Bug 41988/1849186: Add a preference not to expose the content title in the window title

Merge Info

Related Issues

• #41988
• mullvad-browser#xxxxx
• tor-browser-build#xxxxx
• Bug 1849186

Backporting

Timeline

• Immediate: patchset needed as soon as possible
• Next Minor Stable Release: patchset that needs to be verified in nightly before backport
• Eventually: patchset that needs to be verified in alpha before backport
• No Backport (preferred): patchset for the next major stable

We need some user feedback first, to see how it's received.

Also, we might do some additional UX to easily enable/disable this.

(Optional) Justification

• Emergency security update: patchset fixes CVEs, 0-days, etc
• Censorship event: patchset enables censorship circumvention
• Critical bug-fix: patchset fixes a bug in core-functionality
• Consistency: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
• Sponsor required: patchset required for sponsor
• Other: please explain
  • This is a disk leak, but it should be very unlikely. Also, it might cause some breakage for users (all alt-tab entries will display only "Tor Browser"), so we might want to get users feedback about that before backporting, and maybe adding a UI to disable it easily. Overall, I'd expect the breakage to be higher than the actual possibility of leaks, but maybe I'm wrong and users will immediately accept this tradeoff (I'm happy with it for sure, and knowing why it's like that I'm happy someone found it). Anyway, I think it's so important that it's worth mentioning in the blog post.

Merging

• Merge to tor-browser - !fixups to tor-browser-specific commits, new features, security backports
• Merge to base-browser - !fixups to base-browser-specific commits, new features to be shared with mullvad-browser, and security backports
  • NOTE: if your changeset includes patches to both base-browser and tor-browser please clearly label in the change description which commits should be cherry-picked to base-browser after merging

Issue Tracking

• Link resolved issues with appropriate Release Prep issue for changelog generation

Review

Request Reviewer

• Request review from an applications developer depending on modified system:
  • NOTE: if the MR modifies multiple areas, please /cc all the relevant reviewers (since gitlab only allows 1 reviewer)
  • accessibility : henry
  • android : clairehurst, dan
  • build system : boklm
  • extensions : ma1
  • firefox internals (XUL/JS/XPCOM) : ma1
  • fonts : pierov
  • frontend (implementation) : henry
  • frontend (review) : donuts, richard
  • localization : henry, pierov
  • macos : clairehurst, dan
  • nightly builds : boklm
  • rebases/release-prep : dan, ma1, pierov, richard
  • security : ma1
  • signing : boklm, richard
  • updater : pierov
  • misc/other : pierov, richard

Change Description

A user noticed GNOME Shell leaked the pages they visited in Tor Browser in system logs, to identify a window causing a problem.

I think the reason was that their computer was being unresponsive, so it isn't something that I'd expect users to normally experience.

Still, it's a disk leak, and I think it's an acceptable tradeoff not to show the page title in the window title by default.

Maybe we should add a UI element in about:preferences to disable this protection.

How Tested

Upstream patch with appropriate testing and a pref flip.

I've checked that after flipping the pref, the activities window shows only "Tor Browser" as a title.

It can be also checked when showing the window titlebar:

Screenshot