February 2025 - tbb-commits - lists.torproject.org

[Git][tpo/applications/tor-browser] Pushed new tag tor-browser-115.21.0esr-13.5-1-build1
by ma1 (＠ma1) 27 Feb '25

27 Feb '25

ma1 pushed new tag tor-browser-115.21.0esr-13.5-1-build1 at The Tor Project / Applications / Tor Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/tor-brows… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser] Pushed new branch tor-browser-128.8.0esr-14.5-1
by clairehurst (＠clairehurst) 27 Feb '25

27 Feb '25

clairehurst pushed new branch tor-browser-128.8.0esr-14.5-1 at The Tor Project / Applications / Tor Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/tor-brows… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][base-browser-128.8.0esr-14.5-1] 49 commits: No bug - Tagging f3783ad20bf40a11fb4b7ed088236c1a9f7be362 with...
by clairehurst (＠clairehurst) 27 Feb '25

27 Feb '25

clairehurst pushed to branch base-browser-128.8.0esr-14.5-1 at The Tor Project / Applications / Tor Browser Commits: 1e0489eb by Mozilla Releng Treescript at 2025-01-27T19:42:42+00:00 No bug - Tagging f3783ad20bf40a11fb4b7ed088236c1a9f7be362 with FIREFOX_128_7_0esr_BUILD1 a=release CLOSED TREE DONTBUILD - - - - - 7a2dc51e by Mozilla Releng Treescript at 2025-02-03T16:18:10+00:00 Update configs. IGNORE BROKEN CHANGESETS CLOSED TREE NO BUG a=release ba=release - - - - - f89561a1 by Mozilla … [View More]

1 0

[Git][tpo/applications/tor-browser] Pushed new branch base-browser-128.8.0esr-14.5-1
by clairehurst (＠clairehurst) 27 Feb '25

27 Feb '25

clairehurst pushed new branch base-browser-128.8.0esr-14.5-1 at The Tor Project / Applications / Tor Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/base-brow… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][tor-browser-115.21.0esr-13.5-1] 221 commits: Bug 1644383 - add mutexs to avoid data race. r=media-playback-reviewers,padenot
by ma1 (＠ma1) 27 Feb '25

27 Feb '25

ma1 pushed to branch tor-browser-115.21.0esr-13.5-1 at The Tor Project / Applications / Tor Browser Commits: db3112bd by alwu at 2025-02-27T13:06:47+01:00 Bug 1644383 - add mutexs to avoid data race. r=media-playback-reviewers,padenot Differential Revision: https://phabricator.services.mozilla.com/D206943 - - - - - 68f1b26e by Edgar Chen at 2025-02-27T13:06:53+01:00 Bug 1743329 - Handle ESC key to release pointer lock in parent process; r=smaug Differential Revision: https://phabricator.… [View More]

1 0

[Git][tpo/applications/mullvad-browser][mullvad-browser-128.8.0esr-14.0-1] Bug 1910593 - Don't prefetch HTTPS RR if proxyDNS is enabled, r=necko-reviewers,valentin
by Pier Angelo Vendrame (＠pierov) 27 Feb '25

27 Feb '25

Pier Angelo Vendrame pushed to branch mullvad-browser-128.8.0esr-14.0-1 at The Tor Project / Applications / Mullvad Browser Commits: cd9cd4ed by Kershaw Chang at 2025-02-27T16:08:04+01:00 Bug 1910593 - Don't prefetch HTTPS RR if proxyDNS is enabled, r=necko-reviewers,valentin Differential Revision: https://phabricator.services.mozilla.com/D219528 - - - - - 15 changed files: - dom/chrome-webidl/NetDashboard.webidl - netwerk/base/Dashboard.cpp - netwerk/base/DashboardTypes.h - netwerk/dns/… [View More]nsHostResolver.cpp - netwerk/protocol/http/nsHttp.cpp - netwerk/protocol/http/nsHttp.h - netwerk/protocol/http/nsHttpChannel.cpp - netwerk/protocol/http/nsHttpChannel.h - netwerk/protocol/http/nsHttpConnectionInfo.h - netwerk/protocol/http/nsHttpConnectionMgr.cpp - netwerk/protocol/http/nsHttpHandler.cpp - netwerk/protocol/http/nsHttpHandler.h - + netwerk/test/unit/test_proxyDNS_leak.js - netwerk/test/unit/xpcshell.toml - toolkit/content/aboutNetworking.js Changes: ===================================== dom/chrome-webidl/NetDashboard.webidl ===================================== @@ -68,6 +68,7 @@ dictionary DnsCacheEntry { boolean trr = false; DOMString originAttributesSuffix = ""; DOMString flags = ""; + unsigned short type = 0; }; [GenerateConversionToJS] ===================================== netwerk/base/Dashboard.cpp ===================================== @@ -906,10 +906,13 @@ nsresult Dashboard::GetDNSCacheEntries(DnsData* dnsData) { CopyASCIItoUTF16(dnsData->mData[i].hostaddr[j], *addr); } - if (dnsData->mData[i].family == PR_AF_INET6) { - entry.mFamily.AssignLiteral(u"ipv6"); - } else { - entry.mFamily.AssignLiteral(u"ipv4"); + entry.mType = dnsData->mData[i].resolveType; + if (entry.mType == nsIDNSService::RESOLVE_TYPE_DEFAULT) { + if (dnsData->mData[i].family == PR_AF_INET6) { + entry.mFamily.AssignLiteral(u"ipv6"); + } else { + entry.mFamily.AssignLiteral(u"ipv4"); + } } entry.mOriginAttributesSuffix = ===================================== netwerk/base/DashboardTypes.h ===================================== @@ -35,12 +35,12 @@ struct DnsAndConnectSockets { struct DNSCacheEntries { nsCString hostname; nsTArray<nsCString> hostaddr; - uint16_t family; - int64_t expiration; - nsCString netInterface; - bool TRR; + uint16_t family{0}; + int64_t expiration{0}; + bool TRR{false}; nsCString originAttributesSuffix; nsCString flags; + uint16_t resolveType{0}; }; struct HttpConnInfo { @@ -99,8 +99,10 @@ struct ParamTraits<mozilla::net::DNSCacheEntries> { WriteParam(aWriter, aParam.hostaddr); WriteParam(aWriter, aParam.family); WriteParam(aWriter, aParam.expiration); - WriteParam(aWriter, aParam.netInterface); WriteParam(aWriter, aParam.TRR); + WriteParam(aWriter, aParam.originAttributesSuffix); + WriteParam(aWriter, aParam.flags); + WriteParam(aWriter, aParam.resolveType); } static bool Read(MessageReader* aReader, paramType* aResult) { @@ -108,8 +110,10 @@ struct ParamTraits<mozilla::net::DNSCacheEntries> { ReadParam(aReader, &aResult->hostaddr) && ReadParam(aReader, &aResult->family) && ReadParam(aReader, &aResult->expiration) && - ReadParam(aReader, &aResult->netInterface) && - ReadParam(aReader, &aResult->TRR); + ReadParam(aReader, &aResult->TRR) && + ReadParam(aReader, &aResult->originAttributesSuffix) && + ReadParam(aReader, &aResult->flags) && + ReadParam(aReader, &aResult->resolveType); } }; ===================================== netwerk/dns/nsHostResolver.cpp ===================================== @@ -1986,20 +1986,13 @@ void nsHostResolver::GetDNSCacheEntries(nsTArray<DNSCacheEntries>* args) { continue; } - // For now we only show A/AAAA records. - if (!rec->IsAddrRecord()) { - continue; - } - - RefPtr<AddrHostRecord> addrRec = do_QueryObject(rec); - MOZ_ASSERT(addrRec); - if (!addrRec || !addrRec->addr_info) { - continue; - } - DNSCacheEntries info; + info.resolveType = rec->type; info.hostname = rec->host; info.family = rec->af; + if (rec->mValidEnd.IsNull()) { + continue; + } info.expiration = (int64_t)(rec->mValidEnd - TimeStamp::NowLoRes()).ToSeconds(); if (info.expiration <= 0) { @@ -2007,7 +2000,13 @@ void nsHostResolver::GetDNSCacheEntries(nsTArray<DNSCacheEntries>* args) { continue; } - { + info.originAttributesSuffix = recordEntry.GetKey().originSuffix; + info.flags = nsPrintfCString("%u|0x%x|%u|%d|%s", rec->type, + static_cast<uint32_t>(rec->flags), rec->af, + rec->pb, rec->mTrrServer.get()); + + RefPtr<AddrHostRecord> addrRec = do_QueryObject(rec); + if (addrRec && addrRec->addr_info) { MutexAutoLock lock(addrRec->addr_info_lock); for (const auto& addr : addrRec->addr_info->Addresses()) { char buf[kIPv6CStrBufSize]; @@ -2018,11 +2017,6 @@ void nsHostResolver::GetDNSCacheEntries(nsTArray<DNSCacheEntries>* args) { info.TRR = addrRec->addr_info->IsTRR(); } - info.originAttributesSuffix = recordEntry.GetKey().originSuffix; - info.flags = nsPrintfCString("%u|0x%x|%u|%d|%s", rec->type, - static_cast<uint32_t>(rec->flags), rec->af, - rec->pb, rec->mTrrServer.get()); - args->AppendElement(std::move(info)); } } ===================================== netwerk/protocol/http/nsHttp.cpp ===================================== @@ -35,6 +35,8 @@ namespace mozilla { namespace net { +extern const char kProxyType_SOCKS[]; + const uint32_t kHttp3VersionCount = 5; const nsCString kHttp3Versions[] = {"h3-29"_ns, "h3-30"_ns, "h3-31"_ns, "h3-32"_ns, "h3"_ns}; @@ -1165,5 +1167,19 @@ void DisallowHTTPSRR(uint32_t& aCaps) { aCaps = (aCaps | NS_HTTP_DISALLOW_HTTPS_RR) & ~NS_HTTP_FORCE_WAIT_HTTP_RR; } +ProxyDNSStrategy GetProxyDNSStrategyHelper(const char* aType, uint32_t aFlag) { + if (!aType) { + return ProxyDNSStrategy::ORIGIN; + } + + if (!(aFlag & nsIProxyInfo::TRANSPARENT_PROXY_RESOLVES_HOST)) { + if (aType == kProxyType_SOCKS) { + return ProxyDNSStrategy::ORIGIN; + } + } + + return ProxyDNSStrategy::PROXY; +} + } // namespace net } // namespace mozilla ===================================== netwerk/protocol/http/nsHttp.h ===================================== @@ -527,6 +527,16 @@ bool PossibleZeroRTTRetryError(nsresult aReason); void DisallowHTTPSRR(uint32_t& aCaps); +enum class ProxyDNSStrategy : uint8_t { + // To resolve the origin of the end server we are connecting + // to. + ORIGIN = 1 << 0, + // To resolve the host name of the proxy. + PROXY = 1 << 1 +}; + +ProxyDNSStrategy GetProxyDNSStrategyHelper(const char* aType, uint32_t aFlag); + } // namespace net } // namespace mozilla ===================================== netwerk/protocol/http/nsHttpChannel.cpp ===================================== @@ -759,6 +759,10 @@ nsresult nsHttpChannel::MaybeUseHTTPSRRForUpgrade(bool aShouldUpgrade, } auto shouldSkipUpgradeWithHTTPSRR = [&]() -> bool { + if (mCaps & NS_HTTP_DISALLOW_HTTPS_RR) { + return true; + } + // Skip using HTTPS RR to upgrade when this is not a top-level load and the // loading principal is http. if ((mLoadInfo->GetExternalContentPolicyType() != @@ -781,6 +785,11 @@ nsresult nsHttpChannel::MaybeUseHTTPSRRForUpgrade(bool aShouldUpgrade, return true; } + auto dnsStrategy = GetProxyDNSStrategy(); + if (dnsStrategy != ProxyDNSStrategy::ORIGIN) { + return true; + } + nsAutoCString uriHost; mURI->GetAsciiHost(uriHost); @@ -805,11 +814,6 @@ nsresult nsHttpChannel::MaybeUseHTTPSRRForUpgrade(bool aShouldUpgrade, return ContinueOnBeforeConnect(hasHTTPSRR, aStatus, hasHTTPSRR); } - auto dnsStrategy = GetProxyDNSStrategy(); - if (!(dnsStrategy & DNS_PREFETCH_ORIGIN)) { - return ContinueOnBeforeConnect(aShouldUpgrade, aStatus); - } - LOG(("nsHttpChannel::MaybeUseHTTPSRRForUpgrade [%p] wait for HTTPS RR", this)); @@ -1215,13 +1219,13 @@ void nsHttpChannel::SpeculativeConnect() { NS_NewNotificationCallbacksAggregation(mCallbacks, mLoadGroup, getter_AddRefs(callbacks)); if (!callbacks) return; - - Unused << gHttpHandler->SpeculativeConnect( + bool httpsRRAllowed = !(mCaps & NS_HTTP_DISALLOW_HTTPS_RR); + Unused << gHttpHandler->MaybeSpeculativeConnectWithHTTPSRR( mConnectionInfo, callbacks, mCaps & (NS_HTTP_DISALLOW_SPDY | NS_HTTP_TRR_MODE_MASK | NS_HTTP_DISABLE_IPV4 | NS_HTTP_DISABLE_IPV6 | NS_HTTP_DISALLOW_HTTP3 | NS_HTTP_REFRESH_DNS), - gHttpHandler->EchConfigEnabled()); + gHttpHandler->EchConfigEnabled() && httpsRRAllowed); } void nsHttpChannel::DoNotifyListenerCleanup() { @@ -6537,27 +6541,16 @@ nsHttpChannel::GetOrCreateChannelClassifier() { return classifier.forget(); } -uint16_t nsHttpChannel::GetProxyDNSStrategy() { - // This function currently only supports returning DNS_PREFETCH_ORIGIN. - // Support for the rest of the DNS_* flags will be added later. - - if (!mProxyInfo) { - return DNS_PREFETCH_ORIGIN; +ProxyDNSStrategy nsHttpChannel::GetProxyDNSStrategy() { + // When network_dns_force_use_https_rr is true, return DNS_PREFETCH_ORIGIN. + // This ensures that we always perform HTTPS RR query. + nsCOMPtr<nsProxyInfo> proxyInfo(static_cast<nsProxyInfo*>(mProxyInfo.get())); + if (!proxyInfo || StaticPrefs::network_dns_force_use_https_rr()) { + return ProxyDNSStrategy::ORIGIN; } - uint32_t flags = 0; - nsAutoCString type; - mProxyInfo->GetFlags(&flags); - mProxyInfo->GetType(type); - // If the proxy is not to perform name resolution itself. - if (!(flags & nsIProxyInfo::TRANSPARENT_PROXY_RESOLVES_HOST)) { - if (type.EqualsLiteral("socks")) { - return DNS_PREFETCH_ORIGIN; - } - } - - return 0; + return GetProxyDNSStrategyHelper(proxyInfo->Type(), proxyInfo->Flags()); } // BeginConnect() SHOULD NOT call AsyncAbort(). AsyncAbort will be called by @@ -6743,11 +6736,13 @@ nsresult nsHttpChannel::BeginConnect() { } bool trrEnabled = false; + auto dnsStrategy = GetProxyDNSStrategy(); bool httpsRRAllowed = !LoadBeConservative() && !(mCaps & NS_HTTP_BE_CONSERVATIVE) && !(mLoadInfo->TriggeringPrincipal()->IsSystemPrincipal() && mLoadInfo->GetExternalContentPolicyType() != ExtContentPolicy::TYPE_DOCUMENT) && + dnsStrategy == ProxyDNSStrategy::ORIGIN && !mConnectionInfo->UsingConnect() && canUseHTTPSRRonNetwork(trrEnabled) && StaticPrefs::network_dns_use_https_rr_as_altsvc(); if (!httpsRRAllowed) { @@ -6858,16 +6853,7 @@ nsresult nsHttpChannel::BeginConnect() { ReEvaluateReferrerAfterTrackingStatusIsKnown(); } - rv = MaybeStartDNSPrefetch(); - if (NS_FAILED(rv)) { - auto dnsStrategy = GetProxyDNSStrategy(); - if (dnsStrategy & DNS_BLOCK_ON_ORIGIN_RESOLVE) { - // TODO: Should this be fatal? - return rv; - } - // Otherwise this shouldn't be fatal. - return NS_OK; - } + MaybeStartDNSPrefetch(); rv = CallOrWaitForResume( [](nsHttpChannel* self) { return self->PrepareToConnect(); }); @@ -6887,7 +6873,7 @@ nsresult nsHttpChannel::BeginConnect() { return NS_OK; } -nsresult nsHttpChannel::MaybeStartDNSPrefetch() { +void nsHttpChannel::MaybeStartDNSPrefetch() { // Start a DNS lookup very early in case the real open is queued the DNS can // happen in parallel. Do not do so in the presence of an HTTP proxy as // all lookups other than for the proxy itself are done by the proxy. @@ -6903,7 +6889,7 @@ nsresult nsHttpChannel::MaybeStartDNSPrefetch() { // timing we used. if ((mLoadFlags & (LOAD_NO_NETWORK_IO | LOAD_ONLY_FROM_CACHE)) || LoadAuthRedirectedChannel()) { - return NS_OK; + return; } auto dnsStrategy = GetProxyDNSStrategy(); @@ -6911,10 +6897,10 @@ nsresult nsHttpChannel::MaybeStartDNSPrefetch() { LOG( ("nsHttpChannel::MaybeStartDNSPrefetch [this=%p, strategy=%u] " "prefetching%s\n", - this, dnsStrategy, + this, static_cast<uint32_t>(dnsStrategy), mCaps & NS_HTTP_REFRESH_DNS ? ", refresh requested" : "")); - if (dnsStrategy & DNS_PREFETCH_ORIGIN) { + if (dnsStrategy == ProxyDNSStrategy::ORIGIN) { OriginAttributes originAttributes; StoragePrincipalHelper::GetOriginAttributesForNetworkState( this, originAttributes); @@ -6926,20 +6912,8 @@ nsresult nsHttpChannel::MaybeStartDNSPrefetch() { if (mCaps & NS_HTTP_REFRESH_DNS) { dnsFlags |= nsIDNSService::RESOLVE_BYPASS_CACHE; } - nsresult rv = mDNSPrefetch->PrefetchHigh(dnsFlags); - if (dnsStrategy & DNS_BLOCK_ON_ORIGIN_RESOLVE) { - LOG((" blocking on prefetching origin")); - - if (NS_WARN_IF(NS_FAILED(rv))) { - LOG((" lookup failed with 0x%08" PRIx32 ", aborting request", - static_cast<uint32_t>(rv))); - return rv; - } - - // Resolved in OnLookupComplete. - mDNSBlockingThenable = mDNSBlockingPromise.Ensure(__func__); - } + Unused << mDNSPrefetch->PrefetchHigh(dnsFlags); bool unused; if (StaticPrefs::network_dns_use_https_rr_as_altsvc() && !mHTTPSSVCRecord && @@ -6959,8 +6933,6 @@ nsresult nsHttpChannel::MaybeStartDNSPrefetch() { }); } } - - return NS_OK; } NS_IMETHODIMP ===================================== netwerk/protocol/http/nsHttpChannel.h ===================================== @@ -303,23 +303,11 @@ class nsHttpChannel final : public HttpBaseChannel, // Connections will only be established in this function. // (including DNS prefetch and speculative connection.) void MaybeResolveProxyAndBeginConnect(); - nsresult MaybeStartDNSPrefetch(); - - // Tells the channel to resolve the origin of the end server we are connecting - // to. - static uint16_t const DNS_PREFETCH_ORIGIN = 1 << 0; - // Tells the channel to resolve the host name of the proxy. - static uint16_t const DNS_PREFETCH_PROXY = 1 << 1; - // Will be set if the current channel uses an HTTP/HTTPS proxy. - static uint16_t const DNS_PROXY_IS_HTTP = 1 << 2; - // Tells the channel to wait for the result of the origin server resolution - // before any connection attempts are made. - static uint16_t const DNS_BLOCK_ON_ORIGIN_RESOLVE = 1 << 3; + void MaybeStartDNSPrefetch(); // Based on the proxy configuration determine the strategy for resolving the // end server host name. - // Returns a combination of the above flags. - uint16_t GetProxyDNSStrategy(); + ProxyDNSStrategy GetProxyDNSStrategy(); // We might synchronously or asynchronously call BeginConnect, // which includes DNS prefetch and speculative connection, according to ===================================== netwerk/protocol/http/nsHttpConnectionInfo.h ===================================== @@ -127,6 +127,13 @@ class nsHttpConnectionInfo final : public ARefBase { const char* ProxyPassword() const { return mProxyInfo ? mProxyInfo->Password().get() : nullptr; } + uint32_t ProxyFlag() const { + uint32_t flags = 0; + if (mProxyInfo) { + mProxyInfo->GetFlags(&flags); + } + return flags; + } const nsCString& ProxyAuthorizationHeader() const { return mProxyInfo ? mProxyInfo->ProxyAuthorizationHeader() : EmptyCString(); ===================================== netwerk/protocol/http/nsHttpConnectionMgr.cpp ===================================== @@ -3573,9 +3573,15 @@ void nsHttpConnectionMgr::DoSpeculativeConnectionInternal( return; } - if (aFetchHTTPSRR && NS_SUCCEEDED(aTrans->FetchHTTPSRR())) { - // nsHttpConnectionMgr::DoSpeculativeConnection will be called again when - // HTTPS RR is available. + ProxyDNSStrategy strategy = GetProxyDNSStrategyHelper( + aEnt->mConnInfo->ProxyType(), aEnt->mConnInfo->ProxyFlag()); + // Speculative connections can be triggered by non-Necko consumers, + // so add an extra check to ensure HTTPS RR isn't fetched when a proxy is + // used. + if (aFetchHTTPSRR && strategy == ProxyDNSStrategy::ORIGIN && + NS_SUCCEEDED(aTrans->FetchHTTPSRR())) { + // nsHttpConnectionMgr::DoSpeculativeConnection will be called again + // when HTTPS RR is available. return; } ===================================== netwerk/protocol/http/nsHttpHandler.cpp ===================================== @@ -2392,7 +2392,9 @@ nsresult nsHttpHandler::SpeculativeConnectInternal( } } - return SpeculativeConnect(ci, aCallbacks); + // When ech is enabled, always do speculative connect with HTTPS RR. + return MaybeSpeculativeConnectWithHTTPSRR(ci, aCallbacks, 0, + EchConfigEnabled()); } NS_IMETHODIMP ===================================== netwerk/protocol/http/nsHttpHandler.h ===================================== @@ -296,14 +296,13 @@ class nsHttpHandler final : public nsIHttpProtocolHandler, return mConnMgr->GetSocketThreadTarget(target); } - [[nodiscard]] nsresult SpeculativeConnect(nsHttpConnectionInfo* ci, - nsIInterfaceRequestor* callbacks, - uint32_t caps = 0, - bool aFetchHTTPSRR = false) { + [[nodiscard]] nsresult MaybeSpeculativeConnectWithHTTPSRR( + nsHttpConnectionInfo* ci, nsIInterfaceRequestor* callbacks, uint32_t caps, + bool aFetchHTTPSRR) { TickleWifi(callbacks); RefPtr<nsHttpConnectionInfo> clone = ci->Clone(); return mConnMgr->SpeculativeConnect(clone, callbacks, caps, nullptr, - aFetchHTTPSRR | EchConfigEnabled()); + aFetchHTTPSRR); } [[nodiscard]] nsresult SpeculativeConnect(nsHttpConnectionInfo* ci, ===================================== netwerk/test/unit/test_proxyDNS_leak.js ===================================== @@ -0,0 +1,111 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// Test when socks proxy is registered, we don't try to resolve HTTPS record. +// Steps: +// 1. Use addHTTPSRecordOverride to add an override for service.com. +// 2. Add a proxy filter to use socks proxy. +// 3. Create a request to load service.com. +// 4. See if the HTTPS record is in DNS cache entries. + +"use strict"; + +const gDashboard = Cc["@mozilla.org/network/dashboard;1"].getService( + Ci.nsIDashboard +); +const pps = Cc["@mozilla.org/network/protocol-proxy-service;1"].getService(); + +add_task(async function setup() { + Services.prefs.setBoolPref("network.dns.native_https_query", true); + Services.prefs.setBoolPref("network.dns.native_https_query_win10", true); + const override = Cc["@mozilla.org/network/native-dns-override;1"].getService( + Ci.nsINativeDNSResolverOverride + ); + + let rawBuffer = [ + 0, 0, 128, 0, 0, 0, 0, 1, 0, 0, 0, 0, 7, 115, 101, 114, 118, 105, 99, 101, + 3, 99, 111, 109, 0, 0, 65, 0, 1, 0, 0, 0, 55, 0, 13, 0, 1, 0, 0, 1, 0, 6, 2, + 104, 50, 2, 104, 51, + ]; + override.addHTTPSRecordOverride("service.com", rawBuffer, rawBuffer.length); + override.addIPOverride("service.com", "127.0.0.1"); + registerCleanupFunction(() => { + Services.prefs.clearUserPref("network.dns.native_https_query"); + Services.prefs.clearUserPref("network.dns.native_https_query_win10"); + Services.prefs.clearUserPref("network.dns.localDomains"); + override.clearOverrides(); + }); +}); + +function makeChan(uri) { + let chan = NetUtil.newChannel({ + uri, + loadUsingSystemPrincipal: true, + contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT, + }).QueryInterface(Ci.nsIHttpChannel); + chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI; + return chan; +} + +function channelOpenPromise(chan, flags) { + return new Promise(resolve => { + function finish(req, buffer) { + resolve([req, buffer]); + } + chan.asyncOpen(new ChannelListener(finish, null, flags)); + }); +} + +async function isRecordFound(hostname) { + return new Promise(resolve => { + gDashboard.requestDNSInfo(function (data) { + let found = false; + for (let i = 0; i < data.entries.length; i++) { + if ( + data.entries[i].hostname == hostname && + data.entries[i].type == Ci.nsIDNSService.RESOLVE_TYPE_HTTPSSVC + ) { + found = true; + break; + } + } + resolve(found); + }); + }); +} + +async function do_test_with_proxy_filter(filter) { + pps.registerFilter(filter, 10); + + let chan = makeChan(`https://service.com/`); + await channelOpenPromise(chan, CL_EXPECT_LATE_FAILURE | CL_ALLOW_UNKNOWN_CL); + + let found = await isRecordFound("service.com"); + pps.unregisterFilter(filter); + + return found; +} + +add_task(async function test_proxyDNS_do_leak() { + let filter = new NodeProxyFilter("socks", "localhost", 443, 0); + + let res = await do_test_with_proxy_filter(filter); + + Assert.ok(res, "Should find a DNS entry"); +}); + +add_task(async function test_proxyDNS_dont_leak() { + Services.dns.clearCache(false); + + let filter = new NodeProxyFilter( + "socks", + "localhost", + 443, + Ci.nsIProxyInfo.TRANSPARENT_PROXY_RESOLVES_HOST + ); + + let res = await do_test_with_proxy_filter(filter); + + Assert.ok(!res, "Should not find a DNS entry"); +}); ===================================== netwerk/test/unit/xpcshell.toml ===================================== @@ -983,6 +983,12 @@ run-sequentially = "node server exceptions dont replay well" ["test_proxy_pac.js"] +["test_proxyDNS_leak.js"] +skip-if = [ + "os == 'android'", + "socketprocess_networking", +] + ["test_proxyconnect.js"] skip-if = [ "tsan", ===================================== toolkit/content/aboutNetworking.js ===================================== @@ -116,6 +116,11 @@ function displayDns(data) { new_cont.setAttribute("id", "dns_content"); for (let i = 0; i < data.entries.length; i++) { + // TODO: Will be supported in bug 1889387. + if (data.entries[i].type != Ci.nsIDNSService.RESOLVE_TYPE_DEFAULT) { + continue; + } + let row = document.createElement("tr"); row.appendChild(col(data.entries[i].hostname)); row.appendChild(col(data.entries[i].family)); View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/cd9… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/cd9… You're receiving this email because of your account on gitlab.torproject.org. [View Less]

1 0

[Git][tpo/applications/rbm][main] Bug 40082: Fix `fetch: if_needed` to avoid fetching when using a fixed commit
by morgan (＠morgan) 27 Feb '25

27 Feb '25

morgan pushed to branch main at The Tor Project / Applications / RBM Commits: 9dedbe52 by Nicolas Vigier at 2025-02-26T13:43:01+01:00 Bug 40082: Fix `fetch: if_needed` to avoid fetching when using a fixed commit Remove trailing newline from output of `git rev-parse` when comparing it with `git_hash`. - - - - - 1 changed file: - lib/RBM.pm Changes: ===================================== lib/RBM.pm ===================================== @@ -427,6 +427,7 @@ sub git_need_fetch { my … [View More]

1 0

[Git][tpo/applications/tor-browser][tor-browser-128.7.0esr-14.5-1] 2 commits: fixup! TB 40597: Implement TorSettings module
by morgan (＠morgan) 27 Feb '25

27 Feb '25

morgan pushed to branch tor-browser-128.7.0esr-14.5-1 at The Tor Project / Applications / Tor Browser Commits: d8e17646 by Henry Wilkes at 2025-02-27T12:38:32+00:00 fixup! TB 40597: Implement TorSettings module TB 43465: Replace TorConnect.canBeginBootstrap with TorConnect.canBeginNormalBootstrap to distinguish it from TorConnect.canBeginAutoBootstrap. - - - - - 481be29c by Henry Wilkes at 2025-02-27T12:38:32+00:00 fixup! TB 27476: Implement about:torconnect captive portal within Tor … [View More]Browser TB 43465: Show the urlbar Connect button when the user might want to return to about:torconnect. Instead of hiding the button when canBeginNormalBootstrap is false we show it as a plain button. Instead we hide it only when we are already bootstrapped. We also avoid initialising the button when TorConnect is not enabled. We also update TorConnect.open: 1. Do not re-open about:torconnect if we are already connected. E.g. when the user selects "Connect" in a bridge dialog but we are already connected by the time the settings are applied. 2. Do not call TorConnect.startAgain when receiving a "hard" request. Only the bridge dialogs make this request, and they would have already triggered startAgain by changing the bridge settings. - - - - - 3 changed files: - toolkit/components/torconnect/TorConnectParent.sys.mjs - toolkit/components/torconnect/content/torConnectUrlbarButton.js - toolkit/modules/TorConnect.sys.mjs Changes: ===================================== toolkit/components/torconnect/TorConnectParent.sys.mjs ===================================== @@ -152,23 +152,23 @@ export class TorConnectParent extends JSWindowActorParent { * auto-bootstrapping. */ static open(options) { + if (!TorConnect.shouldShowTorConnect) { + // Already bootstrapped, so don't reopen about:torconnect. + return; + } + const win = lazy.BrowserWindowTracker.getTopWindow(); win.switchToTabHavingURI("about:torconnect", true, { ignoreQueryString: true, }); - if (!options?.beginBootstrapping || !TorConnect.canBeginBootstrap) { - return; - } - - if (options.beginBootstrapping === "hard") { - if (TorConnect.canBeginAutoBootstrap && !options.regionCode) { - // Treat as an addition startAgain request to first move back to the - // "Start" stage before bootstrapping. - TorConnect.startAgain(); - } - } else if (TorConnect.potentiallyBlocked) { - // Do not trigger the bootstrap if we have ever had an error. + if ( + !options?.beginBootstrapping || + (options.beginBootstrapping !== "hard" && + TorConnect.potentiallyBlocked) || + (options.regionCode && !TorConnect.canBeginAutoBootstrap) || + (!options.regionCode && !TorConnect.canBeginNormalBootstrap) + ) { return; } ===================================== toolkit/components/torconnect/content/torConnectUrlbarButton.js ===================================== @@ -33,13 +33,21 @@ var gTorConnectUrlbarButton = { if (this._isActive) { return; } + + this.button = document.getElementById("tor-connect-urlbar-button"); + + if (!TorConnect.enabled) { + // Don't initialise, just hide. + this._updateButtonVisibility(); + return; + } + this._isActive = true; const { TorStrings } = ChromeUtils.importESModule( "resource://gre/modules/TorStrings.sys.mjs" ); - this.button = document.getElementById("tor-connect-urlbar-button"); document.getElementById("tor-connect-urlbar-button-label").value = TorStrings.torConnect.torConnectButton; this.button.addEventListener("click", event => { @@ -61,7 +69,7 @@ var gTorConnectUrlbarButton = { if (topic !== this._observeTopic) { return; } - this._torConnectStageChanged(); + this._updateButtonVisibility(); }, }; Services.obs.addObserver(this._stateListener, this._observeTopic); @@ -84,7 +92,7 @@ var gTorConnectUrlbarButton = { // switching selected browser. gBrowser.addProgressListener(this._locationListener); - this._torConnectStageChanged(); + this._updateButtonVisibility(); }, /** @@ -108,20 +116,6 @@ var gTorConnectUrlbarButton = { TorConnectParent.open({ beginBootstrapping: "soft" }); }, - /** - * Callback for when the TorConnect stage changes. - */ - _torConnectStageChanged() { - if (TorConnect.stageName === TorConnectStage.Disabled) { - // NOTE: We do not uninit early when we reach the - // TorConnectStage.Bootstrapped stage because we can still leave the - // Bootstrapped stage if the tor process exists early and needs a restart. - this.uninit(); - return; - } - this._updateButtonVisibility(); - }, - /** * Callback when the TorConnect state, current browser location, or activation * state changes. @@ -130,25 +124,25 @@ var gTorConnectUrlbarButton = { if (!this.button) { return; } - // NOTE: We do not manage focus when hiding the button. We only expect to - // move from "not hidden" to "hidden" when: - // + switching tabs to "about:torconnect", or - // + starting bootstrapping. - // - // When switching tabs, the normal tab switching logic will eventually move - // focus to the new tab or url bar, so whilst the focus may be lost - // temporarily when we hide the button, it will be re-established quickly on - // tab switch. - // - // And we don't expect bootstrapping to start whilst outside of the - // "about:torconnect", and the automatic bootstrapping should only trigger - // at the initial start. - this.button.hidden = + const hadFocus = this.button.contains(document.activeElement); + const hide = !this._isActive || this._inAboutTorConnectTab || - !TorConnect.enabled || - !TorConnect.canBeginBootstrap; - const plainButton = TorConnect.potentiallyBlocked; + TorConnect.stageName === TorConnectStage.Bootstrapped; + this.button.hidden = hide; + if (hide && hadFocus) { + // Lost focus. E.g. if the "Connect" button is focused in another window + // or tab outside of about:torconnect. + // Move focus back to the URL bar. + gURLBar.focus(); + } + // We style the button as a tor purple button if clicking the button will + // also start a bootstrap. I.e. whether we meet the conditions in + // TorConnectParent.open. + const plainButton = + !this._isActive || + !TorConnect.canBeginNormalBootstrap || + TorConnect.potentiallyBlocked; this.button.classList.toggle("tor-urlbar-button-plain", plainButton); this.button.classList.toggle("tor-button", !plainButton); }, ===================================== toolkit/modules/TorConnect.sys.mjs ===================================== @@ -1048,20 +1048,17 @@ export const TorConnect = { }, /** - * Whether we are in a stage that can lead into the Bootstrapping stage. I.e. - * whether we can make a "normal" or "auto" bootstrapping request. + * Whether we are in a stage that can lead into a "normal" bootstrapping + * request. * * The value may change with TorConnectTopics.StageChanged. * * @param {boolean} */ - get canBeginBootstrap() { + get canBeginNormalBootstrap() { return ( this._stageName === TorConnectStage.Start || - this._stageName === TorConnectStage.Offline || - this._stageName === TorConnectStage.ChooseRegion || - this._stageName === TorConnectStage.RegionNotFound || - this._stageName === TorConnectStage.ConfirmRegion + this._stageName === TorConnectStage.Offline ); }, @@ -1267,14 +1264,9 @@ export const TorConnect = { return true; } - if (!this.canBeginBootstrap) { - lazy.logger.warn(`Cannot begin bootstrap in stage ${currentStage}`); - return false; - } - if (this.canBeginAutoBootstrap) { - // Only expect "auto" bootstraps to be triggered when in an error stage. + if (!this.canBeginNormalBootstrap) { lazy.logger.warn( - `Expected a regionCode to bootstrap in stage ${currentStage}` + `Cannot begin normal bootstrap in stage ${currentStage}` ); return false; } View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/10c931… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/10c931… You're receiving this email because of your account on gitlab.torproject.org. [View Less]

1 0

[Git][tpo/applications/tor-browser][tor-browser-128.7.0esr-14.5-1] 2 commits: fixup! TB 31286: Implementation of bridge, proxy, and firewall settings in...
by morgan (＠morgan) 27 Feb '25

27 Feb '25

morgan pushed to branch tor-browser-128.7.0esr-14.5-1 at The Tor Project / Applications / Tor Browser Commits: e21ae62e by Henry Wilkes at 2025-02-27T12:24:45+00:00 fixup! TB 31286: Implementation of bridge, proxy, and firewall settings in about:preferences#connection TB 43469: Change the quickstart checkbox to a toggle. We also update the description text to use "connect automatically" rather than "Quickstart". - - - - - 10c9315c by Henry Wilkes at 2025-02-27T12:24:45+00:00 fixup! Tor … [View More]Browser strings TB 43469: Use "Connect automatically" instead of "Quickstart" in the UI. - - - - - 4 changed files: - browser/components/torpreferences/content/connectionPane.js - browser/components/torpreferences/content/connectionPane.xhtml - browser/components/torpreferences/content/torPreferences.css - toolkit/locales/en-US/toolkit/global/tor-browser.ftl Changes: ===================================== browser/components/torpreferences/content/connectionPane.js ===================================== @@ -2486,18 +2486,18 @@ const gConnectionPane = (function () { const retval = { // cached frequently accessed DOM elements - _enableQuickstartCheckbox: null, + _enableQuickstartToggle: null, // populate xul with strings and cache the relevant elements _populateXUL() { // Quickstart - this._enableQuickstartCheckbox = document.getElementById( - "torPreferences-quickstart-toggle" + this._enableQuickstartToggle = document.getElementById( + "tor-connection-quickstart-toggle" ); - this._enableQuickstartCheckbox.addEventListener("command", () => { - TorConnect.quickstart = this._enableQuickstartCheckbox.checked; + this._enableQuickstartToggle.addEventListener("toggle", () => { + TorConnect.quickstart = this._enableQuickstartToggle.pressed; }); - this._enableQuickstartCheckbox.checked = TorConnect.quickstart; + this._enableQuickstartToggle.pressed = TorConnect.quickstart; Services.obs.addObserver(this, TorConnectTopics.QuickstartChange); // Location @@ -2643,7 +2643,7 @@ const gConnectionPane = (function () { observe(subject, topic) { switch (topic) { case TorConnectTopics.QuickstartChange: { - this._enableQuickstartCheckbox.checked = TorConnect.quickstart; + this._enableQuickstartToggle.pressed = TorConnect.quickstart; break; } // triggered when tor connect state changes and we may ===================================== browser/components/torpreferences/content/connectionPane.xhtml ===================================== @@ -69,16 +69,19 @@  <groupbox data-category="paneConnection" hidden="true"> <label> - <html:h2 data-l10n-id="tor-connection-quickstart-heading"></html:h2> + <html:h2 data-l10n-id="tor-connection-automatic-heading"></html:h2> </label> <description class="description-deemphasized" flex="1" - data-l10n-id="tor-connection-quickstart-description" + data-l10n-id="tor-connection-automatic-description" /> - <checkbox - id="torPreferences-quickstart-toggle" + <html:moz-toggle + id="tor-connection-quickstart-toggle" + class="tor-toggle" + label-align-after="" data-l10n-id="tor-connection-quickstart-checkbox" + data-l10n-attrs="label" /> </groupbox> @@ -141,6 +144,7 @@ </hbox> <html:moz-toggle id="tor-bridges-enabled-toggle" + class="tor-toggle" label-align-after="" data-l10n-id="tor-bridges-use-bridges" data-l10n-attrs="label" ===================================== browser/components/torpreferences/content/torPreferences.css ===================================== @@ -34,6 +34,11 @@ button.spoof-button-disabled { } } +.tor-toggle { + margin-block: 16px; + width: max-content; +} + /* Status */ #network-status-internet-area { @@ -201,11 +206,6 @@ button.spoof-button-disabled { display: none; } -#tor-bridges-enabled-toggle { - margin-block: 16px; - width: max-content; -} - #tor-bridges-update-area { /* Still accessible to screen reader, but not visual. */ position: absolute; ===================================== toolkit/locales/en-US/toolkit/global/tor-browser.ftl ===================================== @@ -56,9 +56,8 @@ tor-connection-settings-category = # -brand-short-name refers to 'Tor Browser', localized. tor-connection-overview = { -brand-short-name } routes your traffic over the Tor Network, run by thousands of volunteers around the world. tor-connection-browser-learn-more-link = Learn more -tor-connection-quickstart-heading = Quickstart -# -brand-short-name refers to 'Tor Browser', localized. -tor-connection-quickstart-description = Quickstart connects { -brand-short-name } to the Tor Network automatically when launched, based on your last used connection settings. +tor-connection-automatic-heading = Connect automatically +tor-connection-automatic-description = Automatically connect to the Tor network at launch using your current connection settings. tor-connection-quickstart-checkbox = .label = Always connect automatically View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/85e00b… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/85e00b… You're receiving this email because of your account on gitlab.torproject.org. [View Less]

1 0

[Git][tpo/applications/tor-browser][base-browser-128.7.0esr-14.5-1] 3 commits: fixup! BB 32308: Use direct browser sizing for letterboxing.
by Pier Angelo Vendrame (＠pierov) 27 Feb '25

27 Feb '25

Pier Angelo Vendrame pushed to branch base-browser-128.7.0esr-14.5-1 at The Tor Project / Applications / Tor Browser Commits: c7cc05f5 by Pier Angelo Vendrame at 2025-02-27T10:35:32+01:00 fixup! BB 32308: Use direct browser sizing for letterboxing. When the dimension is less than 50px, we need to return dimension itself, rather than a 0px margin. - - - - - 7a9352a7 by Pier Angelo Vendrame at 2025-02-27T10:35:35+01:00 fixup! BB 41631: Prevent weird initial window dimensions caused by … [View More]subpixel computations BB 43205: Fix newwin rounding. RFP might produce bad rounding because of platform-specific bugs. Solving them might involve a refactor that is out of our capacity, therefore we add a JS patch to fix wrong sizes. - - - - - c2980c01 by Pier Angelo Vendrame at 2025-02-27T10:35:35+01:00 fixup! BB 41918: Option to reuse last window size when letterboxing is enabled. BB 43205: Fix newwin rounding. Do not fix sizes when remember last size is enabled. - - - - - 1 changed file: - toolkit/components/resistfingerprinting/RFPHelper.sys.mjs Changes: ===================================== toolkit/components/resistfingerprinting/RFPHelper.sys.mjs ===================================== @@ -4,6 +4,7 @@ * You can obtain one at https://mozilla.org/MPL/2.0/. */ import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs"; +import { AppConstants } from "resource://gre/modules/AppConstants.sys.mjs"; import * as constants from "resource://gre/modules/RFPTargetConstants.sys.mjs"; const kPrefResistFingerprinting = "privacy.resistFingerprinting"; @@ -21,6 +22,8 @@ const kPrefLetterboxingGradient = "privacy.resistFingerprinting.letterboxing.gradient"; const kPrefLetterboxingDidForceSize = "privacy.resistFingerprinting.letterboxing.didForceSize"; +const kPrefLetterboxingRememberSize = + "privacy.resistFingerprinting.letterboxing.rememberSize"; const kTopicDOMWindowOpened = "domwindowopened"; @@ -519,22 +522,23 @@ class _RFPHelper { } } + stepping(aDimension, aIsWidth) { + if (aDimension <= 500) { + return 50; + } else if (aDimension <= 1600) { + return aIsWidth ? 200 : 100; + } + return 200; + } + /** * Given a width or height, rounds it with the proper stepping. */ steppedSize(aDimension, aIsWidth = false) { - let stepping; if (aDimension <= 50) { - return 0; - } else if (aDimension <= 500) { - stepping = 50; - } else if (aDimension <= 1600) { - stepping = aIsWidth ? 200 : 100; - } else { - stepping = 200; + return aDimension; } - - return aDimension - (aDimension % stepping); + return aDimension - (aDimension % this.stepping(aDimension, aIsWidth)); } /** @@ -806,6 +810,7 @@ class _RFPHelper { } _attachWindow(aWindow) { + this._fixRounding(aWindow); aWindow.addEventListener("sizemodechange", windowResizeHandler); aWindow.shrinkToLetterbox = this.shrinkToLetterbox; aWindow.addEventListener("dblclick", this._onWindowDoubleClick); @@ -865,6 +870,52 @@ class _RFPHelper { ); } + _fixRounding(aWindow) { + if ( + !this.rfpEnabled || + Services.prefs.getBoolPref(kPrefLetterboxingRememberSize, false) + ) { + return; + } + + // tor-browser#43205: in case of subpixels, new windows might have a wrong + // size because of platform-specific bugs (e.g., Bug 1947439 on Windows). + const contentContainer = aWindow.document.getElementById("browser"); + const rect = contentContainer.getBoundingClientRect(); + const steppingWidth = this.stepping(rect.width, true); + const steppingHeight = this.stepping(rect.height, false); + const deltaWidth = + rect.width - steppingWidth * Math.round(rect.width / steppingWidth); + const deltaHeight = + rect.height - steppingHeight * Math.round(rect.height / steppingHeight); + + // It seems that under X11, a window cannot have all the possible (integer) + // sizes (see the videos on tor-browser#43205 and Bug 1947439)... + // We observed this behavior with 1.25 scaling, but we could not find + // where it happens exactly, so this code might be wrong. + // On the same system, this problem does not happen with Wayland. + if (AppConstants.platform === "linux") { + let targetWidth = aWindow.outerWidth - deltaWidth; + let targetHeight = aWindow.outerHeight - deltaHeight; + const x11Size = s => + Math.floor( + // This first rounding is done by Gecko, rather than X11. + Math.round(s * aWindow.devicePixelRatio) / aWindow.devicePixelRatio + ); + const x11Width = x11Size(targetWidth); + const x11Height = x11Size(targetHeight); + if (x11Width < targetWidth) { + targetWidth = x11Width + 2; + } + if (x11Height < targetHeight) { + targetHeight = x11Height + 2; + } + aWindow.resizeTo(targetWidth, targetHeight); + } else { + aWindow.resizeBy(deltaWidth, deltaHeight); + } + } + getTargets() { return constants.Targets; } View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/20e649… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/20e649… You're receiving this email because of your account on gitlab.torproject.org. [View Less]

1 0