January 2021 - tbb-commits - lists.torproject.org

[tor-browser/tor-browser-85.0b1-10.5-1] Bug 28125 - Prevent non-Necko network connections
by gk＠torproject.org 12 Jan '21

12 Jan '21

commit 1f1a8c84d40185646f8ee2c8c1826980a78d153c Author: Matthew Finkel <Matthew.Finkel(a)gmail.com> Date: Thu Oct 25 19:17:09 2018 +0000 Bug 28125 - Prevent non-Necko network connections --- .../gecko/media/GeckoMediaDrmBridgeV21.java | 49 +--------------------- .../exoplayer2/upstream/DefaultHttpDataSource.java | 47 ++------------------- 2 files changed, 4 insertions(+), 92 deletions(-) diff --git a/mobile/android/geckoview/src/main/java/org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java b/mobile/android/geckoview/src/main/java/org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java index 3ba59bfd6776..eb57b1013642 100644 --- a/mobile/android/geckoview/src/main/java/org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java +++ b/mobile/android/geckoview/src/main/java/org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java @@ -488,54 +488,7 @@ public class GeckoMediaDrmBridgeV21 implements GeckoMediaDrm { @Override protected Void doInBackground(final Void... params) { - HttpURLConnection urlConnection = null; - BufferedReader in = null; - try { - URI finalURI = new URI(mURL + "&signedRequest=" + URLEncoder.encode(new String(mDrmRequest), "UTF-8")); - urlConnection = (HttpURLConnection) ProxySelector.openConnectionWithProxy(finalURI); - urlConnection.setRequestMethod("POST"); - if (DEBUG) Log.d(LOGTAG, "Provisioning, posting url =" + finalURI.toString()); - - // Add data - urlConnection.setRequestProperty("Accept", "*/*"); - urlConnection.setRequestProperty("User-Agent", getCDMUserAgent()); - urlConnection.setRequestProperty("Content-Type", "application/json"); - - // Execute HTTP Post Request - urlConnection.connect(); - - int responseCode = urlConnection.getResponseCode(); - if (responseCode == HttpURLConnection.HTTP_OK) { - in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream(), StringUtils.UTF_8)); - String inputLine; - StringBuffer response = new StringBuffer(); - - while ((inputLine = in.readLine()) != null) { - response.append(inputLine); - } - in.close(); - mResponseBody = String.valueOf(response).getBytes(StringUtils.UTF_8); - if (DEBUG) Log.d(LOGTAG, "Provisioning, response received."); - if (mResponseBody != null) Log.d(LOGTAG, "response length=" + mResponseBody.length); - } else { - Log.d(LOGTAG, "Provisioning, server returned HTTP error code :" + responseCode); - } - } catch (IOException e) { - Log.e(LOGTAG, "Got exception during posting provisioning request ...", e); - } catch (URISyntaxException e) { - Log.e(LOGTAG, "Got exception during creating uri ...", e); - } finally { - if (urlConnection != null) { - urlConnection.disconnect(); - } - try { - if (in != null) { - in.close(); - } - } catch (IOException e) { - Log.e(LOGTAG, "Exception during closing in ...", e); - } - } + Log.i(LOGTAG, "This is Tor Browser. Skipping."); return null; } diff --git a/mobile/android/geckoview/src/thirdparty/java/org/mozilla/thirdparty/com/google/android/exoplayer2/upstream/DefaultHttpDataSource.java b/mobile/android/geckoview/src/thirdparty/java/org/mozilla/thirdparty/com/google/android/exoplayer2/upstream/DefaultHttpDataSource.java index 6e5095b0a4c9..a585e283ed4e 100644 --- a/mobile/android/geckoview/src/thirdparty/java/org/mozilla/thirdparty/com/google/android/exoplayer2/upstream/DefaultHttpDataSource.java +++ b/mobile/android/geckoview/src/thirdparty/java/org/mozilla/thirdparty/com/google/android/exoplayer2/upstream/DefaultHttpDataSource.java @@ -46,6 +46,7 @@ import java.util.regex.Pattern; import java.util.zip.GZIPInputStream; import org.mozilla.gecko.util.ProxySelector; + /** * An {@link HttpDataSource} that uses Android's {@link HttpURLConnection}. * @@ -516,50 +517,8 @@ public class DefaultHttpDataSource extends BaseDataSource implements HttpDataSou boolean followRedirects, Map<String, String> requestParameters) throws IOException, URISyntaxException { - /** - * Tor Project modified the way the connection object was created. For the sake of - * simplicity, instead of duplicating the whole file we changed the connection object - * to use the ProxySelector. - */ - HttpURLConnection connection = (HttpURLConnection) ProxySelector.openConnectionWithProxy(url.toURI()); - - connection.setConnectTimeout(connectTimeoutMillis); - connection.setReadTimeout(readTimeoutMillis); - - Map<String, String> requestHeaders = new HashMap<>(); - if (defaultRequestProperties != null) { - requestHeaders.putAll(defaultRequestProperties.getSnapshot()); - } - requestHeaders.putAll(requestProperties.getSnapshot()); - requestHeaders.putAll(requestParameters); - - for (Map.Entry<String, String> property : requestHeaders.entrySet()) { - connection.setRequestProperty(property.getKey(), property.getValue()); - } - - if (!(position == 0 && length == C.LENGTH_UNSET)) { - String rangeRequest = "bytes=" + position + "-"; - if (length != C.LENGTH_UNSET) { - rangeRequest += (position + length - 1); - } - connection.setRequestProperty("Range", rangeRequest); - } - connection.setRequestProperty("User-Agent", userAgent); - connection.setRequestProperty("Accept-Encoding", allowGzip ? "gzip" : "identity"); - connection.setInstanceFollowRedirects(followRedirects); - connection.setDoOutput(httpBody != null); - connection.setRequestMethod(DataSpec.getStringForHttpMethod(httpMethod)); - - if (httpBody != null) { - connection.setFixedLengthStreamingMode(httpBody.length); - connection.connect(); - OutputStream os = connection.getOutputStream(); - os.write(httpBody); - os.close(); - } else { - connection.connect(); - } - return connection; + Log.i(TAG, "This is Tor Browser. Skipping."); + throw new IOException(); } /** Creates an {@link HttpURLConnection} that is connected with the {@code url}. */

1 0

[tor-browser/tor-browser-85.0b1-10.5-1] Bug 32418: Allow updates to be disabled via an enterprise policy.
by gk＠torproject.org 12 Jan '21

12 Jan '21

commit 949412ba7c272289dbcc6eb4c456af37f70378e2 Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Thu Apr 16 17:07:09 2020 -0400 Bug 32418: Allow updates to be disabled via an enterprise policy. Restrict the Enterprise Policies mechanism to only consult a policies.json file (avoiding the Windows Registry and macOS's file system attributes). Add a few disabledByPolicy() checks to the update service to avoid extraneous (and potentially confusing) log messages when updates are disabled by policy. Sample content for distribution/policies.json: { "policies": { "DisableAppUpdate": true } } On Linux, avoid reading policies from /etc/firefox/policies/policies.json --- .../enterprisepolicies/EnterprisePoliciesParent.jsm | 14 ++++++++++++-- toolkit/components/enterprisepolicies/moz.build | 3 +++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm b/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm index 8b0a5170cbdd..38e2c2b36a24 100644 --- a/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm +++ b/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.jsm @@ -4,6 +4,10 @@ var EXPORTED_SYMBOLS = ["EnterprisePoliciesManager"]; +// To ensure that policies intended for Firefox or another browser will not +// be used, Tor Browser only looks for policies in ${InstallDir}/distribution +#define AVOID_SYSTEM_POLICIES MOZ_PROXY_BYPASS_PROTECTION + const { XPCOMUtils } = ChromeUtils.import( "resource://gre/modules/XPCOMUtils.jsm" ); @@ -13,9 +17,11 @@ const { AppConstants } = ChromeUtils.import( ); XPCOMUtils.defineLazyModuleGetters(this, { +#ifndef AVOID_SYSTEM_POLICIES WindowsGPOParser: "resource://gre/modules/policies/WindowsGPOParser.jsm", macOSPoliciesParser: "resource://gre/modules/policies/macOSPoliciesParser.jsm", +#endif Policies: "resource:///modules/policies/Policies.jsm", JsonSchemaValidator: "resource://gre/modules/components-utils/JsonSchemaValidator.jsm", @@ -137,6 +143,7 @@ EnterprisePoliciesManager.prototype = { _chooseProvider() { let provider = null; +#ifndef AVOID_SYSTEM_POLICIES if (AppConstants.platform == "win") { provider = new WindowsGPOPoliciesProvider(); } else if (AppConstants.platform == "macosx") { @@ -145,6 +152,7 @@ EnterprisePoliciesManager.prototype = { if (provider && provider.hasPolicies) { return provider; } +#endif provider = new JSONPoliciesProvider(); if (provider.hasPolicies) { @@ -495,7 +503,7 @@ class JSONPoliciesProvider { _getConfigurationFile() { let configFile = null; - +#ifndef AVOID_SYSTEM_POLICIES if (AppConstants.platform == "linux") { let systemConfigFile = Cc["@mozilla.org/file/local;1"].createInstance( Ci.nsIFile @@ -508,7 +516,7 @@ class JSONPoliciesProvider { return systemConfigFile; } } - +#endif try { let perUserPath = Services.prefs.getBoolPref(PREF_PER_USER_DIR, false); if (perUserPath) { @@ -589,6 +597,7 @@ class JSONPoliciesProvider { } } +#ifndef AVOID_SYSTEM_POLICIES class WindowsGPOPoliciesProvider { constructor() { this._policies = null; @@ -654,3 +663,4 @@ class macOSPoliciesProvider { return this._failed; } } +#endif diff --git a/toolkit/components/enterprisepolicies/moz.build b/toolkit/components/enterprisepolicies/moz.build index 09d2046e1bd7..3f685d3fbbd6 100644 --- a/toolkit/components/enterprisepolicies/moz.build +++ b/toolkit/components/enterprisepolicies/moz.build @@ -19,6 +19,9 @@ if CONFIG["MOZ_WIDGET_TOOLKIT"] != "android": EXTRA_JS_MODULES += [ "EnterprisePolicies.jsm", "EnterprisePoliciesContent.jsm", + ] + + EXTRA_PP_JS_MODULES += [ "EnterprisePoliciesParent.jsm", ]

1 0

[tor-browser/tor-browser-85.0b1-10.5-1] fixup! Omnibox: Add DDG, Startpage, Disconnect, Youtube, Twitter; remove Amazon, eBay, bing
by gk＠torproject.org 12 Jan '21

12 Jan '21

commit 5078ee1f284b7dcb0893e76241f28b9c9fc7d3c9 Author: Alex Catarineu <acat(a)torproject.org> Date: Wed Nov 4 21:04:52 2020 +0100 fixup! Omnibox: Add DDG, Startpage, Disconnect, Youtube, Twitter; remove Amazon, eBay, bing --- tbb-tests/browser_tor_omnibox.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tbb-tests/browser_tor_omnibox.js b/tbb-tests/browser_tor_omnibox.js index e18b2a84a3d8..f3efd0c3da5e 100644 --- a/tbb-tests/browser_tor_omnibox.js +++ b/tbb-tests/browser_tor_omnibox.js @@ -1,14 +1,14 @@ // # Test Tor Omnibox // Check what search engines are installed in the search box. -function test() { +add_task(async function() { // Grab engine IDs. let browserSearchService = Components.classes["@mozilla.org/browser/search-service;1"] - .getService(Components.interfaces.nsIBrowserSearchService), - engineIDs = browserSearchService.getEngines().map(e => e.identifier); + .getService(Components.interfaces.nsISearchService), + engineIDs = (await browserSearchService.getEngines()).map(e => e.identifier); // Check that we have the correct engines installed, in the right order. is(engineIDs[0], "ddg", "Default search engine is duckduckgo"); is(engineIDs[1], "youtube", "Secondary search engine is youtube"); is(engineIDs[2], "google", "Google is third search engine"); -} +});

1 0

[tor-browser/tor-browser-85.0b1-10.5-1] Bug 33852: Clean up about:logins (LockWise) to avoid mentioning sync, etc.
by gk＠torproject.org 12 Jan '21

12 Jan '21

commit b8244d7c24c68f65cfae524a5b8641fadb32684f Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Tue Jul 14 11:15:07 2020 -0400 Bug 33852: Clean up about:logins (LockWise) to avoid mentioning sync, etc. Hide elements on about:logins that mention sync, "Firefox LockWise", and Mozilla's LockWise mobile apps. Disable the "Create New Login" button when security.nocertdb is true. --- browser/components/aboutlogins/AboutLoginsParent.jsm | 2 ++ browser/components/aboutlogins/content/aboutLogins.css | 8 +++++++- browser/components/aboutlogins/content/aboutLogins.js | 6 ++++++ .../aboutlogins/content/components/fxaccounts-button.css | 5 +++++ .../components/aboutlogins/content/components/menu-button.css | 10 ++++++++++ 5 files changed, 30 insertions(+), 1 deletion(-) diff --git a/browser/components/aboutlogins/AboutLoginsParent.jsm b/browser/components/aboutlogins/AboutLoginsParent.jsm index 5475ba973f3a..e3cc00d9cd2f 100644 --- a/browser/components/aboutlogins/AboutLoginsParent.jsm +++ b/browser/components/aboutlogins/AboutLoginsParent.jsm @@ -62,6 +62,7 @@ const PASSWORD_SYNC_NOTIFICATION_ID = "enable-password-sync"; const SHOW_PASSWORD_SYNC_NOTIFICATION_PREF = "signon.management.page.showPasswordSyncNotification"; +const NOCERTDB_PREF = "security.nocertdb"; // about:logins will always use the privileged content process, // even if it is disabled for other consumers such as about:newtab. @@ -265,6 +266,7 @@ class AboutLoginsParent extends JSWindowActorParent { importVisible: Services.policies.isAllowed("profileImport") && AppConstants.platform != "linux", + canCreateLogins: !Services.prefs.getBoolPref(NOCERTDB_PREF, false), }); await AboutLogins._sendAllLoginRelatedObjects( diff --git a/browser/components/aboutlogins/content/aboutLogins.css b/browser/components/aboutlogins/content/aboutLogins.css index 79d46c336cc9..d3dd02f80b89 100644 --- a/browser/components/aboutlogins/content/aboutLogins.css +++ b/browser/components/aboutlogins/content/aboutLogins.css @@ -69,6 +69,11 @@ login-item { grid-area: login; } +/* Do not promote Mozilla Sync in Tor Browser. */ +login-intro { + display: none !important; +} + #branding-logo { flex-basis: var(--sidebar-width); flex-shrink: 0; @@ -83,7 +88,8 @@ login-item { } } -:root:not(.official-branding) #branding-logo { +/* Hide "Firefox LockWise" branding in Tor Browser. */ +#branding-logo { visibility: hidden; } diff --git a/browser/components/aboutlogins/content/aboutLogins.js b/browser/components/aboutlogins/content/aboutLogins.js index 75c154d328c7..f6670d0d4daa 100644 --- a/browser/components/aboutlogins/content/aboutLogins.js +++ b/browser/components/aboutlogins/content/aboutLogins.js @@ -22,6 +22,9 @@ const gElements = { ".menuitem-remove-all-logins" ); }, + get createNewLoginButton() { + return this.loginList.shadowRoot.querySelector(".create-login-button"); + }, }; let numberOfLogins = 0; @@ -105,6 +108,9 @@ window.addEventListener("AboutLoginsChromeToContent", event => { gElements.loginList.setSortDirection(event.detail.value.selectedSort); document.documentElement.classList.add("initialized"); gElements.loginList.classList.add("initialized"); + if (!event.detail.value.canCreateLogins) { + gElements.createNewLoginButton.disabled = true; + } break; } case "ShowLoginItemError": { diff --git a/browser/components/aboutlogins/content/components/fxaccounts-button.css b/browser/components/aboutlogins/content/components/fxaccounts-button.css index e63192a98e3a..c59eda2dec56 100644 --- a/browser/components/aboutlogins/content/components/fxaccounts-button.css +++ b/browser/components/aboutlogins/content/components/fxaccounts-button.css @@ -8,6 +8,11 @@ align-items: center; } +/* Do not promote Mozilla Sync in Tor Browser. */ +.logged-out-view { + display: none !important; +} + .fxaccounts-extra-text { /* Only show at most 3 lines of text to limit the text from overflowing the header. */ diff --git a/browser/components/aboutlogins/content/components/menu-button.css b/browser/components/aboutlogins/content/components/menu-button.css index 54cafbc98f96..bcf8faeb7b11 100644 --- a/browser/components/aboutlogins/content/components/menu-button.css +++ b/browser/components/aboutlogins/content/components/menu-button.css @@ -85,3 +85,13 @@ .menuitem-preferences { background-image: url("chrome://global/skin/icons/settings.svg"); } + +/* + * Do not promote LockWise mobile apps in Tor Browser: hide the menu items + * and the separator line that precedes them. + */ +.menuitem-mobile-android, +.menuitem-mobile-ios, +button[data-event-name="AboutLoginsGetHelp"] + hr { + display: none !important; +}

1 0

[tor-browser/tor-browser-85.0b1-10.5-1] fixup! Bug 12620: TorBrowser regression tests
by gk＠torproject.org 12 Jan '21

12 Jan '21

commit ec7d62efc2713711c2a0a44ad850297dbb8f68c1 Author: Alex Catarineu <acat(a)torproject.org> Date: Wed Nov 4 20:55:03 2020 +0100 fixup! Bug 12620: TorBrowser regression tests --- tbb-tests/browser_tor_TB4.js | 141 +++---------------------------------------- 1 file changed, 8 insertions(+), 133 deletions(-) diff --git a/tbb-tests/browser_tor_TB4.js b/tbb-tests/browser_tor_TB4.js index af688bee0226..f08d086e3815 100644 --- a/tbb-tests/browser_tor_TB4.js +++ b/tbb-tests/browser_tor_TB4.js @@ -3,151 +3,26 @@ // decides if it is set as expected. // TODO: Write unit tests to check that each pref setting here -// causes the browser to have the desired behavior (a big task). +// causes the browser to have the desired behavior (a big task). function test() { let expectedPrefs = [ - // Disable browser auto updaters and associated homepage notifications - ["app.update.auto", false], - ["app.update.enabled", false], - ["browser.search.update", false], - ["browser.rights.3.shown", true], - ["browser.startup.homepage_override.mstone", "ignore"], - ["startup.homepage_welcome_url", ""], - ["startup.homepage_override_url", ""], + // Homepage + ["browser.startup.homepage", "about:tor"], // Disable the "Refresh" prompt that is displayed for stale profiles. ["browser.disableResetPrompt", true], - // Disk activity: Disable Browsing History Storage - ["browser.privatebrowsing.autostart", true], - ["browser.cache.disk.enable", false], - ["browser.cache.offline.enable", false], - ["dom.indexedDB.enabled", false], - ["permissions.memory_only", true], - ["network.cookie.lifetimePolicy", 2], - ["security.nocertdb", true], - - // Disk activity: TBB Directory Isolation - ["browser.download.useDownloadDir", false], - ["browser.shell.checkDefaultBrowser", false], - ["browser.download.manager.addToRecentDocs", false], - - // Misc privacy: Disk - ["signon.rememberSignons", false], - ["browser.formfill.enable", false], - ["signon.autofillForms", false], - ["browser.sessionstore.privacy_level", 2], - ["media.cache_size", 0], - - // Misc privacy: Remote - ["browser.send_pings", false], - ["geo.enabled", false], - ["geo.wifi.uri", ""], - ["browser.search.suggest.enabled", false], - ["browser.safebrowsing.malware.enabled", false], - ["extensions.ui.lastCategory", "addons://list/extension"], - ["datareporting.healthreport.uploadEnabled", false], - ["datareporting.policy.dataSubmissionEnabled", false], - ["security.mixed_content.block_active_content", false], // Disable until https://bugzilla.mozilla.org/show_bug.cgi?id=878890 is patched - ["browser.syncPromoViewsLeftMap", "{\"addons\":0, \"passwords\":0, \"bookmarks\":0}"], // Don't promote sync - ["services.sync.engine.prefs", false], // Never sync prefs, addons, or tabs with other browsers - ["services.sync.engine.addons", false], - ["services.sync.engine.tabs", false], - ["extensions.getAddons.cache.enabled", false], // https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/ - - // Fingerprinting - ["webgl.min_capability_mode", true], - ["webgl.disable-extensions", true], - ["dom.battery.enabled", false], // fingerprinting due to differing OS implementations - ["browser.display.max_font_attempts",10], - ["browser.display.max_font_count",10], - ["gfx.downloadable_fonts.fallback_delay", -1], - ["browser.startup.homepage_override.buildID", "20100101"], - - // Third party stuff - ["network.cookie.cookieBehavior", 1], - ["security.enable_tls_session_tickets", false], - ["network.http.spdy.enabled", false], // Stores state and may have keepalive issues (both fixable) - ["network.http.spdy.enabled.v2", false], // Seems redundant, but just in case - ["network.http.spdy.enabled.v3", false], // Seems redundant, but just in case - - // Proxy and proxy security - ["network.proxy.socks", "127.0.0.1"], - ["network.proxy.socks_port", 9150], - ["network.proxy.socks_remote_dns", true], - ["network.proxy.no_proxies_on", ""], // For fingerprinting and local service vulns (#10419) - ["network.proxy.type", 1], - ["network.security.ports.banned", "9050,9051,9150,9151"], - ["network.dns.disablePrefetch", true], - ["network.protocol-handler.external-default", false], - ["network.protocol-handler.external.mailto", false], - ["network.protocol-handler.external.news", false], - ["network.protocol-handler.external.nntp", false], - ["network.protocol-handler.external.snews", false], - ["network.protocol-handler.warn-external.mailto", true], - ["network.protocol-handler.warn-external.news", true], - ["network.protocol-handler.warn-external.nntp", true], - ["network.protocol-handler.warn-external.snews", true], - - // Network and performance - ["network.http.pipelining", true], - ["network.http.pipelining.aggressive", true], - ["network.http.pipelining.maxrequests", 12], - ["network.http.pipelining.ssl", true], - ["network.http.proxy.pipelining", true], - ["security.ssl.enable_false_start", true], - ["network.http.keep-alive.timeout", 20], - ["network.http.connection-retry-timeout", 0], - ["network.http.max-persistent-connections-per-proxy", 256], - ["network.http.pipelining.reschedule-timeout", 15000], - ["network.http.pipelining.read-timeout", 60000], - // Hacked pref: Now means "Attempt to pipeline at least this many requests together" - ["network.http.pipelining.max-optimistic-requests", 3], - ["security.disable_session_identifiers", true], - - // Extension support - ["extensions.autoDisableScopes", 0], - ["extensions.bootstrappedAddons", "{}"], - ["extensions.checkCompatibility.4.*", false], - ["extensions.databaseSchema", 3], - ["extensions.enabledAddons", "https-everywhere%40eff.org:3.1.4,%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.6.1,torbutton%40torproject.org:1.5.2,ubufox%40ubuntu.com:2.6,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.5"], - ["extensions.enabledItems", "langpack-en-US@firefox.mozilla.org:,{73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.57,{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}:1.2.4,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.8"], - ["extensions.enabledScopes", 1], - ["extensions.pendingOperations", false], - ["xpinstall.whitelist.add", ""], - ["xpinstall.whitelist.add.36", ""], - - // Omnibox settings - ["keyword.URL", "https://startpage.com/do/search?q="], - - // Hacks/workarounds: Direct2D seems to crash w/ lots of video cards w/ MinGW? - // Nvida cards also experience crashes without the second pref set to disabled - ["gfx.direct2d.disabled", true], - ["layers.acceleration.disabled", true], - - // Security enhancements - // https://trac.torproject.org/projects/tor/ticket/9387#comment:17 - ["javascript.options.ion.content", false], - ["javascript.options.baselinejit.content", false], - ["javascript.options.asmjs", false], - ["javascript.options.typeinference", false], - - // Enable TLS 1.1 and 1.2: - // https://trac.torproject.org/projects/tor/ticket/11253 - ["security.tls.version.max", 3], - // Version placeholder - ["torbrowser.version", "UNKNOWN"], - + ["torbrowser.version", "dev-build"], ]; let getPref = function (prefName) { - let type = gPrefService.getPrefType(prefName); - if (type === gPrefService.PREF_INT) return gPrefService.getIntPref(prefName); - if (type === gPrefService.PREF_BOOL) return gPrefService.getBoolPref(prefName); - if (type === gPrefService.PREF_STRING) return gPrefService.getCharPref(prefName); + let type = Services.prefs.getPrefType(prefName); + if (type === Services.prefs.PREF_INT) return Services.prefs.getIntPref(prefName); + if (type === Services.prefs.PREF_BOOL) return Services.prefs.getBoolPref(prefName); + if (type === Services.prefs.PREF_STRING) return Services.prefs.getCharPref(prefName); // Something went wrong. throw new Error("Can't access pref " + prefName); };

1 0

[tor-browser/tor-browser-85.0b1-10.5-1] Bug 40002: Remove about:ion
by gk＠torproject.org 12 Jan '21

12 Jan '21

commit dbf2115e758fec2e685813fa4341ec2ebca2cce0 Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Fri Aug 14 09:06:33 2020 -0400 Bug 40002: Remove about:ion Firefox Ion (previously Firefox Pioneer) is an opt-in program in which people volunteer to participate in studies that collect detailed, sensitive data about how they use their browser. --- browser/components/about/AboutRedirector.cpp | 2 -- browser/components/about/components.conf | 1 - 2 files changed, 3 deletions(-) diff --git a/browser/components/about/AboutRedirector.cpp b/browser/components/about/AboutRedirector.cpp index cdb84d4ed9cd..27c5b687c0d2 100644 --- a/browser/components/about/AboutRedirector.cpp +++ b/browser/components/about/AboutRedirector.cpp @@ -114,8 +114,6 @@ static const RedirEntry kRedirMap[] = { nsIAboutModule::URI_MUST_LOAD_IN_CHILD | nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT | nsIAboutModule::ALLOW_SCRIPT | nsIAboutModule::HIDE_FROM_ABOUTABOUT}, - {"ion", "chrome://browser/content/ion.html", - nsIAboutModule::ALLOW_SCRIPT | nsIAboutModule::HIDE_FROM_ABOUTABOUT}, #ifdef TOR_BROWSER_UPDATE {"tbupdate", "chrome://browser/content/abouttbupdate/aboutTBUpdate.xhtml", nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT | diff --git a/browser/components/about/components.conf b/browser/components/about/components.conf index 290fce3feed9..8e04467c05da 100644 --- a/browser/components/about/components.conf +++ b/browser/components/about/components.conf @@ -14,7 +14,6 @@ pages = [ 'logins', 'newinstall', 'newtab', - 'ion', 'pocket-saved', 'pocket-signup', 'policies',

1 0

[tor-browser/tor-browser-85.0b1-10.5-1] Bug 40073: Disable remote Public Suffix List fetching
by gk＠torproject.org 12 Jan '21

12 Jan '21

commit 2936663ba5cb7b37d1dbf5d8d4285ad8dbbefb95 Author: Alex Catarineu <acat(a)torproject.org> Date: Thu Aug 13 11:05:03 2020 +0200 Bug 40073: Disable remote Public Suffix List fetching In https://bugzilla.mozilla.org/show_bug.cgi?id=1563246 Firefox implemented fetching the Public Suffix List via RemoteSettings and replacing the default one at runtime, which we do not want. --- browser/components/BrowserGlue.jsm | 5 ----- 1 file changed, 5 deletions(-) diff --git a/browser/components/BrowserGlue.jsm b/browser/components/BrowserGlue.jsm index a06f8d7885a2..f18193694cb3 100644 --- a/browser/components/BrowserGlue.jsm +++ b/browser/components/BrowserGlue.jsm @@ -65,7 +65,6 @@ XPCOMUtils.defineLazyModuleGetters(this, { PluralForm: "resource://gre/modules/PluralForm.jsm", PrivateBrowsingUtils: "resource://gre/modules/PrivateBrowsingUtils.jsm", ProcessHangMonitor: "resource:///modules/ProcessHangMonitor.jsm", - PublicSuffixList: "resource://gre/modules/netwerk-dns/PublicSuffixList.jsm", RemoteSettings: "resource://services-settings/remote-settings.js", RemoteSecuritySettings: "resource://gre/modules/psm/RemoteSecuritySettings.jsm", @@ -2748,10 +2747,6 @@ BrowserGlue.prototype = { this._addBreachesSyncHandler(); }, - () => { - PublicSuffixList.init(); - }, - () => { RemoteSecuritySettings.init(); },

1 0

[tor-browser/tor-browser-85.0b1-10.5-1] Bug 40166: Disable security.certerrors.mitm.auto_enable_enterprise_roots
by gk＠torproject.org 12 Jan '21

12 Jan '21

commit a5801b7d04aa64a793078ff64f2a0da3b32a7e08 Author: Alex Catarineu <acat(a)torproject.org> Date: Fri Oct 9 12:55:35 2020 +0200 Bug 40166: Disable security.certerrors.mitm.auto_enable_enterprise_roots --- browser/app/profile/000-tor-browser.js | 3 +++ browser/components/BrowserGlue.jsm | 14 ++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/browser/app/profile/000-tor-browser.js b/browser/app/profile/000-tor-browser.js index d7c7d366b24d..19991a801fcd 100644 --- a/browser/app/profile/000-tor-browser.js +++ b/browser/app/profile/000-tor-browser.js @@ -313,6 +313,9 @@ pref("security.enterprise_roots.enabled", false); // Don't ping Mozilla for MitM detection, see bug 32321 pref("security.certerrors.mitm.priming.enabled", false); +// Don't automatically enable enterprise roots, see bug 40166 +pref("security.certerrors.mitm.auto_enable_enterprise_roots", false); + // Disable the language pack signing check for now on macOS, see #31942 #ifdef XP_MACOSX pref("extensions.langpacks.signatures.required", false); diff --git a/browser/components/BrowserGlue.jsm b/browser/components/BrowserGlue.jsm index 9891d105384a..f6cdee350bea 100644 --- a/browser/components/BrowserGlue.jsm +++ b/browser/components/BrowserGlue.jsm @@ -1346,6 +1346,20 @@ BrowserGlue.prototype = { // handle any UI migration this._migrateUI(); + // Clear possibly auto enabled enterprise_roots prefs (see bug 40166) + if ( + !Services.prefs.getBoolPref( + "security.certerrors.mitm.auto_enable_enterprise_roots" + ) && + Services.prefs.getBoolPref( + "security.enterprise_roots.auto-enabled", + false + ) + ) { + Services.prefs.clearUserPref("security.enterprise_roots.enabled"); + Services.prefs.clearUserPref("security.enterprise_roots.auto-enabled"); + } + if (!Services.prefs.prefHasUserValue(PREF_PDFJS_ISDEFAULT_CACHE_STATE)) { PdfJs.checkIsDefault(this._isNewProfile); }

1 0

[tor-browser/tor-browser-85.0b1-10.5-1] Bug 40025: Remove Mozilla add-on install permissions
by gk＠torproject.org 12 Jan '21

12 Jan '21

commit d1f03236a1ec04d8295c2b155430945559245ff1 Author: Alex Catarineu <acat(a)torproject.org> Date: Mon Jul 27 18:12:55 2020 +0200 Bug 40025: Remove Mozilla add-on install permissions --- browser/app/permissions | 5 ----- 1 file changed, 5 deletions(-) diff --git a/browser/app/permissions b/browser/app/permissions index 4938bd1e22e5..5c4c302f5ba5 100644 --- a/browser/app/permissions +++ b/browser/app/permissions @@ -11,11 +11,6 @@ origin uitour 1 https://3g2upl4pq6kufc4m.onion origin uitour 1 about:tor -# XPInstall -origin install 1 https://addons.mozilla.org - # Remote troubleshooting origin remote-troubleshooting 1 https://support.mozilla.org -# addon install -origin install 1 https://fpn.firefox.com

1 0

[tor-browser/tor-browser-85.0b1-10.5-1] squash! Bug 32658: Create a new MAR signing key
by gk＠torproject.org 12 Jan '21

12 Jan '21

commit 669c2ef3821dd231727c2aaede6eee799ecdb0e7 Author: Georg Koppen <gk(a)torproject.org> Date: Sat Dec 5 21:52:16 2020 +0000 squash! Bug 32658: Create a new MAR signing key Bug 33803: Move our primary nightly MAR signing key to tor-browser Bug 33803: Add a secondary nightly MAR signing key --- .../update/updater/nightly_aurora_level3_primary.der | Bin 1225 -> 1245 bytes .../updater/nightly_aurora_level3_secondary.der | Bin 1225 -> 1245 bytes 2 files changed, 0 insertions(+), 0 deletions(-) diff --git a/toolkit/mozapps/update/updater/nightly_aurora_level3_primary.der b/toolkit/mozapps/update/updater/nightly_aurora_level3_primary.der index 44fd95dcff89..a3a3077cc574 100644 Binary files a/toolkit/mozapps/update/updater/nightly_aurora_level3_primary.der and b/toolkit/mozapps/update/updater/nightly_aurora_level3_primary.der differ diff --git a/toolkit/mozapps/update/updater/nightly_aurora_level3_secondary.der b/toolkit/mozapps/update/updater/nightly_aurora_level3_secondary.der index 90f8e6e82c63..d579cf801e1a 100644 Binary files a/toolkit/mozapps/update/updater/nightly_aurora_level3_secondary.der and b/toolkit/mozapps/update/updater/nightly_aurora_level3_secondary.der differ

1 0