torbutton issues
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues
2022-05-26T01:37:35Z

Circuit Display not shown in some cases
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/30922
2022-05-26T01:37:35Z
Alex Catarineu

To reproduce:
1. Search something via URL bar or about:tor.
2. When DDG page loads, click to show Circuit Display.
3. Open new browser window.
4. Repeat 1 and 2: Circuit Display is not shown.
This might be related to legacy/trac#30290, but did not investigate yet.

Circuit display should show original circuit for each tab
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/16936
2022-05-18T23:20:55Z
Arthur Edelstein

Instead of storing circuits per credentials, let's store them per-tab and then display the original circuit for each tab, even if that circuit has since closed and been replaced under the same credentials.

Circuit display shows bridge as *middle* hop?
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/40025
2022-12-08T15:15:31Z
Roger Dingledine

pastly points us to a recent reddit thread, where somebody has a screenshot of their Tor Browser circuit display, where the *middle* hop is labeled simply "bridge":
https://old.reddit.com/r/TOR/comments/kt5fkl/i_got_a_bridge_as_my_middle_node_is_this_normal/
My first theory is that Tor Browser (Torbutton? Tor Launcher?) is doing a lookup, failing to find something, and has logic to say the word 'bridge' when the lookup fails.
That is, it seems much more likely that the *labeling* is wrong than that Tor somehow stuck a bridge in the middle hop.

clean up torbutton use of Mozilla services
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/13198
2022-03-17T21:00:24Z
Arthur Edelstein

Most of the invocations to `Cc...getService` in the torbutton JS code are unnecessary. Writing a patch to clean it up.

Clear Memory-Only Intermediate Cert Store
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/2739
2022-03-16T22:39:49Z
Mike Perry

The Intermediate Certificate store is not cleared by nsIDOMCrypto::logout() or our old ssl hack. We need to clear this, but we are probably blocked on this Firefox Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=435159 (fixed)

Tor Browser: 11.0 Issues with previous release

Clicking the 'new Identity' button in full screen on macOS causes the top and bottom of the browser to show white bars that do not go away
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/32138
2022-05-26T01:55:44Z
Trac

Full-screening TorBrowser then clicking the 'new Identity' button causes tor browser to come out of full screen and the top and bottom of the browser have large white bars.
1. Open TorBrowser 9.0a8 on macOS 10.15 and click the green full screen button.
2. Click the 'new Identity' button and choose to have a new Identity. Image attached showing the white bars.
**Trac**:
**Username**: Dbryrtfbcbhgf

Consider protection against requests going through catch-all circuit
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/31066
2022-05-26T01:39:57Z
Alex Catarineu

While taking a look at upstreaming legacy/trac#26353 to Firefox I was thinking whether it would make sense to have some mitigations to reduce potential anonymity loss if there are requests unintentionally going through the catch-all circuit. We currently isolate requests by `originAttributes.firstPartyDomain`. If `originAttributes.firstPartyDomain` is empty, then the request goes to the catch-all circuit (socks username `--unknown--`).
I would suggest changing this and proxying with socks username `--unknown--|||firstPartyDomain(request)` instead, where `firstPartyDomain` is calculated as if the request host was the origin. I think this can only improve user anonymity wrt current behaviour, at the cost of potentially worse network performance (more circuits). But I think there should not be many cases where `firstPartyDomain` is empty, and also not so many `--unknown-- + domain` combinations to make this a performance issue. I think it should be seen just as a mitigation for the potential cases in Tor Browser that might not obey first party isolation.
Not sure if this has already been discussed in the past, but I thought it might be interesting to consider.

Ctrl+Shift+U shortcut on GTK systems does not work with focus on textboxes
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/19211
2022-05-18T23:32:38Z
Georg Koppen

https://blog.torproject.org/blog/tor-browser-60-released#comment-183119 reports that our new circuit shortcut is not as universally usable as we thought. :(

Disable bookmark backups (easy fix) (!)
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/17584
2022-05-18T23:21:56Z
cypherpunks

Tor browser shouldn't backup bookmarks at all and even when bookmarks are deleted, old backups remain in:
/Browser/TorBrowser/Data/Browser/profile.default/bookmarkbackups

Disk leak on macOS due to Notification API
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/26879
2022-05-26T01:20:01Z
Georg Koppen

Konark Modi reported a while ago a disk leak at least on macOS due to the Notification API. Here is the bug report:
```
The leak is caused by: https://www.w3.org/TR/notifications/ API.
Steps to reproduce:
1. Visit http://www.bennish.net/web-notifications.html
2. Temporarily allow JS.
3. Click on Authorize button.
4. Click on Show button.
5. Notification should occur.
macOS by default saves these notifications in `/private/var/folders/qs/54swlb5d1fx4hq969vdqg4rr0000gn/0/com.apple.notificationcenter/db`. It dumps the content of the notification and the website name.
This location can be found using:
Activity Monitor -> Search for process user noted -> Open files and ports -> Notifications DB.
Now, although the user opted in to these notifications, this is an intended leak from OS level.
```

Display .onion services with "mixed" content in circuit display properly
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/26176
2022-05-18T23:58:26Z
Georg Koppen

Assume you have an .onion service (say: https://blockchainbdgpzk.onion/) that includes clear-text resources (e.g. an ad iframe like https://bci-ads.blockchain.info/bci-ads/iframe).
What should the circuit display show as the circuit for this site? Clearly, the requests for the .onion service (and respective resources) and the requests stemming from the iframe can't go over the same circuit. Thus, there is no way the circuit display can show only one circuit for loading all of the website (as it ideally would).
What is happening right now: the circuit display first shows the .onion circuit. But then when the clearnet requests are issued, the code we have just replaces the first three hops of the .onion circuit with the nodes used for the clearnet resources retaining the other three hops in the display which gives the impression everything is sent over an .onion circuit.
It seems to me this is suboptimal. Better would be not to update the circuit display with the information from the clearnet circuit. But there might be an even better solution we want to deploy

DocShell is null for every tab during New Identity on Win 7
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/22040
2022-05-18T23:39:50Z
cypherpunks

(As mcs asked)
```
[...] Torbutton WARN: DocShell is null for: https://trac.torproject.org/projects/tor/timeline
```

DuckDuckGo redirect to html doesn't work
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/40030
2021-06-03T14:38:53Z
HackerNCoder
hackerncoder@encryptionin.space

A few users over at [reddit](https://old.reddit.com/r/TOR/comments/lm8fgr/tor_browser_not_working_for_anyone_else/) have noticed that DuckDuckGo, Startpage and other such sites do not redirect to their non-javascript versions or work suddenly when using safest security level.
I believe I have narrowed down the problem to the new feature to disallow noscript (the HTML element) in NoScript (the extension). Setting DDG and Startpage to custom and allowing noscript made them work.
Because of how Tor Browser does NoScript options, restarting or changing security level will make the user have to enable the noscript tag again.
I recommend that the noscript tag be added on the safest.

Tor Browser: 10.0

Enable NoScript's unrestricted CSS capability?
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/40038
2021-07-09T18:33:17Z
Matthew Finkel

https://blog.torproject.org/comment/291754#comment-291754 suggests we need a similar fix as #40030 for `unrestricted CSS`.

Exception when running the garbage collection during new identity
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/29334
2022-05-26T01:30:07Z
Georg Koppen

During `New Identity` we run some fancy code to make sure we really have a clean state after closing and reopening the browser:
```
// Run garbage collection and cycle collection after window is gone.
// This ensures that blob URIs are forgotten.
window.addEventListener("unload", function (event) {
  torbutton_log(3, "Initiating New Identity GC pass");
  // Clear out potential pending sInterSliceGCTimer:
  m_tb_domWindowUtils.runNextCollectorTimer();
  // Clear out potential pending sICCTimer:
  m_tb_domWindowUtils.runNextCollectorTimer();
  // Schedule a garbage collection in 4000-1000ms...
  m_tb_domWindowUtils.garbageCollect();
  // To ensure the GC runs immediately instead of 4-10s from now, we need
  // to poke it at least 11 times.
  // We need 5 pokes for GC, 1 poke for the interSliceGC, and 5 pokes for CC.
  // See nsJSContext::RunNextCollectorTimer() in
  // https://mxr.mozilla.org/mozilla-central/source/dom/base/nsJSEnvironment.cpp#1970.
  // XXX: We might want to make our own method for immediate full GC...
  for (let poke = 0; poke < 11; poke++) {
    m_tb_domWindowUtils.runNextCollectorTimer();
  }
  // And now, since the GC probably actually ran *after* the CC last time,
  // run the whole thing again.
  m_tb_domWindowUtils.garbageCollect();
  for (let poke = 0; poke < 11; poke++) {
    m_tb_domWindowUtils.runNextCollectorTimer();
  }
```
That leads to an exception in `chrome://extensions/content/ext-tabs-base.js` in some cases at
```
get frameLoader() {
  return this.browser.frameLoader;
```
as it is not guaranteed that `browser` is still a thing during that operation. An example where this occurs is
1) On `about:page` open the link to our newsletter in a new tab
2) Open the browser console
3) Hit `New Identity`
This got reported on our blog https://blog.torproject.org/comment/279507#comment-279507 ff.

Facebook's onion site is a single hop onion, but clicking on the Tor onion icon shows that it is a 6 hop circuit.
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/23875
2022-05-18T23:45:16Z
Trac

Facebook's onion site is a single hop onion, but clicking on the Tor onion icon shows that it is a 6 hop circuit.
Roger Dingledine said at Def Con that facebook uses a single hop, here https://youtu.be/Di7qAVidy1Y?t=2135
1. Go to facebookcorewwwi.onion
2. click on the onion icon in the upper left and it should show that it is a 6 hop circuit, even though it should show that it is a 4 hop circuit.
Tested on 7.0.6 and 7.5a5.
**Trac**:
**Username**: Dbryrtfbcbhgf

Fix torbutton proxy api due to change in Firefox 77.
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/34125
2021-07-09T18:33:17Z
Alex Catarineu

We should fix torbutton code due to the breaking API change in `nsIProtocolProxyFilter` from https://bugzilla.mozilla.org/show_bug.cgi?id=1584797.

Google Drive/Docs do not work in Tor Browser
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/14089
2022-02-03T18:37:53Z
Trac

## Versions
Tor Browser 4.0.2 (Firefox 31.3.0) on Mac OS 10.9.5
## STR
1. Open new Tor Browser session.
2. Navigate to drive.google.com and log in with a valid Google Account.
## Expected Result
The page loads without errors. I am able to use the features of Google Drive, such as creating new documents and editing existing documents.
## Actual Result
After the page loads, I see an error message, "There were some problems loading your apps" displayed on the page in a red notification box directly underneath the "Search Drive" input field. After some time elapses, this message changes to "Data load timed out."
Beyond these explicit error messages, the site is generally unusable. It is not possible to create new documents because New > New File doesn't list any file types, as it does in a normal browser. It is not possible to edit existing documents - when double-clicked, there is no "Open" button in the subsequent lightbox view of the document, so the document cannot be opened in Google Docs for editing.
In the Browser Console, I note multiple instances of "[01-02 20:25:10] Torbutton NOTE: Removing 3rd party HTTP auth for url [scrubbed]" which seems related to my activity on Google Drive. As I continue to try to use the site, an increasing amount of these errors are logged.
## Additional notes
I have been able to reproduce these errors with the following configurations:
1. Tor Browser with HTTPS-Everywhere disabled
2. Tor Browser with NoScript disabled
3. Tor Browser with HTTPS-Everywhere and NoScript disabled
I have been *unable* to reproduce the errors from the STR in:
1. Firefox ESR 31.3.0
This suggests that the errors are not due to any of the following:
1. Bugs in the Firefox ESR that Tor is based on
2. Lack of support from Google for the older version of Firefox that Tor Browser is based on
3. HTTPS-Everywhere
4. NoScript
The messages in the Browser Console suggest that TorButton may be involved.
**Trac**:
**Username**: garrettr

History not being deleted in TBB after disabling and enabling Private Browsing Mode
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/10493
2021-07-23T14:45:51Z
Matt Pagan

When using the Tor Browser Bundle with a Tor router or transparent torification, browsing history is not being deleted when you request a new identity with Torbutton or when you close the browser and start it again.

Implement tor-button changes needed to take advantage of improved bridge info query API in tor
https://gitlab.torproject.org/tpo/applications/torbutton/-/issues/32205
2022-05-26T02:00:38Z
richard

Some changes to tor-button will be needed to properly display the information of user-provided bridges without a fingerprint in the circuit display. Whichever path outlined in legacy/trac#32204 is done, the work needed in Tor Browser is a minimal amount of javascript in tor-button.