Richard Pospesel authored Jan 18, 2018 and Georg Koppen committed Feb 21, 2018

After much debugging and investigation, it seems that the required
information needed to drive the first-party domain cannot be accessed in
the XmlHttpRequest creation path.  The JS context the part of pdf.js making
the range requests runs with does not have a reference to parent window and
associated LoadInfo information (which includes the requesting first-party
domain).

To fix the issue, we can easily disable support for range-based requests
via the pdfjs.disableRange property.  However, the side-effect here is
that pages can not be read as they load; the entire pdf must be
downloaded before it can be read and interacted with.

This patch updates each platforms extension-overrides.js to change this
pref.

We need to whitelist `[System+Principal]` for functioning settings
frames of WebExtensions on the about:addons page. On higher security
slider levels this is broken otherwise.

To quote Giorgio Maone (see: #25000 comment:14):

"The Tor Browser enforces permissions cascading, and in the Add-ons
Options window the top frame is about:addons, whose principal's origin
is [System+Principal]. Since this origin is omitted from Tor Browser's
version of NoScript mandatory whitelist, the top site by default is
considered forbidden, cascading down script blocking to the
WebExtension's subframe."

Kathleen Brade authored Feb 15, 2018 and boklm committed Feb 16, 2018

Tor Launcher's Moat client implementation uses Mozilla's Subprocess.jsm
module to start the meek client, and that module requires a complete
file path including the .exe suffix. For consistency, we now include
the .exe suffix everywhere.

Add a tbb_version.json file containing informations about the installed
bundle.

This fixes the download of the osx64 mar files. Previously we were
unsigning the downloaded mar files and checking them with
sha256sums-unsigned-build.txt. The signed osx64 mar files include files
that are code-signed, so unsigning the mar file is not enough to get a
mar file matching sha256sums-unsigned-build.txt.

Patch provided by kkuehl, thanks

Use tor-browser -2 and build number bump

Changelog update and versions bump

The defaut timestamp value will use the commit time of the selected
commit for the project, which will require cloning the git repository if
it is not present. When we use the no_build_id target to display a script,
we usually don't care about such details, so we set timestamp to 0 to
avoid unnecessary cloning.