
Bug 42332: Rebased Tor Browser Alpha onto 115.6.0esr

Merge Info

Related Issues



  • Immediate: patchset needed as soon as possible
  • Next Minor Stable Release: patchset that needs to be verified in nightly before backport
  • Eventually: patchset that needs to be verified in alpha before backport
  • No Backport (preferred): patchset for the next major stable

(Optional) Justification

  • Emergency security update: patchset fixes CVEs, 0-days, etc
  • Censorship event: patchset enables censorship circumvention
  • Critical bug-fix: patchset fixes a bug in core-functionality
  • Consistency: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
  • Sponsor required: patchset required for sponsor
  • Localization: typos and other localization changes that should be also in the release branch
  • Other: please explain


  • Merge to tor-browser - !fixups to tor-browser-specific commits, new features, security backports
  • Merge to base-browser - !fixups to base-browser-specific commits, new features to be shared with mullvad-browser, and security backports
    • NOTE: if your changeset includes patches to both base-browser and tor-browser please clearly label in the change description which commits should be cherry-picked to base-browser after merging

Issue Tracking


Request Reviewer

  • Request review from an applications developer depending on modified system:
    • NOTE: if the MR modifies multiple areas, please /cc all the relevant reviewers (since gitlab only allows 1 reviewer)
    • accessibility : henry
    • android : clairehurst, dan
    • build system : boklm
    • extensions : ma1
    • firefox internals (XUL/JS/XPCOM) : ma1
    • fonts : pierov
    • frontend (implementation) : henry
    • frontend (review) : donuts, richard
    • localization : henry, pierov
    • macos : clairehurst, dan
    • nightly builds : boklm
    • rebases/release-prep : dan, ma1, pierov, richard
    • security : ma1
    • signing : boklm, richard
    • updater : pierov
    • misc/other : pierov, richard

Change Description

Alpha rebase onto 115.6.0esr.

How Tested

Range-diff + diff-of-diffs.

On mobile/android/components/geckoview/GeckoViewStartup.jsm, I removed these lines because I thought they weren't needed anymore. I used them to gate the new backend on the update channel, but we decided to follow another plan.

+const { AppConstants } = ChromeUtils.importESModule(
+  "resource://gre/modules/AppConstants.sys.mjs"

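Review bot: the quoted import stops after the module path, with no closing `);`, so the removed statement is not shown whole; quoting it complete would make it easier to match against the range-diff. With this import gone, it is also worth confirming that no `AppConstants` use is left in GeckoViewStartup.jsm, since a leftover reference would throw when reached.
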
Also, TorProviderBuilder, TorConnect and TorSettings were added to that file in the tor-launcher commit, but modified in the new Tor Android Integration commit.

So, I added a new fixup! to remove them.

security/certverifier/CertVerifier.cpp is the other problem. We had a conflict with upstream (Bug 1611381), and my proposal in this MR is slightly different than the proposal in the stable MR.

I think we should restrict the acceptance of the self-signed onion certificate only to the original condition (Result::ERROR_UNKNOWN_ISSUER). ERROR_INADEQUATE_KEY_USAGE and ERROR_BAD_SIGNATURE should generate an error, in my opinion.

The range-diff has a lot of fun because of me moving files to toolkit and switching to modules. Also, a lot of removed strings that got squashed to the TorStrings commit. Apart from that, it looks clean enough.
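
The CertVerifier.cpp proposal above, modelled as an added stand-alone example (not code from this merge request or from Tor Browser). The `Result` enum is a local stand-in for the three mozilla::pkix codes named in the description, and `IsOnionHost`, `NarrowOverride` and `WideOverride` are hypothetical names; the wide variant is constructed only for contrast.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>

// Local stand-in for the mozilla::pkix result codes named in the description.
enum class Result {
  Success,
  ERROR_UNKNOWN_ISSUER,
  ERROR_INADEQUATE_KEY_USAGE,
  ERROR_BAD_SIGNATURE,
};

// Hypothetical helper: true for hosts under .onion (case-insensitive,
// one trailing root dot tolerated). "onion" and "notonion" do not match.
bool IsOnionHost(std::string host) {
  if (!host.empty() && host.back() == '.') host.pop_back();
  std::transform(host.begin(), host.end(), host.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  const std::string suffix = ".onion";
  return host.size() > suffix.size() &&
         host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Narrow policy: a self-signed onion certificate is accepted only when path
// building failed with ERROR_UNKNOWN_ISSUER; every other error is kept.
Result NarrowOverride(Result r, const std::string& host, bool selfSigned) {
  if (r == Result::ERROR_UNKNOWN_ISSUER && selfSigned && IsOnionHost(host)) {
    return Result::Success;
  }
  return r;
}

// Constructed contrast: a wider policy that would also hide the other two
// failures, so a certificate whose signature does not verify is accepted.
Result WideOverride(Result r, const std::string& host, bool selfSigned) {
  if (r != Result::Success && selfSigned && IsOnionHost(host)) {
    return Result::Success;
  }
  return r;
}

int main() {
  Result r = NarrowOverride(Result::ERROR_BAD_SIGNATURE, "example.onion", true);
  std::printf("bad signature stays an error: %s\n",
              r == Result::ERROR_BAD_SIGNATURE ? "yes" : "no");
  return 0;
}
```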
