Tor Browser issues
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues
2020-10-09T17:00:18Z

Review developer notes for Firefox 82
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40131
2020-10-09T17:00:18Z
Georg Koppen

https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/82 are
the notes to look at

Tor Browser: 10.0

Investigate LOAD_FLAGS_BYPASS_PROXY usage
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40116
2020-09-09T07:34:27Z
Georg Koppen

Mike flagged `LOAD_FLAGS_BYPASS_PROXY` usage in his [proxy
audit](https://gitlab.torproject.org/tpo/applications/fenix/-/issues/34177),
so we should look at it closer.
I _think_ this is just a way to indicate that proxy caches should be
bypassed and does not mean that suddenly connections bypass the network
proxy settings, see the
[MDN](https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIWebNavigation)
explanation of that flag:
```
This flag specifies that any intermediate proxy caches should be
bypassed (That is, that the content should be loaded from the origin
server).
```
We'll see whether my basic understanding is right here...

Tor Browser: 10.0
Georg Koppen

2020 EOY Campaign
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40113
2021-08-13T23:08:02Z
Antonela <antonela@torproject.org>

This ticket aims to track the implementation of the end of year campaign in the Tor Browser's `about:tor`. Assets are attached.
https://use-tor.glitch.me/

Tor Browser: 10.0

Check that caching stylesheets per document group adheres to FPI
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40112
2020-09-11T12:26:37Z
Georg Koppen

Firefox 80 comes with [caching stylesheets per document
group](https://bugzilla.mozilla.org/show_bug.cgi?id=1599160). Mozilla
thinks that
[needs](https://bugzilla.mozilla.org/show_bug.cgi?id=1646640)
[partitioning](https://bugzilla.mozilla.org/show_bug.cgi?id=1645987) for
their [top-level site
partitioning](https://bugzilla.mozilla.org/show_bug.cgi?id=1590107),
which is roughly equivalent to first-party isolation. The relevant check
implemented is
```
nsIPrincipal* Loader::PartitionedPrincipal() const {
  if (mDocument && StaticPrefs::privacy_partition_network_state()) {
    return mDocument->PartitionedPrincipal();
  }
  return LoaderPrincipal();
}
```
which is not checking the FPI pref. So, I guess we need to investigate
what the FPI story is.

Tor Browser: 10.0
Georg Koppen

Playing videos breaks after reloading pages in ESR 78-based builds
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40109
2020-10-07T09:23:52Z
Georg Koppen

We set `browser.privatebrowsing.forceMediaMemoryCache` to `true` in
#33856. It turns out that this caused a
[regression](https://bugzilla.mozilla.org/show_bug.cgi?id=1650281) which
led to videos breaking if one re-loads pages (see [comment
3](https://bugzilla.mozilla.org/show_bug.cgi?id=1650281#c3) for steps to
reproduce).
Luckily, this is already fixed in Firefox 80 and the patches are small.
We should backport them.

Tor Browser: 10.0
Georg Koppen

Initialize torbutton for Geckoview and make sure its features work as expected in Fenix
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40098
2020-09-01T11:25:09Z
Alex Catarineu

Tor Browser: 10.0

Rebase browser patches to 81.0b1
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40097
2020-08-27T19:20:33Z
Georg Koppen

Our monthly rebase to the first new Mozilla beta.
- [x] torbutton#40006

Tor Browser: 10.0

Review closed Mozilla bugs between 79-81 (inclusive) for GeckoView
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40096
2020-10-11T20:34:02Z
Georg Koppen

We need to review closed Mozilla bugs between 79-81 (inclusive) for newly
landed features/fixed bugs that are affecting GeckoView. (Thus, we might
be able to skip the Firefox part in this ticket to save some time)

Tor Browser: 10.0
Georg Koppen

Review Mozilla developer notes for 79-81 (including)
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40095
2020-09-17T10:47:04Z
Georg Koppen

For mobile we need to review the Mozilla developer notes between 79-81
(including) watching out for proxy, linkability, and fingerprinting issues.
(There will be an own ticket for proxy bypass audit, though)

Tor Browser: 10.0
Georg Koppen

Disable v3 extension blocklist for 10.0a6
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40090
2020-09-09T15:44:35Z
Georg Koppen

https://bugzilla.mozilla.org/show_bug.cgi?id=1631018 landed and is
enabling the v3 extension blocklist mechanism.
We are not sure how this affects our HTTPS-Everywhere extension. So, we
disable that mechanism for now.

Tor Browser: 10.0
Georg Koppen

Safest security level - Javascript cannot be temporarily enabled, NoScript "Override Tor Browser Security Level preset" does not work
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40082
2020-08-21T10:51:59Z
wesinator

```
macOS 10.14.6
TorBrowser 9.5.3 clean install via brew cask
```
It seems Javascript cannot be enabled at all from NoScript under Safest security level, even when NoScript "Override Tor Browser Security Level preset" is checked, and the NoScript host setting is set to temporarily trusted.
To reproduce:
- Site that requires Javascript, like https://www.virustotal.com/gui/home
- Temporarily trust hosts under NoScript
Javascript is not enabled at all despite NoScript trusted settings and override
Many sites require javascript at some point to be functional, such as sites that use Cloudflare or other CDNs with captcha pages
possibly related to PDFs not rendering? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/33721

Tor Browser: 10.0
Georg Koppen

Consider disabling remote Public Suffix List fetching
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40073
2022-06-09T08:28:20Z
Alex Catarineu

In https://bugzilla.mozilla.org/show_bug.cgi?id=1563246 Firefox started fetching the PSL via `RemoteSettings` and replacing the default one at runtime. AFAIK this would override our changes in `effective_tld_names.dat` from #28005, so we should consider a patch to disable this.

Tor Browser: 10.0

Disable various ESR78 features via prefs
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40048
2022-11-09T11:02:31Z
Kathleen Brade

From #33534:
- browser.region.network.scan --> false
- browser.region.network.url --> ""
  - Obtain WiFi location information from a Mozilla server.
- browser.tabs.remote.separatedMozillaDomains --> ""
  - This is a list of mozilla domains which are allowed to be loaded in a privileged process.
- browser.urlbar.dnsResolveSingleWordsAfterSearch --> false
  - DNS look up is done for single word terms after a search fails.
- browser.urlbar.suggest.topsites --> false
- browser.urlbar.update1.interventions --> false
- browser.urlbar.update1.searchTips --> false
- corroborator.enabled --> false
  - Triggers detection of corruption (e.g. in omni.ja) and reporting via telemetry. Avoid doing wasted work.
- device.storage.enabled --> false (Android)
- dom.push.enabled --> false
- dom.w3c_pointer_events.multiprocess.android.enabled --> false (Android)
- messaging-system.rsexperimentloader.enabled --> false (about:newtab)
- network.trr.resolvers --> ""
  - part of DoH; "defense in depth"
- privacy.socialtracking.block_cookies.enabled --> false
  - part of tracking protection
- security.pki.crlite_mode --> 0
  - This is 1 by default which is a non-enforcing mode focused on collecting telemetry. We should set it to 0 to avoid downloading data from Mozilla.
- signon.management.page.breach-alerts.enabled --> false
  - Firefox displays critical alerts in the Lockwise password manager when a website is breached.
- signon.management.page.mobileAndroidURL --> ""
- signon.management.page.mobileAppleURL --> ""
  - about:logins page to redirect users to Google Play and Apple's App Store for obtaining Mozilla's LockWise mobile apps.
- trailhead.firstrun.branches --> ""
  - For Firefox developers to enable experiments.

Tor Browser: 10.0

Backport 1450853 - MediaError message property leaks cross-origin response status
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40047
2020-08-07T13:41:25Z
Matthew Finkel

https://bugzilla.mozilla.org/show_bug.cgi?id=1450853

Tor Browser: 10.0

Review RemoteSettings for ESR78
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40038
2020-08-25T10:35:19Z
Alex Catarineu

We should revisit #31740 for ESR78. In a first inspection I could see requests to `url-classifier-skip-urls`, which the current patch should have removed.
We could also use the opportunity to simplify the patch a bit, for example trying to make all the changes in a single place (e.g. something like a blacklist of bucket/collection somewhere in the RemoteSettings client code).

Tor Browser: 10.0

Block or recover background requests after bootstrap
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40455
2021-07-07T06:15:55Z
Matthew Finkel

With #27476, background requests fail before bootstrapping completes because Tor rejects the proxy request. In some instances, these requests are not retried again, in others they are retried after a long period, and in others they are retried within a short period.
Known background requests:
- HTTPS Everywhere ruleset updates
- Mozilla Blocklist updates
- Tor Browser Updates
We know https-everywhere does not handle fetch failures, and only tries fetching updates again after 24 hours. I believe we can send an `update_update_channel` message, similar to our behavior in febcaf62ee9a85b2c3be638275ae063d34f46e76, and force an update after we successfully bootstrap.
For Firefox's background updates, we may be able to take advantage of Firefox's `offline` mode (`Service.io.offline`), and Firefox will delay updates until we're "online":
- https://searchfox.org/mozilla-central/source/netwerk/base/nsIIOService.idl#160
- https://searchfox.org/mozilla-central/source/netwerk/base/nsIOService.cpp#1228

Tor Browser: 10.5
richard

Update Onboarding for 10.5
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40429
2021-06-30T23:00:42Z
Matthew Finkel

Tor Browser: 10.5
donuts

Rebase 10.5 patches onto 78.8.0esr
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40340
2021-02-19T22:12:34Z
Matthew Finkel

bace0d2a46cabd36f5bdc738c000f15ae4a4225c

Tor Browser: 10.5

Rebase tor-browser patches to 86.0b1
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40311
2021-01-30T21:50:06Z
Matthew Finkel

fc3f73adfa343dfd1099edbede1628722786326c

Tor Browser: 10.5

Create new nightly MAR signing key
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40274
2021-01-11T21:37:32Z
Georg Koppen

In tor-browser-build#40146 we moved to our new signing machine but we
kept for now the old nightly signing key. We baked in a second MAR
signing key which should take over in a couple of days. However, before
that one moves into the first position and onto our signing machine we
want to have a new backup key embedded

Tor Browser: 10.5
Georg Koppen