torbutton issues
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues
2022-05-26T01:30:07Z

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/29334
Exception when running the garbage collection during new identity
2022-05-26T01:30:07Z
Georg Koppen

During `New Identity` we run some fancy code to make sure we really have a clean state after closing and reopening the browser:
```
// Run garbage collection and cycle collection after window is gone.
// This ensures that blob URIs are forgotten.
window.addEventListener("unload", function (event) {
  torbutton_log(3, "Initiating New Identity GC pass");
  // Clear out potential pending sInterSliceGCTimer:
  m_tb_domWindowUtils.runNextCollectorTimer();
  // Clear out potential pending sICCTimer:
  m_tb_domWindowUtils.runNextCollectorTimer();
  // Schedule a garbage collection in 4000-1000ms...
  m_tb_domWindowUtils.garbageCollect();
  // To ensure the GC runs immediately instead of 4-10s from now, we need
  // to poke it at least 11 times.
  // We need 5 pokes for GC, 1 poke for the interSliceGC, and 5 pokes for CC.
  // See nsJSContext::RunNextCollectorTimer() in
  // https://mxr.mozilla.org/mozilla-central/source/dom/base/nsJSEnvironment.cpp#1970.
  // XXX: We might want to make our own method for immediate full GC...
  for (let poke = 0; poke < 11; poke++) {
    m_tb_domWindowUtils.runNextCollectorTimer();
  }
  // And now, since the GC probably actually ran *after* the CC last time,
  // run the whole thing again.
  m_tb_domWindowUtils.garbageCollect();
  for (let poke = 0; poke < 11; poke++) {
    m_tb_domWindowUtils.runNextCollectorTimer();
  }
});
```
That leads to an exception in `chrome://extensions/content/ext-tabs-base.js` in some cases at
```
get frameLoader() {
  return this.browser.frameLoader;
}
```
as it is not guaranteed that `browser` is still a thing during that operation. An example where this occurs is
1) On `about:page` open the link to our newsletter in a new tab
2) Open the browser console
3) Hit `New Identity`
This got reported on our blog https://blog.torproject.org/comment/279507#comment-279507 ff.

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/28745
THE Torbutton clean-up
2022-12-08T15:15:25Z
Georg Koppen

That is the parent ticket for all things Torbutton clean-up, now that we included it into `tor-browser`. It's not clear yet how we'll be restructuring it but it's clear that a lot of old cruft has to go. This will be done in child tickets.

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/28544
about:tor onion along the bottom have inconsistent widths
2022-05-26T01:29:35Z
richard

See attached image. I looked into this briefly in the debugger a week or two back and the underlying cause is that the whole and half solid-fill onions do not have a css border or it's not taken into account when calculating widths

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/28323
TBB often opens on secondary monitor
2022-05-26T01:29:05Z
Trac

When starting TBB or when hitting Ctrl+Shift+U to request a new identity the browser window opens on the secondary monitor (of two total).
It is quite annoying if the secondary monitor is turned off (e.g. I sometimes use only the primary).
**Trac**:
**Username**: heyjoe

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/27732
New Identity does not reset NoScript's Temporarily Trusted settings
2022-05-26T01:24:54Z
Trac

Steps to reproduce:
1. Set any random website to Temporarily Trusted
2. Hit New Identity
3. Go back to the website later on, the temporary permission to execute JavaScript is still preserved.
This can be solved by closing and re-opening Tor Browser, however, from my understanding New Identity is supposed to handle that?
**Trac**:
**Username**: Yael

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/27452
"New Identity" does not properly clear state of the find bar
2022-05-26T01:22:31Z
Trac

I noticed an issue with Tor Browser on macOS which likely affects Tor Browser on other platforms. The issue being that pressing "New Identity" does not properly clear state of the find bar.
**Steps to reproduce:**
1) Open Tor Browser
2) Press control-f ("command-f" on macOS) to bring up the find bar
3) Type something into the find bar.
4) Press new identity
5) Press control-f ("command-f" on macOS) again to bring up the find bar. See that the previously searched text remains in the box.
**Tor Browser Alpha:**
Per arma's suggestion on IRC I tested this in Tor Browser Alpha (This build: https://people.torproject.org/~gk/builds/8.0-build5/tor-browser-linux64-8.0_en-US.tar.xz) on Linux. The bug is partially fixed. However if you click "highlight all" after entering text in the search box and then press new identity, press control-f again, the text is cleared, but the "highlight all" state remains.
**User Impact:**
This appears to be an issue resetting state of the find bar. It's unclear whether a website can access this information using Javascript, with or without user interaction. It's also unclear how long this information could persist. This could potentially reveal during a forensic search on a computer the last thing the user searched for on a page, but not what page they searched on.
It is worth investigating for other components which are not properly reset after clicking "New Identity".
**Screenshots:**
* Bug on Tor Browser Stable macOS https://image.ibb.co/bVOLkK/Screen_Shot_2018_09_04_at_8_23_20_PM.png
* Bug on Tor Browser Alpha Linux https://image.ibb.co/fiVSXz/Problem.png
**Trac**:
**Username**: nsuchy

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/26880
On macOS a list of downloaded files is kept on disk and survives New Identity
2022-05-26T01:21:26Z
Georg Koppen

On macOS a list of downloaded files is kept and survives New Identity. It might affect other platforms, too:
```
Mac [...] keeps a list of all the downloaded files. From which app(browser) and which website.
Location:
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select * from LSQuarantineEvent'
52FA128A-42E1-41E6-A0DD-5A58FB21ED7A|550679062.0|org.torproject.torbrowser|TorBrowser.app|https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSP6KTk9o7luHrlg5CoeGFLiH2RpKwEcywcgdDeVQpciZzytjaafDzkKL0v|||0||https://www.google.com/search?q=snowmountains&tbm=isch&sa=G&gbv=1&sei=h3oiW_DkC8yFgAadrJLQBQ|
```

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/26879
Disk leak on macOS due to Notification API
2022-05-26T01:20:01Z
Georg Koppen

Konark Modi reported a while ago a disk leak at least on macOS due to the Notification API. Here is the bug report:
```
The leak is caused by: https://www.w3.org/TR/notifications/ API.
Steps to reproduce:
1. Visit http://www.bennish.net/web-notifications.html
2. Temporarily allow JS.
3. Click on Authorize button.
4. Click on Show button.
5. Notification should occur.
macOS by default saves these notifications in `/private/var/folders/qs/54swlb5d1fx4hq969vdqg4rr0000gn/0/com.apple.notificationcenter/db`. It dumps the content of the notification and the website name.
This location can be found using:
Activity Monitor -> Search for process user noted -> Open files and ports -> Notifications DB.
Now, although the user opted in to these notifications, but this is an intended leak from OS level.
```

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/26322
Circuit display - UI bug - Long v3 name
2022-05-26T01:03:43Z
Antonela (antonela@torproject.org)

Just found this
https://trac.torproject.org/projects/tor/attachment/ticket/24309/VirtualBox_-linux-test_06_06_2018_20_35_03.png
testing
https://people.torproject.org/~gk/testbuilds/user_testing_antonela2/tor-browser-linux64-tbb-nightly_en-US.tar.xz
Can we use the v3 address in two lines?
https://trac.torproject.org/projects/tor/attachment/ticket/24309/060618-1.png

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/26236
"myController is null" error when closing the browser
2022-05-26T01:11:56Z
Georg Koppen

Closing Tor Browser throws a JavaScript error:
```
May 30 06:17:45.000 [notice] Owning controller connection has closed -- exiting now.
May 30 06:17:45.000 [notice] Catching signal TERM, exiting cleanly.
JavaScript error: chrome://torbutton/content/tor-circuit-display.js, line 466: TypeError: myController is null
```

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/26176
Display .onion services with "mixed" content in circuit display properly
2022-05-18T23:58:26Z
Georg Koppen

Assume you have an .onion service (say: https://blockchainbdgpzk.onion/) that includes clear-text resources (e.g. an ad iframe like https://bci-ads.blockchain.info/bci-ads/iframe).
What should the circuit display show as the circuit for this site? Clearly, the requests for the .onion service (and respective resources) and the requests stemming from the iframe can't go over the same circuit. Thus, there is no way the circuit display can show only one circuit for loading all of the website (as it ideally would).
What is happening right now: the circuit display first shows the .onion circuit. But then when the clearnet requests are issued, the code we have just replaces the first three hops of the .onion circuit with the nodes used for the clearnet resources retaining the other three hops in the display which gives the impression everything is sent over an .onion circuit.
It seems to me this is suboptimal. Better would be not to update the circuit display with the information from the clearnet circuit. But there might be an even better solution we want to deploy

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/26174
Link "Learn More" in circuit display to section in FAQ explaining why Guards don't change
2021-12-14T15:10:24Z
Arthur Edelstein

The new circuit display implemented in legacy/trac#24309 has a "Learn More" link that currently points to the Manual. But we'd like to change this to point to a location on the new website's FAQ that explains guard behavior in detail.

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/26019
Allow javascript.options.ion, javascript.options.baselinejit, and javascript.options.native_regexp at the highest security level
2022-02-03T18:44:40Z
cypherpunks

At the highest security level JavaScript for webpages is disabled, so these features cannot be used for fingerprinting and exploitation. But a large part of the browser is written in JS itself and disabling these features slows the web browser down.
I suggest to enable them for the highest security mode as a temporary solution and use 2 different settings or store their numbers as bit flags to control these features for browser GUI and webpages separately, if it is possible.

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/25764
Improve how circuits are displayed to the user on Android
2022-05-18T23:57:11Z
Antonela (antonela@torproject.org)

TBA work on parent ticket

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/25463
Learn More link fails to work from add-on preferences
2021-07-09T18:33:17Z
Mark Smith

The "Learn More" link within the Torbutton Security Settings does not work (no web page is opened) if Security Settings is opened via the add-on preferences path. This bug is present in Tor Browser 7.5 and newer at least. Steps to reproduce:
1) Start Tor Browser and connect.
2) Open about:addons
3) Click the "Preferences" button for Torbutton.
4) Click "Learn More"
I noticed this bug on macOS.

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/25340
"Restart the Tor Browser to apply updates" notification disappears with New Identity, maybe it shouldn't?
2022-05-18T23:55:50Z
cypherpunks

Imagine there's a new wild 0day of TB going on and you release an update hours after, but some user isn't attentive enough and doesn't notice the notification to update and eventually clicks on New Identity and ends up without the update taking effect for quite some time...
(Another alternative could be a forced update that forces a restart, but people won't be happy with that)

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/25134
Import strings from all locales in torbutton import-translations.sh
2022-05-18T23:55:17Z
Arthur Edelstein

I have been looking at how to add more locales to Tor Browser and I noticed that tor-launcher.git and torbutton.git handle translations differently. In tor-launcher, the script `import-translations.sh` imports new strings from all locales provided by Transifex, not just the ones deployed in Tor Browser. But in torbutton, `import-translations.sh` we are only importing strings from a specific list of locales and ignoring the rest. I would suggest we should change torbutton to import all locales, because then:
* We won't have to keep a list of locales in torbutton sync'd with Tor Browser.
* It will potentially facilitate building a multi-locale Tor Browser.

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/25082
Uploads are not cancelled when a New Identity is requested
2022-05-18T23:54:19Z
Georg Koppen

From legacy/trac#24421:
```
1. Set High security setting (I was using that one, didn't bother to see if it affects other security settings).
2. Go to the Bezos Washington Post Secure Drop: jcw5q6uyjioupxcc.onion (you can verify it here: securedrop.org/directory )
3. Click on "Submit Documents".
4. Click on "Use New Codename".
5. Select some large file (we don't want the upload to finish so we don't waste the journalists' time wasting Bezos' money) like a Tor Browser tar.gz
6. Open your Gnome System Monitor and go to "Resources" and watch the network graph. You should see the upload at its peak values.
7. Close the tab, you can see that the upload is still going.
8. Click on New Identity, again, upload is still going.
9. Close the Tor Browser, upload halts.
It works for clearnet websites as well, you can test with https://catbox.moe/ following essentially the same procedure as the last ones above (i.e. 5-9).
```
This issue is observable with Tor Browser 6.5.2 as well.

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/25072
New Identity does not clear HTTPS Everywhere extension storage
2022-05-18T23:52:10Z
Trac

When "New Identity" button is pressed, the information stored by extensions like HTTPS Everywhere is not cleared.
This might contain information, like domains which the user added as an exception.
Because, this persists on disk and is not cleared on Tor shutdown or manually clicking "New Identity", it leaves traces of users browsing habits.
Steps to reproduce:
1. Visit a website like cnn.com.
2. Click on HTTPS Everywhere Icon, and uncheck CNN.COM.
3. Restart Tor or Click on New Identity,
4. Visit the same site again, the setting is remembered by extension.
Data on disk:
~/Library/Application\ Support/TorBrowser-Data/Browser/profile/browser-extension-data/https-everywhere-eff@eff.org/storage.js:{"ruleActiveStates":{"CNN.com (partial)":false},"migration_version":1}
Ideally, extensions should be careful while saving data to disks. But maybe Tor can also clear the storage on New Identity.
**Trac**:
**Username**: kmodi

https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/24408
New Identity fails to clear unprotected cookies when private browsing mode is disabled
2022-05-18T23:50:56Z
Trac

Encountered the following:
1. If 'Always use private browsing mode' has been disabled in preferences;
2. And some cookies for **domain A** were marked as _protected_ in Cookie Protections dialog;
3. After clicking _New Identity_
4. Unprotected cookies for unrelated _domain B_ are not deleted.
Expected behavior: all cookies except the ones marked as _protected_ (i.e. for **domain A**) should have been deleted.
Using TBB 7.0.10.
**Trac**:
**Username**: theresa