.eslintignore

@@ -268,3 +268,5 @@ browser/extensions/translations/extension/
 # "scaffolding" used by uniffi which isn't valid JS in its original form.
 toolkit/components/uniffi-bindgen-gecko-js/src/templates/js/
 toolkit/components/uniffi-bindgen-gecko-js/components/generated/*
+
+browser/app/profile/001-base-profile.js

.gitlab/issue_templates/bug.md

+<!--
+* Use this issue template for reporting a new bug.
+-->
+
+### Summary
+**Summarize the bug encountered concisely.**
+
+
+### Steps to reproduce:
+**How one can reproduce the issue - this is very important.**
+
+1. Step 1
+2. Step 2
+3. ...
+
+### What is the current bug behavior?
+**What actually happens.**
+
+
+### What is the expected behavior?
+**What you want to see instead**
+
+
+
+### Environment
+**Which operating system are you using? For example: Debian GNU/Linux 10.1, Windows 10, Ubuntu Xenial, FreeBSD 12.2, etc.**
+**Which installation method did you use? Distribution package (apt, pkg, homebrew), from source tarball, from Git, etc.**
+
+### Relevant logs and/or screenshots
+
+
+/label ~bug

.gitlab/merge_request_templates/default.md

+## Merge Info
+
+<!-- Bookkeeping information for release management -->
+
+### Related Issues
+- tor-browser#xxxxx
+- mullvad-browser#xxxxx
+- tor-browser-build#xxxxx
+
+### Backporting
+
+#### Timeline
+- [ ] **Immediate**: patchset needed as soon as possible
+- [ ] **Next Minor Stable Release**: patchset that needs to be verified in nightly before backport
+- [ ] **Eventually**: patchset that needs to be verified in alpha before backport
+- [ ] **No Backport (preferred)**: patchset for the next major stable
+
+#### (Optional) Justification
+- [ ] **Emergency security update**: patchset fixes CVEs, 0-days, etc
+- [ ] **Censorship event**: patchset enables censorship circumvention
+- [ ] **Critical bug-fix**: patchset fixes a bug in core-functionality
+- [ ] **Consistency**: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
+- [ ] **Sponsor required**: patchset required for sponsor
+- [ ] **Localization**: typos and other localization changes that should be also in the release branch
+- [ ] **Other**: please explain
+
+### Merging
+- [ ] Merge to `tor-browser` - `!fixups` to `tor-browser`-specific commits, new features, security backports
+- [ ] Merge to `base-browser` - `!fixups` to `base-browser`-specific commits, new features to be shared with `mullvad-browser`, and security backports
+  - **NOTE**: if your changeset includes patches to both `base-browser` and `tor-browser` please clearly label in the change description which commits should be cherry-picked to `base-browser` after merging
+
+### Issue Tracking
+- [ ] Link resolved issues with appropriate [Release Prep issue](https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep&first_page_size=20) for changelog generation
+
+### Review
+
+#### Request Reviewer
+
+- [ ] Request review from an applications developer depending on modified system:
+  - **NOTE**: if the MR modifies multiple areas, please `/cc` all the relevant reviewers (since gitlab only allows 1 reviewer)
+  - **accessibility** : henry
+  - **android** : clairehurst, dan
+  - **build system** : boklm
+  - **extensions** : ma1
+  - **firefox internals (XUL/JS/XPCOM)** : ma1
+  - **fonts** : pierov
+  - **frontend (implementation)** : henry
+  - **frontend (review)** : donuts, richard
+  - **localization** : henry, pierov
+  - **macos** : clairehurst, dan
+  - **nightly builds** : boklm
+  - **rebases/release-prep** : dan, ma1, pierov, richard
+  - **security** : ma1
+  - **signing** : boklm, richard
+  - **updater** : pierov
+  - **misc/other** : pierov, richard
+
+#### Change Description
+
+<!-- Whatever context the reviewer needs to effectively review the patchset; if the patch includes UX updates be sure to include screenshots/video of how any new behaviour -->
+
+#### How Tested
+
+<!-- Description of steps taken to verify the change -->

accessible/android/SessionAccessibility.cpp

@@ -269,12 +269,9 @@ RefPtr<SessionAccessibility> SessionAccessibility::GetInstanceFor(
       return GetInstanceFor(doc->GetPresShell());
     }
   } else {
-    DocAccessibleParent* remoteDoc = aAccessible->AsRemote()->Document();
-    if (remoteDoc->mSessionAccessibility) {
-      return remoteDoc->mSessionAccessibility;
-    }
     dom::CanonicalBrowsingContext* cbc =
-        static_cast<dom::BrowserParent*>(remoteDoc->Manager())
+        static_cast<dom::BrowserParent*>(
+            aAccessible->AsRemote()->Document()->Manager())
             ->GetBrowsingContext()
             ->Top();
     dom::BrowserParent* bp = cbc->GetBrowserParent();
@@ -285,10 +282,7 @@ RefPtr<SessionAccessibility> SessionAccessibility::GetInstanceFor(
     if (auto element = bp->GetOwnerElement()) {
       if (auto doc = element->OwnerDoc()) {
         if (nsPresContext* presContext = doc->GetPresContext()) {
-          RefPtr<SessionAccessibility> sessionAcc =
-              GetInstanceFor(presContext->PresShell());
-          remoteDoc->mSessionAccessibility = sessionAcc;
-          return sessionAcc;
+          return GetInstanceFor(presContext->PresShell());
         }
       } else {
         MOZ_ASSERT_UNREACHABLE(
@@ -684,14 +678,7 @@ void SessionAccessibility::PopulateNodeInfo(
 }
 
 Accessible* SessionAccessibility::GetAccessibleByID(int32_t aID) const {
-  Accessible* accessible = mIDToAccessibleMap.Get(aID);
-  if (accessible && accessible->IsLocal() &&
-      accessible->AsLocal()->IsDefunct()) {
-    MOZ_ASSERT_UNREACHABLE("Registered accessible is defunct!");
-    return nullptr;
-  }
-
-  return accessible;
+  return mIDToAccessibleMap.Get(aID);
 }
 
 #ifdef DEBUG
@@ -705,6 +692,58 @@ static bool IsDetachedDoc(Accessible* aAccessible) {
 }
 #endif
 
+SessionAccessibility::IDMappingEntry::IDMappingEntry(Accessible* aAccessible)
+    : mInternalID(0) {
+  *this = aAccessible;
+}
+
+SessionAccessibility::IDMappingEntry&
+SessionAccessibility::IDMappingEntry::operator=(Accessible* aAccessible) {
+  mInternalID = aAccessible->ID();
+  MOZ_ASSERT(!(mInternalID & IS_REMOTE), "First bit is used in accessible ID!");
+  if (aAccessible->IsRemote()) {
+    mInternalID |= IS_REMOTE;
+  }
+
+  Accessible* docAcc = nsAccUtils::DocumentFor(aAccessible);
+  MOZ_ASSERT(docAcc);
+  if (docAcc) {
+    MOZ_ASSERT(docAcc->IsRemote() == aAccessible->IsRemote());
+    if (docAcc->IsRemote()) {
+      mDoc = docAcc->AsRemote()->AsDoc();
+    } else {
+      mDoc = docAcc->AsLocal();
+    }
+  }
+
+  return *this;
+}
+
+SessionAccessibility::IDMappingEntry::operator Accessible*() const {
+  if (mInternalID == 0) {
+    return static_cast<LocalAccessible*>(mDoc.get());
+  }
+
+  if (mInternalID == IS_REMOTE) {
+    return static_cast<DocAccessibleParent*>(mDoc.get());
+  }
+
+  if (mInternalID & IS_REMOTE) {
+    return static_cast<DocAccessibleParent*>(mDoc.get())
+        ->GetAccessible(mInternalID & ~IS_REMOTE);
+  }
+
+  Accessible* accessible =
+      static_cast<LocalAccessible*>(mDoc.get())
+          ->AsDoc()
+          ->GetAccessibleByUniqueID(reinterpret_cast<void*>(mInternalID));
+  // If the accessible is retrievable from the DocAccessible, it can't be
+  // defunct.
+  MOZ_ASSERT(!accessible->AsLocal()->IsDefunct());
+
+  return accessible;
+}
+
 void SessionAccessibility::RegisterAccessible(Accessible* aAccessible) {
   if (IPCAccessibilityActive()) {
     // Don't register accessible in content process.
@@ -766,7 +805,6 @@ void SessionAccessibility::UnregisterAccessible(Accessible* aAccessible) {
   }
 
   RefPtr<SessionAccessibility> sessionAcc = GetInstanceFor(aAccessible);
-  MOZ_ASSERT(sessionAcc, "Need SessionAccessibility to unregister Accessible!");
   if (sessionAcc) {
     Accessible* registeredAcc =
         sessionAcc->mIDToAccessibleMap.Get(virtualViewID);

accessible/android/SessionAccessibility.h

@@ -110,10 +110,34 @@ class SessionAccessibility final
   jni::NativeWeakPtr<widget::GeckoViewSupport> mWindow;  // Parent only
   java::SessionAccessibility::NativeProvider::GlobalRef mSessionAccessibility;
 
+  class IDMappingEntry {
+   public:
+    explicit IDMappingEntry(Accessible* aAccessible);
+
+    IDMappingEntry& operator=(Accessible* aAccessible);
+
+    operator Accessible*() const;
+
+   private:
+    // A strong reference to a DocAccessible or DocAccessibleParent. They don't
+    // share any useful base class except nsISupports, so we use that.
+    // When we retrieve the document from this reference we cast it to
+    // LocalAccessible in the DocAccessible case because DocAccessible has
+    // multiple inheritance paths for nsISupports.
+    RefPtr<nsISupports> mDoc;
+    // The ID of the accessible as used in the internal doc mapping.
+    // We rely on this ID being pointer derived and therefore divisible by two
+    // so we can use the first bit to mark if it is remote or not.
+    uint64_t mInternalID;
+
+    static const uintptr_t IS_REMOTE = 0x1;
+  };
+
   /*
    * This provides a mapping from 32 bit id to accessible objects.
    */
-  nsTHashMap<nsUint32HashKey, Accessible*> mIDToAccessibleMap;
+  nsBaseHashtable<nsUint32HashKey, IDMappingEntry, Accessible*>
+      mIDToAccessibleMap;
 };
 
 }  // namespace a11y

accessible/ipc/DocAccessibleParent.cpp

@@ -29,7 +29,6 @@
 #endif
 
 #if defined(ANDROID)
-#  include "mozilla/a11y/SessionAccessibility.h"
 #  define ACQUIRE_ANDROID_LOCK \
     MonitorAutoLock mal(nsAccessibilityService::GetAndroidMonitor());
 #else

accessible/ipc/DocAccessibleParent.h

@@ -29,10 +29,6 @@ class xpcAccessibleGeneric;
 class DocAccessiblePlatformExtParent;
 #endif
 
-#ifdef ANDROID
-class SessionAccessibility;
-#endif
-
 /*
  * These objects live in the main process and comunicate with and represent
  * an accessible document in a content process.
@@ -349,10 +345,6 @@ class DocAccessibleParent : public RemoteAccessible,
 
   size_t SizeOfExcludingThis(MallocSizeOf aMallocSizeOf) override;
 
-#ifdef ANDROID
-  RefPtr<SessionAccessibility> mSessionAccessibility;
-#endif
-
  private:
   ~DocAccessibleParent();
 

accessible/ipc/moz.build

@@ -24,11 +24,6 @@ else:
         LOCAL_INCLUDES += [
             "/accessible/mac",
         ]
-    elif CONFIG["MOZ_WIDGET_TOOLKIT"] == "android":
-        LOCAL_INCLUDES += [
-            "/accessible/android",
-            "/widget/android",
-        ]
     else:
         LOCAL_INCLUDES += [
             "/accessible/other",

browser/actors/RFPHelperChild.sys.mjs

-/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs";
-
-const kPrefLetterboxing = "privacy.resistFingerprinting.letterboxing";
-
-const lazy = {};
-
-XPCOMUtils.defineLazyPreferenceGetter(
-  lazy,
-  "isLetterboxingEnabled",
-  kPrefLetterboxing,
-  false
-);
-
-export class RFPHelperChild extends JSWindowActorChild {
-  handleEvent(event) {
-    if (lazy.isLetterboxingEnabled && event.type == "resize") {
-      this.sendAsyncMessage("Letterboxing:ContentSizeUpdated");
-    }
-  }
-}

browser/actors/RFPHelperParent.sys.mjs

-1; /* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs";
-
-const lazy = {};
-ChromeUtils.defineESModuleGetters(lazy, {
-  RFPHelper: "resource://gre/modules/RFPHelper.sys.mjs",
-});
-
-const kPrefLetterboxing = "privacy.resistFingerprinting.letterboxing";
-
-XPCOMUtils.defineLazyPreferenceGetter(
-  lazy,
-  "isLetterboxingEnabled",
-  kPrefLetterboxing,
-  false
-);
-
-export class RFPHelperParent extends JSWindowActorParent {
-  receiveMessage(aMessage) {
-    if (
-      lazy.isLetterboxingEnabled &&
-      aMessage.name == "Letterboxing:ContentSizeUpdated"
-    ) {
-      let browser = this.browsingContext.top.embedderElement;
-      let window = browser.ownerGlobal;
-      lazy.RFPHelper.contentSizeUpdated(window);
-    }
-  }
-}

browser/actors/moz.build

@@ -77,8 +77,6 @@ FINAL_TARGET_FILES.actors += [
     "PromptParent.sys.mjs",
     "RefreshBlockerChild.sys.mjs",
     "RefreshBlockerParent.sys.mjs",
-    "RFPHelperChild.sys.mjs",
-    "RFPHelperParent.sys.mjs",
     "ScreenshotsComponentChild.sys.mjs",
     "SearchSERPTelemetryChild.sys.mjs",
     "SearchSERPTelemetryParent.sys.mjs",

browser/app/Makefile.in

@@ -97,10 +97,12 @@ tools repackage:: $(DIST)/bin/$(MOZ_APP_NAME) $(objdir)/macbuild/Contents/MacOS-
 	rsync -aL $(DIST)/bin/$(MOZ_APP_NAME) '$(dist_dest)/Contents/MacOS'
 	cp -RL $(topsrcdir)/$(MOZ_BRANDING_DIRECTORY)/firefox.icns '$(dist_dest)/Contents/Resources/firefox.icns'
 	cp -RL $(topsrcdir)/$(MOZ_BRANDING_DIRECTORY)/document.icns '$(dist_dest)/Contents/Resources/document.icns'
+ifndef BASE_BROWSER_UPDATE
 	$(MKDIR) -p '$(dist_dest)/Contents/Library/LaunchServices'
 ifdef MOZ_UPDATER
 	mv -f '$(dist_dest)/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater' '$(dist_dest)/Contents/Library/LaunchServices'
 	ln -s ../../../../Library/LaunchServices/org.mozilla.updater '$(dist_dest)/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater'
+endif
 endif
 	printf APPLMOZB > '$(dist_dest)/Contents/PkgInfo'
 endif

browser/app/macbuild/Contents/MacOS-files.in

@@ -17,7 +17,6 @@
 #if defined(MOZ_CRASHREPORTER)
 /minidump-analyzer
 #endif
-/pingsender
 /pk12util
 /ssltunnel
 /xpcshell

browser/app/moz.build

@@ -70,7 +70,8 @@ if CONFIG["CC_TYPE"] == "clang-cl":
 if CONFIG["OS_ARCH"] == "WINNT":
     RCINCLUDE = "splash.rc"
     DIRS += [
-        "pbproxy",
+        # tor-browser#41798 don't build private_browsing.exe on Windows
+        # "pbproxy",
         "winlauncher",
     ]
     USE_LIBS += [

browser/app/permissions

@@ -6,26 +6,3 @@
 # * permission is an integer between 1 and 15
 # Permissions defined here will also be set for private browsing.
 # See PermissionManager.cpp for more...
-
-# UITour
-# Bug 1557153: www.mozilla.org gets a special workaround in UITourChild.sys.mjs
-# Bug 1837407: support.mozilla.org gets a special workaround for similar reasons.
-origin	uitour	1	https://www.mozilla.org
-origin	uitour	1	https://monitor.firefox.com
-origin	uitour	1	https://screenshots.firefox.com
-origin	uitour	1	https://support.mozilla.org
-origin	uitour	1	https://truecolors.firefox.com
-origin	uitour	1	about:home
-origin	uitour	1	about:newtab
-
-# XPInstall
-origin	install	1	https://addons.mozilla.org
-
-# Remote troubleshooting
-origin	remote-troubleshooting	1	https://support.mozilla.org
-
-# addon install
-origin	install	1	https://fpn.firefox.com
-
-# autoplay video/audio
-origin	autoplay-media	1	about:welcome

browser/app/profile/firefox.js

@@ -50,9 +50,9 @@ pref("extensions.recommendations.themeRecommendationUrl", "https://color.firefox
 
 pref("extensions.update.autoUpdateDefault", true);
 
-// Check AUS for system add-on updates.
-pref("extensions.systemAddon.update.url", "https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml");
-pref("extensions.systemAddon.update.enabled", true);
+// No AUS check for system add-on updates for Tor Browser users.
+pref("extensions.systemAddon.update.url", "");
+pref("extensions.systemAddon.update.enabled", false);
 
 // Disable add-ons that are not installed by the user in all scopes by default.
 // See the SCOPE constants in AddonManager.jsm for values to use here.
@@ -968,7 +968,7 @@ pref("privacy.panicButton.enabled",         true);
 // Time until temporary permissions expire, in ms
 pref("privacy.temporary_permission_expire_time_ms",  3600000);
 
-// Enables protection mechanism against password spoofing for cross domain auh requests
+// Enables protection mechanism against password spoofing for cross domain auth requests
 // See bug 791594
 pref("privacy.authPromptSpoofingProtection",         true);
 
@@ -2104,6 +2104,12 @@ pref("privacy.webrtc.sharedTabWarning", false);
 // before navigating to the actual meeting room page. Doesn't survive tab close.
 pref("privacy.webrtc.deviceGracePeriodTimeoutMs", 3600000);
 
+// Enable including the content in the window title.
+// PBM users might want to disable this to avoid a possible source of disk
+// leaks.
+pref("privacy.exposeContentTitleInWindow", true);
+pref("privacy.exposeContentTitleInWindow.pbm", true);
+
 // Start the browser in e10s mode
 pref("browser.tabs.remote.autostart", true);
 pref("browser.tabs.remote.desktopbehavior", true);

browser/base/content/aboutDialog-appUpdater.js

@@ -206,7 +206,7 @@ appUpdater.prototype = {
       if (aChildID == "downloadAndInstall") {
         let updateVersion = gAppUpdater.update.displayVersion;
         // Include the build ID if this is an "a#" (nightly or aurora) build
-        if (/a\d+$/.test(updateVersion)) {
+        if (!AppConstants.BASE_BROWSER_UPDATE && /a\d+$/.test(updateVersion)) {
           let buildID = gAppUpdater.update.buildID;
           let year = buildID.slice(0, 4);
           let month = buildID.slice(4, 6);

browser/base/content/aboutDialog.js

@@ -43,21 +43,14 @@ function init() {
   }
 
   // Include the build ID and display warning if this is an "a#" (nightly or aurora) build
-  let versionId = "aboutDialog-version";
+  let versionId = "basebrowser-about-dialog-version";
   let versionAttributes = {
-    version: AppConstants.MOZ_APP_VERSION_DISPLAY,
-    bits: Services.appinfo.is64Bit ? 64 : 32,
+    version: AppConstants.BASE_BROWSER_VERSION,
+    firefoxVersion: AppConstants.MOZ_APP_VERSION_DISPLAY,
   };
 
   let version = Services.appinfo.version;
   if (/a\d+$/.test(version)) {
-    versionId = "aboutDialog-version-nightly";
-    let buildID = Services.appinfo.appBuildID;
-    let year = buildID.slice(0, 4);
-    let month = buildID.slice(4, 6);
-    let day = buildID.slice(6, 8);
-    versionAttributes.isodate = `${year}-${month}-${day}`;
-
     document.getElementById("experimental").hidden = false;
     document.getElementById("communityDesc").hidden = true;
   }

browser/base/content/aboutDialog.xhtml

@@ -30,6 +30,7 @@
   <linkset>
     <html:link rel="localization" href="branding/brand.ftl"/>
     <html:link rel="localization" href="browser/aboutDialog.ftl"/>
+    <html:link rel="localization" href="browser/base-browser.ftl"/>
   </linkset>
 
   <html:div id="aboutDialogContainer">