Tor Browser issues
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues
2023-11-27T14:41:42Z

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42074
YEC 2023 Takeover for Android Stable
2023-11-27T14:41:42Z
nicob

Each year from ~mid-October through the end of December, the Tor Project runs its year-end fundraising campaign (aka "YEC"). This is the time during which we raise the most money per year from individual donors. A key strategy in this campaign is a branded takeover of about:tor (desktop + mobile) that includes the year-end campaign "mini brand," new assets, a fundraising message, and a donate button. cc @richard
Key dates:
* **Monday, October 16** - gated YEC takeover of about:tor appears
* **Monday, November 13** - second gated YEC takeover of about:tor appears
**Please note that the current illustration within these designs is a placeholder**, and the final illustration asset will be shared soon when it's finalized. Aside from that, everything here has been approved to begin implementation:
* Figma files for inspection: [23 Year End Campaign](https://www.figma.com/file/f8KvYdzeZPvs4KpJMLJumD/23-Year-End-Campaign?type=design&node-id=27%3A11557&mode=design&t=DzYvge9oyxXoCu6K-1)
* Illustration: [yec-illustration-android.svg](/uploads/093aeed7ba10b9ae7b3d1675d67c9229/yec-illustration-android.svg)
* heart svg for button: [heart.svg](/uploads/181b77f5cd7abad67379bbf4e27df3f9/heart.svg)
* Font: `Roboto`
* Background color: `#1F0333`
* Text color: `#FBFBFE`
* Button background color: `#FFBD4F`
* Button text color: `#1F0333`
* Can we anchor the donate button to the main content area of donate.torproject.org again like last year? @smith please chime in here if there's a specific redirect URL link you're using for metrics
Last year's ticket for reference: [YEC 2022 Takeover for Android Stable](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41302 "YEC 2022 Takeover for Android Stable")
about:tor android mockup:
![about_tor-android2x.png](/uploads/e6c3555a5d60c503b5ee73d0d49bae43/about_tor-android2x.png){width=298 height=629}
about:tor android LTR mockup:
![about_tor-android-LTR2x.png](/uploads/b811c4ae136bec35bbc0e6a0ecbf321c/about_tor-android-LTR2x.png){width=301 height=636}
Year End Campaign 2023
Dan Ballard

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42072
YEC 2023 Takeover for Desktop Stable
2023-11-27T13:52:36Z
nicob

Each year from ~mid-October through the end of December, the Tor Project runs its year-end fundraising campaign (aka "YEC"). This is the time during which we raise the most money per year from individual donors. A key strategy in this campaign is a branded takeover of about:tor (desktop + mobile) that includes the year-end campaign "mini brand," new assets, a fundraising message, and a donate button. cc @henry
Key dates:
* **Monday, October 16** - gated YEC takeover of about:tor appears
* **Monday, November 13** - second gated YEC takeover of about:tor appears
**Please note that the current illustration within these designs is a placeholder**, and the final illustration asset will be shared soon when it's finalized. Aside from that, everything here has been approved to begin implementation:
* Figma files for inspection: [23 Year End Campaign](https://www.figma.com/file/f8KvYdzeZPvs4KpJMLJumD/23-Year-End-Campaign?type=design&node-id=27%3A11557&mode=design&t=DzYvge9oyxXoCu6K-1)
* Illustration: [yec-illustration-desktop.svg](/uploads/ba0b67262292a53cc67a1fbe02b4003e/yec-illustration-desktop.svg)
* Font: `SF Pro`
* Background color: `#1F0333`
* Can we anchor the donate button to the main content area of donate.torproject.org again like last year? @smith please chime in here if there's a specific redirect URL link you're using for metrics
Last year's ticket for reference: [YEC 2022 Takeover for Desktop Stable](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41303)
about:tor desktop:
![about_tor-desktop2x.png](/uploads/4beb1ed4f74cdcc1a49da980d82c628b/about_tor-desktop2x.png){width="832" height="640"}
about:tor desktop LTR:
![about_tor-desktop-LTR2x.png](/uploads/45646d5f144f8b0cad0d7e93056693b5/about_tor-desktop-LTR2x.png){width="834" height="641"}
Year End Campaign 2023
henry

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42184
Setting "Homepage and new windows" ignores "Blank Page" value
2023-11-26T15:38:20Z
pf.team

Steps to reproduce:
1. Run TB 13.0.
2. Open: about:preferences#home
3. Set "Homepage and new windows" to the "Blank Page" value.
4. Restart TB.
Environment: Linux (x86_64).
Expected result: a new TB instance shows about:blank page.
Actual result: a new TB instance shows about:tor page.
henry

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41327
Disable UrlbarProviderInterventions
2023-11-20T16:40:54Z
Pier Angelo Vendrame

@cypherpunks1 said that urlbar interventions are not disabled in Tor Browser, and that the preference we are using (`browser.urlbar.update1.interventions`) is obsolete (see https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40783#note_2838323).
I am not familiar with this part of Firefox. From a quick search, I found that they can still be disabled with enterprise policies.
We should check why we disabled them in the first place, if it's still needed, or if we can keep them enabled.
Sponsor 131 - Phase 2 - Privacy Browser
richard

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42188
Donations are asked repeatedly when I click New identity button
2023-11-16T18:27:39Z
cypherpunks

Donations are asked repeatedly when I click New identity button. I already click X on the donation window and I expect it to hide from now but you insisted on displaying it over and over.
richard

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41734
Add a `Connected` flag to indicate which built-in bridge option Tor Browser is currently using
2023-11-14T18:34:58Z
Dan Ballard

Left over bridges UX work from #41617:
* [ ] Adding a `✔ Connected` flag to indicate which built-in bridge option Tor Browser is currently using
The Figma file is ready for dev handoff here: [Figma link](https://www.figma.com/file/RS584DcR4emXrw1F8g3l5x/Tor-Browser-12.5?node-id=62%3A10116&t=41hhHGHnJTkIHnmo-1)
henry

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42154
Empty the clipboard on browser shutdown only if content comes from private browsing windows
2023-11-07T16:50:23Z
cypherpunks1

The user may not expect or need this feature (#42019) and maybe it should additionally be disabled for non-private browsing mode.
One issue is that the clipboard is emptied even if its contents did not originate from a browser.
ma1

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42222
Fix TorDomainIsolator initialization on Android
2023-11-06T20:47:38Z
Pier Angelo Vendrame

In TBA 13.0aX and 13.0.X (until 13.0.2) the domain isolator is not being initialized incorrectly.
It seems the `TorStartupService` isn't being loaded (even though I'm quite sure it looks like exactly the one we had in Torbutton).
I don't know if it's due to the XPCOM changes that happened between 102 and 115, or if it's just because of the various refactors.
Since we don't have a circuit display, the only way to notice this is going to different sites that show the IP address, and notice that they have the same one, but we'd expect them to be isolated.
Some Tor-friendly ones are:
- https://check.torproject.org/
- https://www.wtfismyip.com/
- https://myip.wtf/ (same as the previous one, but different FP domain for TBB :smile:)
- https://mullvad.net/en/check
When we finally start working on tests we should also have a test that checks circuit FPI.
Pier Angelo Vendrame

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41766
TTP-02-001 WP1: XSS in TorConnect's captive portal (Info)
2023-10-19T13:37:48Z
richard

>>>
## Description:
TorConnect's captive portal performs a redirect to a URL that is retrieved from the **redirect** parameter located in the **query** string. No validations are performed to guarantee that the scheme of the URL is valid before having it used in the redirection. Note that the next step is performed after the user successfully connects to TOR.
Fortunately, arbitrary JavaScript execution is prevented due to the strict CSP policy that is applied to the `about:torconnect` page. Hence, the severity has appropriately been set at **Info** only.
## Affected file:
_browser/components/torconnect/content/aboutTorConnect.js_
## Affected code:
```javascript
async init() {
  // see if a user has a final destination after bootstrapping
  let params = new URLSearchParams(new URL(document.location.href).search);
  if (params.has("redirect")) {
    // the scheme of the decoded URL is not validated before it is used
    const encodedRedirect = params.get("redirect");
    this.redirect = decodeURIComponent(encodedRedirect);
  } else {
    // if the user gets here manually or via the button in the urlbar
    // then we will redirect to about:tor
    this.redirect = "about:tor";
  }
  // [...]
}
```
## Steps to reproduce:
1. Open the Tor Browser and access `about:torconnect?redirect=javascript:alert(document.domain);`
2. Click on Connect and check the DevTools to verify that JavaScript execution was prevented by CSP.
To mitigate this issue, Cure53 advises validating the scheme of the URL from the **redirect** parameter, and verifying it against an allow-list of safe schemes.
>>>
ma1

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41833
Reload extensions on new identity
2023-10-17T20:49:47Z
ma1

New Identity is perceived and advertised as a sort of "soft restart" which, among other things, resets all the linkable state.
However extensions don't get reloaded or even notified, therefore they've got no chance of resetting their state as they should for this feature to be consistent when they're present.
/cc @pierov @ruihildt
ma1

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41303
YEC 2022 Takeover for Desktop Stable
2023-10-16T14:52:51Z
richard

For reference here is the torbutton MR from last year's: https://gitlab.torproject.org/tpo/applications/torbutton/-/merge_requests/64
Last I heard, YEC is scheduled to go live the week of October 17, but there's no stable scheduled near that time frame. So, we will add the functionality and gate it behind a date check.
@nicob @duncan We need assets please!
Year End Campaign 2022
henry

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41581
ESR115: figure out extension pinning / unified Extensions
2023-10-12T22:13:43Z
Thorin

IIUIC we don't ship with NoScript on the toolbar (and in the past we also removed HTTPS-Everywhere?) - not sure of the full reasons, but width is at a premium and I believe the idea was to get users to use the slider, not NS itself. Correct me if I'm wrong
```js
user_pref("extensions.unifiedExtensions.enabled", false);
```
Note: there's [1808459](https://bugzilla.mozilla.org/show_bug.cgi?id=1808459) Unified Extensions when empty ignores `extensions.getAddons.showPane` - but hopefully that will be fixed come ESR115
henry

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42167
Make the preference auto-focus more reliable
2023-10-11T12:23:15Z
henry

Right now testing with NVDA, the auto-focus implemented for https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41454 was not always reliable in getting the screen reader to read the Security Level panel.
henry

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42166
New identity dialog missing accessible name
2023-10-11T12:22:45Z
henry

The new identity dialog is missing an accessible name, causing it to use the "chrome:" path as the dialog as a fallback.
henry

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41600
Some users have difficulty finding the circuit display
2023-10-11T12:10:02Z
donuts

In recent usability testing conducted for ~"Sponsor 30" @nah discovered that:
> During this study, **participant 3** pointed that they never used the `New Circuit` because they didn't know where it was. And as most browsers use the padlock to show website certificate, so they would never look for it there. They suggested to change the icon for the `New Circuit`, to make it more visible.(https://gitlab.torproject.org/tpo/ux/research/-/issues/91#note_2840558)
This has also been reported by an independent user researcher here: https://gitlab.torproject.org/tpo/ux/research/-/issues/34
And came up during user interviews for ~"Sponsor 101" too: https://gitlab.torproject.org/tpo/ux/research/-/issues/70
If possible, I'd like to explore potential fixes for this issue in time for the usability testing scheduled in March/April.
Sponsor 30 - Objective 3.5
henry
2023-04-17

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41727
WebRTC privacy-hardening settings
2023-10-09T17:50:23Z
ma1

As noted in mullvad-browser#151, the most sensible preference changes to harden WebRTC privacy for our use cases seem to be:
- `media.peerconnection.ice.relay_only` -> `false`
- `media.peerconnection.ice.default_address_only` -> `true`
- `media.peerconnection.ice.proxy_only_if_behind_proxy` -> `true`
ma1

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42138
Disable apz.overscroll.enabled pref
2023-10-09T15:40:51Z
richard

Disable overscroll on all platforms to minimize touch-related fingerprinting entropy.
richard

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41956
Update Tor Browser's brand assets
2023-10-09T15:26:59Z
donuts

This is the ~Meta issue to track branding updates planned for an upcoming release of Tor Browser.
nicob

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42010
Review Mozilla 1810641: Enable overscroll on Windows on all channels
2023-10-05T12:57:01Z
richard

Link: https://bugzilla.mozilla.org/show_bug.cgi?id=1810641
@thorin is overscroll something we need to consider re ~Fingerprinting or is it a case where so-long as everyone has it it's fine. Skimming the ticket suggests the overscroll only happens when scrolling via touch.
EDIT: fwiw enabling the provided pref on Linux did not enable any new functionality on my laptop, but libinput is kind of a shitshow w/ regards to touchpad support/functionality so it may just be seeing it a mouse+scroll wheel.
/cc @donuts

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41854
Download Spam Protection cannot be overridden to allow legitimate downloads
2023-10-05T12:50:33Z
donuts

A user has reported the following issue with file downloads on 12.0.7 [on the forum](https://forum.torproject.net/t/download-bug-in-tor-browser-12-0-7/8043):
> I’m on Linux, with Tor Browser 12.0.7
>
> I’m trying to download (PDF) files from a site i’ve downloaded from many times before.
>
> - Get a yellow triangle on downloads icon.
> - open it and it says “Downloads blocked from ”
> - click Show more information
> - says “ attempted to automatically download multiple files. The site could be broken or trying to store spam files on your device.”
>
> Options to “Allow Download” or “Remove Files” don’t seem to do anything or change the behavior.
>
> Each time I click a link to download a file from this site I get another message like this. (it worked the first time)
At least [two other users on reddit](https://old.reddit.com/r/TOR/comments/146ge44/download_bug_in_tor_browser_1207/) have reported the same bug. However it's seemingly not an issue in 12.5a7 [according to the original reporter](https://forum.torproject.net/t/download-bug-in-tor-browser-12-0-7/8043).
ma1