloadingAn important improvement that was discussed in #25694 is to let users know when an update is in the process of being downloaded. Firefox does not show this information in an obvious way; users need to open about:preferences and look in t...An important improvement that was discussed in #25694 is to let users know when an update is in the process of being downloaded. Firefox does not show this information in an obvious way; users need to open about:preferences and look in the Updates section or open the about box. Tor Browser users are sometimes confused because they know an update is available but have no easy way to know if it is being downloaded, and downloading the MAR files can take a while over Tor.
We plan to add a new "Downloading Tor Browser update..." message that will be displayed in the hamburger menu. We will also ensure that the standard "update" icon is displayed on the hamburger menu toolbar icon so users know to look inside for more info.