September 2025 - tbb-commits - lists.torproject.org

[Git][tpo/applications/tor-browser][tor-browser-140.3.0esr-15.0-1] BB 44107: Re-include firefoxview asset view-opentabs.svg.
by henry (＠henry) 22 Sep '25

22 Sep '25

henry pushed to branch tor-browser-140.3.0esr-15.0-1 at The Tor Project / Applications / Tor Browser Commits: 4e313bae by Henry Wilkes at 2025-09-22T12:11:03+01:00 BB 44107: Re-include firefoxview asset view-opentabs.svg. Should be dropped after bugzilla bug 1987279 is resolved. - - - - - 1 changed file: - browser/themes/shared/jar.inc.mn Changes: ===================================== browser/themes/shared/jar.inc.mn ===================================== @@ -7,6 +7,11 @@ # be specified once. As a result, the source file paths are relative # to the location of the actual manifest. +# Temporary work-around to include a single firefoxview asset needed for the +# "Switch to tab" search action. tor-browser#44107. +# Should be dropped after bugzilla bug 1987279. + content/browser/firefoxview/view-opentabs.svg (../../components/firefoxview/content/view-opentabs.svg) + skin/classic/browser/aboutFrameCrashed.css (../shared/aboutFrameCrashed.css) skin/classic/browser/aboutRestartRequired.css (../shared/aboutRestartRequired.css) skin/classic/browser/aboutSessionRestore.css (../shared/aboutSessionRestore.css) View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/4e313ba… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/4e313ba… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/mullvad-browser][mullvad-browser-140.3.0esr-15.0-1] fixup! BB 42037: Disable about:firefoxview page
by henry (＠henry) 22 Sep '25

22 Sep '25

henry pushed to branch mullvad-browser-140.3.0esr-15.0-1 at The Tor Project / Applications / Mullvad Browser Commits: d334771e by henry at 2025-09-22T11:25:45+01:00 fixup! BB 42037: Disable about:firefoxview page TB 43900: Open a new tab rather than about:firefoxview when unloading the last tab. (cherry picked from commit f7e0a6109a96f327710680c7ebba4699fb303806) Co-authored-by: Henry Wilkes <henry(a)torproject.org> - - - - - 1 changed file: - browser/components/tabbrowser/content/tabbrowser.js Changes: ===================================== browser/components/tabbrowser/content/tabbrowser.js ===================================== @@ -5185,14 +5185,11 @@ this.selectedTab = newTab; } else { allTabsUnloaded = true; - // all tabs are unloaded - show Firefox View if it's present, otherwise open a new tab - if (FirefoxViewHandler.tab || FirefoxViewHandler.button) { - FirefoxViewHandler.openTab("opentabs"); - } else { - this.selectedTab = this.addTrustedTab(BROWSER_NEW_TAB_URL, { - skipAnimation: true, - }); - } + // We disable the firefoxview path in base browser. tor-browser#43900. + // Might be resolved by bugzilla bug 1989429. + this.selectedTab = this.addTrustedTab(BROWSER_NEW_TAB_URL, { + skipAnimation: true, + }); } } let memoryUsageBeforeUnload = await getTotalMemoryUsage(); View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/d33… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/d33… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][base-browser-140.3.0esr-15.0-1] fixup! BB 42037: Disable about:firefoxview page
by henry (＠henry) 22 Sep '25

22 Sep '25

henry pushed to branch base-browser-140.3.0esr-15.0-1 at The Tor Project / Applications / Tor Browser Commits: ac9bc1a6 by henry at 2025-09-22T10:23:35+00:00 fixup! BB 42037: Disable about:firefoxview page TB 43900: Open a new tab rather than about:firefoxview when unloading the last tab. (cherry picked from commit f7e0a6109a96f327710680c7ebba4699fb303806) Co-authored-by: Henry Wilkes <henry(a)torproject.org> - - - - - 1 changed file: - browser/components/tabbrowser/content/tabbrowser.js Changes: ===================================== browser/components/tabbrowser/content/tabbrowser.js ===================================== @@ -5185,14 +5185,11 @@ this.selectedTab = newTab; } else { allTabsUnloaded = true; - // all tabs are unloaded - show Firefox View if it's present, otherwise open a new tab - if (FirefoxViewHandler.tab || FirefoxViewHandler.button) { - FirefoxViewHandler.openTab("opentabs"); - } else { - this.selectedTab = this.addTrustedTab(BROWSER_NEW_TAB_URL, { - skipAnimation: true, - }); - } + // We disable the firefoxview path in base browser. tor-browser#43900. + // Might be resolved by bugzilla bug 1989429. + this.selectedTab = this.addTrustedTab(BROWSER_NEW_TAB_URL, { + skipAnimation: true, + }); } } let memoryUsageBeforeUnload = await getTotalMemoryUsage(); View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/ac9bc1a… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/ac9bc1a… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][tor-browser-140.3.0esr-15.0-1] fixup! BB 42037: Disable about:firefoxview page
by henry (＠henry) 22 Sep '25

22 Sep '25

henry pushed to branch tor-browser-140.3.0esr-15.0-1 at The Tor Project / Applications / Tor Browser Commits: f7e0a610 by Henry Wilkes at 2025-09-22T11:02:23+01:00 fixup! BB 42037: Disable about:firefoxview page TB 43900: Open a new tab rather than about:firefoxview when unloading the last tab. - - - - - 1 changed file: - browser/components/tabbrowser/content/tabbrowser.js Changes: ===================================== browser/components/tabbrowser/content/tabbrowser.js ===================================== @@ -5185,14 +5185,11 @@ this.selectedTab = newTab; } else { allTabsUnloaded = true; - // all tabs are unloaded - show Firefox View if it's present, otherwise open a new tab - if (FirefoxViewHandler.tab || FirefoxViewHandler.button) { - FirefoxViewHandler.openTab("opentabs"); - } else { - this.selectedTab = this.addTrustedTab(BROWSER_NEW_TAB_URL, { - skipAnimation: true, - }); - } + // We disable the firefoxview path in base browser. tor-browser#43900. + // Might be resolved by bugzilla bug 1989429. + this.selectedTab = this.addTrustedTab(BROWSER_NEW_TAB_URL, { + skipAnimation: true, + }); } } let memoryUsageBeforeUnload = await getTotalMemoryUsage(); View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/f7e0a61… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/f7e0a61… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-update-responses][main] 6 commits: alpha: new version, 15.0a3 (linux-i686)
by boklm (＠boklm) 21 Sep '25

21 Sep '25

boklm pushed to branch main at The Tor Project / Applications / Tor Browser update responses Commits: 5dabb74a by Nicolas Vigier at 2025-09-21T20:24:27+02:00 alpha: new version, 15.0a3 (linux-i686) - - - - - dbd612d0 by Nicolas Vigier at 2025-09-21T20:24:27+02:00 alpha: new version, 15.0a3 (linux-x86_64) - - - - - f4501437 by Nicolas Vigier at 2025-09-21T20:24:27+02:00 alpha: new version, 15.0a3 (macos) - - - - - f392d8d9 by Nicolas Vigier at 2025-09-21T20:24:27+02:00 alpha: new version, 15.0a3 (windows-i686) - - - - - 56a5d7fa by Nicolas Vigier at 2025-09-21T20:24:27+02:00 alpha: new version, 15.0a3 (windows-x86_64) - - - - - a5246b2a by Nicolas Vigier at 2025-09-21T20:24:28+02:00 alpha: new version, 15.0a3 - - - - - 43 changed files: - update_3/alpha/download-android-aarch64.json - update_3/alpha/download-android-armv7.json - update_3/alpha/download-android-x86.json - update_3/alpha/download-android-x86_64.json - update_3/alpha/download-linux-i686.json - update_3/alpha/download-linux-x86_64.json - update_3/alpha/download-macos.json - update_3/alpha/download-windows-i686.json - update_3/alpha/download-windows-x86_64.json - update_3/alpha/downloads.json - update_3/alpha/linux-i686/.htaccess - update_3/alpha/linux-i686/update-14.5a5-15.0a2-linux-i686.xml → update_3/alpha/linux-i686/update-14.5a6-15.0a3-linux-i686.xml - update_3/alpha/linux-i686/update-14.5a6-15.0a2-linux-i686.xml → update_3/alpha/linux-i686/update-15.0a1-15.0a3-linux-i686.xml - update_3/alpha/linux-i686/update-15.0a1-15.0a2-linux-i686.xml → update_3/alpha/linux-i686/update-15.0a2-15.0a3-linux-i686.xml - update_3/alpha/linux-i686/update-15.0a2-linux-i686.xml → update_3/alpha/linux-i686/update-15.0a3-linux-i686.xml - update_3/alpha/linux-x86_64/.htaccess - update_3/alpha/linux-x86_64/update-14.5a5-15.0a2-linux-x86_64.xml → update_3/alpha/linux-x86_64/update-14.5a6-15.0a3-linux-x86_64.xml - update_3/alpha/linux-x86_64/update-14.5a6-15.0a2-linux-x86_64.xml → update_3/alpha/linux-x86_64/update-15.0a1-15.0a3-linux-x86_64.xml - update_3/alpha/linux-x86_64/update-15.0a1-15.0a2-linux-x86_64.xml → update_3/alpha/linux-x86_64/update-15.0a2-15.0a3-linux-x86_64.xml - update_3/alpha/linux-x86_64/update-15.0a2-linux-x86_64.xml → update_3/alpha/linux-x86_64/update-15.0a3-linux-x86_64.xml - update_3/alpha/macos/.htaccess - update_3/alpha/macos/update-14.5a5-15.0a2-macos.xml → update_3/alpha/macos/update-14.5a6-15.0a3-macos.xml - update_3/alpha/macos/update-15.0a1-15.0a2-macos.xml → update_3/alpha/macos/update-15.0a1-15.0a3-macos.xml - update_3/alpha/macos/update-14.5a6-15.0a2-macos.xml → update_3/alpha/macos/update-15.0a2-15.0a3-macos.xml - update_3/alpha/macos/update-15.0a2-macos.xml → update_3/alpha/macos/update-15.0a3-macos.xml - update_3/alpha/windows-i686/.htaccess - − update_3/alpha/windows-i686/update-14.5a5-15.0a2-windows-i686.xml - − update_3/alpha/windows-i686/update-14.5a6-15.0a2-windows-i686.xml - + update_3/alpha/windows-i686/update-14.5a6-15.0a3-windows-i686.xml - − update_3/alpha/windows-i686/update-15.0a1-15.0a2-windows-i686.xml - + update_3/alpha/windows-i686/update-15.0a1-15.0a3-windows-i686.xml - + update_3/alpha/windows-i686/update-15.0a2-15.0a3-windows-i686.xml - − update_3/alpha/windows-i686/update-15.0a2-windows-i686.xml - + update_3/alpha/windows-i686/update-15.0a3-windows-i686.xml - update_3/alpha/windows-x86_64/.htaccess - − update_3/alpha/windows-x86_64/update-14.5a5-15.0a2-windows-x86_64.xml - − update_3/alpha/windows-x86_64/update-14.5a6-15.0a2-windows-x86_64.xml - + update_3/alpha/windows-x86_64/update-14.5a6-15.0a3-windows-x86_64.xml - − update_3/alpha/windows-x86_64/update-15.0a1-15.0a2-windows-x86_64.xml - + update_3/alpha/windows-x86_64/update-15.0a1-15.0a3-windows-x86_64.xml - + update_3/alpha/windows-x86_64/update-15.0a2-15.0a3-windows-x86_64.xml - − update_3/alpha/windows-x86_64/update-15.0a2-windows-x86_64.xml - + update_3/alpha/windows-x86_64/update-15.0a3-windows-x86_64.xml The diff was not included because it is too large. View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-update-responses… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-update-responses… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/mullvad-browser-update-responses][main] 4 commits: alpha: new version, 15.0a3 (linux-x86_64)
by boklm (＠boklm) 19 Sep '25

19 Sep '25

boklm pushed to branch main at The Tor Project / Applications / mullvad-browser-update-responses Commits: 624774ee by Nicolas Vigier at 2025-09-19T16:00:13+02:00 alpha: new version, 15.0a3 (linux-x86_64) - - - - - 469fc843 by Nicolas Vigier at 2025-09-19T16:00:13+02:00 alpha: new version, 15.0a3 (macos) - - - - - 3f56bf52 by Nicolas Vigier at 2025-09-19T16:00:13+02:00 alpha: new version, 15.0a3 (windows-x86_64) - - - - - 570914eb by Nicolas Vigier at 2025-09-19T16:00:13+02:00 alpha: new version, 15.0a3 - - - - - 31 changed files: - update_1/alpha/download-linux-x86_64.json - update_1/alpha/download-macos.json - update_1/alpha/download-windows-x86_64.json - update_1/alpha/downloads.json - update_1/alpha/linux-x86_64/.htaccess - − update_1/alpha/linux-x86_64/update-14.5a5-15.0a2-linux-x86_64.xml - − update_1/alpha/linux-x86_64/update-14.5a6-15.0a2-linux-x86_64.xml - + update_1/alpha/linux-x86_64/update-14.5a6-15.0a3-linux-x86_64.xml - − update_1/alpha/linux-x86_64/update-15.0a1-15.0a2-linux-x86_64.xml - + update_1/alpha/linux-x86_64/update-15.0a1-15.0a3-linux-x86_64.xml - + update_1/alpha/linux-x86_64/update-15.0a2-15.0a3-linux-x86_64.xml - − update_1/alpha/linux-x86_64/update-15.0a2-linux-x86_64.xml - + update_1/alpha/linux-x86_64/update-15.0a3-linux-x86_64.xml - update_1/alpha/macos/.htaccess - − update_1/alpha/macos/update-14.5a5-15.0a2-macos.xml - − update_1/alpha/macos/update-14.5a6-15.0a2-macos.xml - + update_1/alpha/macos/update-14.5a6-15.0a3-macos.xml - − update_1/alpha/macos/update-15.0a1-15.0a2-macos.xml - + update_1/alpha/macos/update-15.0a1-15.0a3-macos.xml - + update_1/alpha/macos/update-15.0a2-15.0a3-macos.xml - − update_1/alpha/macos/update-15.0a2-macos.xml - + update_1/alpha/macos/update-15.0a3-macos.xml - update_1/alpha/windows-x86_64/.htaccess - − update_1/alpha/windows-x86_64/update-14.5a5-15.0a2-windows-x86_64.xml - − update_1/alpha/windows-x86_64/update-14.5a6-15.0a2-windows-x86_64.xml - + update_1/alpha/windows-x86_64/update-14.5a6-15.0a3-windows-x86_64.xml - − update_1/alpha/windows-x86_64/update-15.0a1-15.0a2-windows-x86_64.xml - + update_1/alpha/windows-x86_64/update-15.0a1-15.0a3-windows-x86_64.xml - + update_1/alpha/windows-x86_64/update-15.0a2-15.0a3-windows-x86_64.xml - − update_1/alpha/windows-x86_64/update-15.0a2-windows-x86_64.xml - + update_1/alpha/windows-x86_64/update-15.0a3-windows-x86_64.xml The diff was not included because it is too large. View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser-update-respo… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser-update-respo… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/mullvad-browser][mullvad-browser-140.3.0esr-15.0-1] fixup! BB 40925: Implemented the Security Level component
by Pier Angelo Vendrame (＠pierov) 18 Sep '25

18 Sep '25

Pier Angelo Vendrame pushed to branch mullvad-browser-140.3.0esr-15.0-1 at The Tor Project / Applications / Mullvad Browser Commits: c7cdcacd by Pier Angelo Vendrame at 2025-09-18T17:53:38+02:00 fixup! BB 40925: Implemented the Security Level component BB 44178: Refactor DDG's change of behavior with sec level. With the highest security level, we use the HTML version of DuckDuckGo. We used to change the URL on the fly when doing the search, but this had some problems (different UI, and problems with DDG lite). With this change, we consider the security level when loading the search engine configuration, and change the search URLs at that point. - - - - - 4 changed files: - toolkit/components/search/SearchEngine.sys.mjs - toolkit/components/search/SearchEngineSelector.sys.mjs - toolkit/components/search/SearchService.sys.mjs - toolkit/components/securitylevel/SecurityLevel.sys.mjs Changes: ===================================== toolkit/components/search/SearchEngine.sys.mjs ===================================== @@ -14,7 +14,6 @@ const lazy = {}; ChromeUtils.defineESModuleGetters(lazy, { SearchSettings: "moz-src:///toolkit/components/search/SearchSettings.sys.mjs", SearchUtils: "moz-src:///toolkit/components/search/SearchUtils.sys.mjs", - SecurityLevelPrefs: "resource://gre/modules/SecurityLevel.sys.mjs", OpenSearchEngine: "moz-src:///toolkit/components/search/OpenSearchEngine.sys.mjs", }); @@ -354,28 +353,6 @@ export class EngineURL { escapedSearchTerms, queryCharset ); - - if ( - lazy.SecurityLevelPrefs?.securityLevel === "safest" && - this.type === lazy.SearchUtils.URL_TYPE.SEARCH - ) { - let host = templateURI.host; - try { - host = Services.eTLD.getBaseDomainFromHost(host); - } catch (ex) { - lazy.logConsole.warn("Failed to get a FPD", ex, host); - } - if (host === "duckduckgo.com") { - templateURI.host = "html.duckduckgo.com"; - templateURI.pathname = "/html"; - } else if ( - host === - "duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion" - ) { - templateURI.pathname = "/html"; - } - } - if (this.method == "GET" && paramString) { // Query parameters may be specified in the template url AND in `this.params`. // Thus, we need to supply both with the search terms and join them. ===================================== toolkit/components/search/SearchEngineSelector.sys.mjs ===================================== @@ -315,6 +315,9 @@ export class SearchEngineSelector { * The name of the application. * @param {string} [options.version] * The version of the application. + * @param {boolean} [options.javascriptEnabled] + * Tell whether JS is enabled. If not, we will prefer plain HTML version of + * search engines, when available. * @returns {Promise<RefinedConfig>} * An object which contains the refined configuration with a filtered list * of search engines, and the identifiers for the application default engines. @@ -327,6 +330,7 @@ export class SearchEngineSelector { experiment, appName = Services.appinfo.name ?? "", version = Services.appinfo.version ?? "", + javascriptEnabled = true, }) { if (!this._configuration) { await this.getEngineConfiguration(); @@ -461,6 +465,17 @@ export class SearchEngineSelector { e => !e.optional ); + if (!javascriptEnabled) { + refinedSearchConfig.engines = refinedSearchConfig.engines.map(e => { + if (e.identifier === "ddg") { + e.urls.search.base = "https://html.duckduckgo.com/html"; + } else if (e.identifier === "ddg-onion") { + e.urls.search.base += "html"; + } + return e; + }); + } + if ( !refinedSearchConfig.appDefaultEngineId || !refinedSearchConfig.engines.find( ===================================== toolkit/components/search/SearchService.sys.mjs ===================================== @@ -24,6 +24,7 @@ ChromeUtils.defineESModuleGetters(lazy, { "moz-src:///toolkit/components/search/PolicySearchEngine.sys.mjs", Region: "resource://gre/modules/Region.sys.mjs", RemoteSettings: "resource://services-settings/remote-settings.sys.mjs", + SecurityLevelPrefs: "resource://gre/modules/SecurityLevel.sys.mjs", SearchEngine: "moz-src:///toolkit/components/search/SearchEngine.sys.mjs", SearchEngineSelector: "moz-src:///toolkit/components/search/SearchEngineSelector.sys.mjs", @@ -71,6 +72,7 @@ ChromeUtils.defineLazyGetter(lazy, "defaultOverrideAllowlist", () => { const TOPIC_LOCALES_CHANGE = "intl:app-locales-changed"; const QUIT_APPLICATION_TOPIC = "quit-application"; +const TOPIC_JSENABLED_CHANGED = "SecurityLevel:JavascriptEnabledChanged"; // The update timer for OpenSearch engines checks in once a day. const OPENSEARCH_UPDATE_TIMER_TOPIC = "search-engine-update-timer"; @@ -2634,6 +2636,7 @@ export class SearchService { channel: lazy.SearchUtils.MODIFIED_APP_CHANNEL, experiment: this._experimentPrefValue, distroID: lazy.SearchUtils.distroID ?? "", + javascriptEnabled: lazy.SecurityLevelPrefs.javascriptEnabled, }; for (let [key, value] of Object.entries(searchEngineSelectorProperties)) { @@ -3527,6 +3530,7 @@ export class SearchService { Services.obs.addObserver(this, lazy.SearchUtils.TOPIC_ENGINE_MODIFIED); Services.obs.addObserver(this, QUIT_APPLICATION_TOPIC); Services.obs.addObserver(this, TOPIC_LOCALES_CHANGE); + Services.obs.addObserver(this, TOPIC_JSENABLED_CHANGED); this._settings.addObservers(); @@ -3589,6 +3593,7 @@ export class SearchService { Services.obs.removeObserver(this, QUIT_APPLICATION_TOPIC); Services.obs.removeObserver(this, TOPIC_LOCALES_CHANGE); Services.obs.removeObserver(this, lazy.Region.REGION_TOPIC); + Services.obs.removeObserver(this, TOPIC_JSENABLED_CHANGED); } QueryInterface = ChromeUtils.generateQI([ @@ -3668,6 +3673,13 @@ export class SearchService { Ci.nsISearchService.CHANGE_REASON_REGION ).catch(console.error); break; + + case TOPIC_JSENABLED_CHANGED: + lazy.logConsole.debug("JavaScript toggled"); + this._maybeReloadEngines( + Ci.nsISearchService.CHANGE_REASON_CONFIG + ).catch(console.error); + break; } } ===================================== toolkit/components/securitylevel/SecurityLevel.sys.mjs ===================================== @@ -402,6 +402,8 @@ var initializeSecurityPrefs = function () { Services.prefs.setBoolPref(kCustomPref, false); Services.prefs.setIntPref(kSliderPref, effectiveIndex); } + // Determine the javascriptEnabled value *after* we have set kSliderPref. + SecurityLevelPrefs.updateJavascriptEnabled(); // Warn the user if they have booted the browser in a custom state, and have // not yet acknowledged it in a previous session. SecurityLevelPrefs.maybeWarnCustom(); @@ -578,6 +580,42 @@ export const SecurityLevelPrefs = { )?.[0]; }, + /** + * Cached value for whether javascript is enabled. `null` whilst undetermined. + * + * @type {?boolean} + */ + _javascriptEnabled: null, + + /** + * Whether javascript is enabled for web pages at the current security level. + * + * @type {boolean} + */ + get javascriptEnabled() { + if (this._javascriptEnabled === null) { + this.updateJavascriptEnabled(); + } + return this._javascriptEnabled; + }, + + /** + * Update the javascriptEnabled value. + */ + updateJavascriptEnabled() { + // NoScript will disable javascript for web pages at the safest security + // level. + const enabled = this.securityLevel !== "safest"; + if (enabled === this._javascriptEnabled) { + return; + } + this._javascriptEnabled = enabled; + Services.obs.notifyObservers( + null, + "SecurityLevel:JavascriptEnabledChanged" + ); + }, + /** * Set the desired security level just before a restart. * @@ -587,6 +625,10 @@ export const SecurityLevelPrefs = { */ setSecurityLevelBeforeRestart(level) { write_setting_to_prefs(this.SecurityLevels[level]); + // NOTE: Do not call `updateJavascriptEnabled`. We are about to restart, so + // consumers do not need to know about the change. + // Moreover, the change has not reached NoScript, which controls the + // javascript changes. }, /** @@ -741,6 +783,8 @@ export const SecurityLevelPrefs = { // still be marked as "custom" because: // 1. Some preferences require a browser restart to be applied. // 2. NoScript has not been updated with the new settings. + // NOTE: Do not call `updateJavascriptEnabled` because the change has not + // reached NoScript, which controls the javascript changes. this._tryShowNotifications({ restart: true, custom: true }); }, View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/c7c… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/c7c… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][base-browser-140.3.0esr-15.0-1] fixup! BB 40925: Implemented the Security Level component
by Pier Angelo Vendrame (＠pierov) 18 Sep '25

18 Sep '25

Pier Angelo Vendrame pushed to branch base-browser-140.3.0esr-15.0-1 at The Tor Project / Applications / Tor Browser Commits: 8765cf34 by Pier Angelo Vendrame at 2025-09-18T17:52:47+02:00 fixup! BB 40925: Implemented the Security Level component BB 44178: Refactor DDG's change of behavior with sec level. With the highest security level, we use the HTML version of DuckDuckGo. We used to change the URL on the fly when doing the search, but this had some problems (different UI, and problems with DDG lite). With this change, we consider the security level when loading the search engine configuration, and change the search URLs at that point. - - - - - 4 changed files: - toolkit/components/search/SearchEngine.sys.mjs - toolkit/components/search/SearchEngineSelector.sys.mjs - toolkit/components/search/SearchService.sys.mjs - toolkit/components/securitylevel/SecurityLevel.sys.mjs Changes: ===================================== toolkit/components/search/SearchEngine.sys.mjs ===================================== @@ -14,7 +14,6 @@ const lazy = {}; ChromeUtils.defineESModuleGetters(lazy, { SearchSettings: "moz-src:///toolkit/components/search/SearchSettings.sys.mjs", SearchUtils: "moz-src:///toolkit/components/search/SearchUtils.sys.mjs", - SecurityLevelPrefs: "resource://gre/modules/SecurityLevel.sys.mjs", OpenSearchEngine: "moz-src:///toolkit/components/search/OpenSearchEngine.sys.mjs", }); @@ -354,28 +353,6 @@ export class EngineURL { escapedSearchTerms, queryCharset ); - - if ( - lazy.SecurityLevelPrefs?.securityLevel === "safest" && - this.type === lazy.SearchUtils.URL_TYPE.SEARCH - ) { - let host = templateURI.host; - try { - host = Services.eTLD.getBaseDomainFromHost(host); - } catch (ex) { - lazy.logConsole.warn("Failed to get a FPD", ex, host); - } - if (host === "duckduckgo.com") { - templateURI.host = "html.duckduckgo.com"; - templateURI.pathname = "/html"; - } else if ( - host === - "duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion" - ) { - templateURI.pathname = "/html"; - } - } - if (this.method == "GET" && paramString) { // Query parameters may be specified in the template url AND in `this.params`. // Thus, we need to supply both with the search terms and join them. ===================================== toolkit/components/search/SearchEngineSelector.sys.mjs ===================================== @@ -315,6 +315,9 @@ export class SearchEngineSelector { * The name of the application. * @param {string} [options.version] * The version of the application. + * @param {boolean} [options.javascriptEnabled] + * Tell whether JS is enabled. If not, we will prefer plain HTML version of + * search engines, when available. * @returns {Promise<RefinedConfig>} * An object which contains the refined configuration with a filtered list * of search engines, and the identifiers for the application default engines. @@ -327,6 +330,7 @@ export class SearchEngineSelector { experiment, appName = Services.appinfo.name ?? "", version = Services.appinfo.version ?? "", + javascriptEnabled = true, }) { if (!this._configuration) { await this.getEngineConfiguration(); @@ -461,6 +465,17 @@ export class SearchEngineSelector { e => !e.optional ); + if (!javascriptEnabled) { + refinedSearchConfig.engines = refinedSearchConfig.engines.map(e => { + if (e.identifier === "ddg") { + e.urls.search.base = "https://html.duckduckgo.com/html"; + } else if (e.identifier === "ddg-onion") { + e.urls.search.base += "html"; + } + return e; + }); + } + if ( !refinedSearchConfig.appDefaultEngineId || !refinedSearchConfig.engines.find( ===================================== toolkit/components/search/SearchService.sys.mjs ===================================== @@ -24,6 +24,7 @@ ChromeUtils.defineESModuleGetters(lazy, { "moz-src:///toolkit/components/search/PolicySearchEngine.sys.mjs", Region: "resource://gre/modules/Region.sys.mjs", RemoteSettings: "resource://services-settings/remote-settings.sys.mjs", + SecurityLevelPrefs: "resource://gre/modules/SecurityLevel.sys.mjs", SearchEngine: "moz-src:///toolkit/components/search/SearchEngine.sys.mjs", SearchEngineSelector: "moz-src:///toolkit/components/search/SearchEngineSelector.sys.mjs", @@ -71,6 +72,7 @@ ChromeUtils.defineLazyGetter(lazy, "defaultOverrideAllowlist", () => { const TOPIC_LOCALES_CHANGE = "intl:app-locales-changed"; const QUIT_APPLICATION_TOPIC = "quit-application"; +const TOPIC_JSENABLED_CHANGED = "SecurityLevel:JavascriptEnabledChanged"; // The update timer for OpenSearch engines checks in once a day. const OPENSEARCH_UPDATE_TIMER_TOPIC = "search-engine-update-timer"; @@ -2634,6 +2636,7 @@ export class SearchService { channel: lazy.SearchUtils.MODIFIED_APP_CHANNEL, experiment: this._experimentPrefValue, distroID: lazy.SearchUtils.distroID ?? "", + javascriptEnabled: lazy.SecurityLevelPrefs.javascriptEnabled, }; for (let [key, value] of Object.entries(searchEngineSelectorProperties)) { @@ -3527,6 +3530,7 @@ export class SearchService { Services.obs.addObserver(this, lazy.SearchUtils.TOPIC_ENGINE_MODIFIED); Services.obs.addObserver(this, QUIT_APPLICATION_TOPIC); Services.obs.addObserver(this, TOPIC_LOCALES_CHANGE); + Services.obs.addObserver(this, TOPIC_JSENABLED_CHANGED); this._settings.addObservers(); @@ -3589,6 +3593,7 @@ export class SearchService { Services.obs.removeObserver(this, QUIT_APPLICATION_TOPIC); Services.obs.removeObserver(this, TOPIC_LOCALES_CHANGE); Services.obs.removeObserver(this, lazy.Region.REGION_TOPIC); + Services.obs.removeObserver(this, TOPIC_JSENABLED_CHANGED); } QueryInterface = ChromeUtils.generateQI([ @@ -3668,6 +3673,13 @@ export class SearchService { Ci.nsISearchService.CHANGE_REASON_REGION ).catch(console.error); break; + + case TOPIC_JSENABLED_CHANGED: + lazy.logConsole.debug("JavaScript toggled"); + this._maybeReloadEngines( + Ci.nsISearchService.CHANGE_REASON_CONFIG + ).catch(console.error); + break; } } ===================================== toolkit/components/securitylevel/SecurityLevel.sys.mjs ===================================== @@ -390,6 +390,8 @@ var initializeSecurityPrefs = function () { Services.prefs.setBoolPref(kCustomPref, false); Services.prefs.setIntPref(kSliderPref, effectiveIndex); } + // Determine the javascriptEnabled value *after* we have set kSliderPref. + SecurityLevelPrefs.updateJavascriptEnabled(); // Warn the user if they have booted the browser in a custom state, and have // not yet acknowledged it in a previous session. SecurityLevelPrefs.maybeWarnCustom(); @@ -566,6 +568,42 @@ export const SecurityLevelPrefs = { )?.[0]; }, + /** + * Cached value for whether javascript is enabled. `null` whilst undetermined. + * + * @type {?boolean} + */ + _javascriptEnabled: null, + + /** + * Whether javascript is enabled for web pages at the current security level. + * + * @type {boolean} + */ + get javascriptEnabled() { + if (this._javascriptEnabled === null) { + this.updateJavascriptEnabled(); + } + return this._javascriptEnabled; + }, + + /** + * Update the javascriptEnabled value. + */ + updateJavascriptEnabled() { + // NoScript will disable javascript for web pages at the safest security + // level. + const enabled = this.securityLevel !== "safest"; + if (enabled === this._javascriptEnabled) { + return; + } + this._javascriptEnabled = enabled; + Services.obs.notifyObservers( + null, + "SecurityLevel:JavascriptEnabledChanged" + ); + }, + /** * Set the desired security level just before a restart. * @@ -575,6 +613,10 @@ export const SecurityLevelPrefs = { */ setSecurityLevelBeforeRestart(level) { write_setting_to_prefs(this.SecurityLevels[level]); + // NOTE: Do not call `updateJavascriptEnabled`. We are about to restart, so + // consumers do not need to know about the change. + // Moreover, the change has not reached NoScript, which controls the + // javascript changes. }, /** @@ -729,6 +771,8 @@ export const SecurityLevelPrefs = { // still be marked as "custom" because: // 1. Some preferences require a browser restart to be applied. // 2. NoScript has not been updated with the new settings. + // NOTE: Do not call `updateJavascriptEnabled` because the change has not + // reached NoScript, which controls the javascript changes. this._tryShowNotifications({ restart: true, custom: true }); }, View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/8765cf3… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/8765cf3… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][tor-browser-140.3.0esr-15.0-1] fixup! BB 40925: Implemented the Security Level component
by Pier Angelo Vendrame (＠pierov) 18 Sep '25

18 Sep '25

Pier Angelo Vendrame pushed to branch tor-browser-140.3.0esr-15.0-1 at The Tor Project / Applications / Tor Browser Commits: ce3eaa51 by Pier Angelo Vendrame at 2025-09-18T17:47:23+02:00 fixup! BB 40925: Implemented the Security Level component BB 44178: Refactor DDG's change of behavior with sec level. With the highest security level, we use the HTML version of DuckDuckGo. We used to change the URL on the fly when doing the search, but this had some problems (different UI, and problems with DDG lite). With this change, we consider the security level when loading the search engine configuration, and change the search URLs at that point. - - - - - 4 changed files: - toolkit/components/search/SearchEngine.sys.mjs - toolkit/components/search/SearchEngineSelector.sys.mjs - toolkit/components/search/SearchService.sys.mjs - toolkit/components/securitylevel/SecurityLevel.sys.mjs Changes: ===================================== toolkit/components/search/SearchEngine.sys.mjs ===================================== @@ -14,7 +14,6 @@ const lazy = {}; ChromeUtils.defineESModuleGetters(lazy, { SearchSettings: "moz-src:///toolkit/components/search/SearchSettings.sys.mjs", SearchUtils: "moz-src:///toolkit/components/search/SearchUtils.sys.mjs", - SecurityLevelPrefs: "resource://gre/modules/SecurityLevel.sys.mjs", OpenSearchEngine: "moz-src:///toolkit/components/search/OpenSearchEngine.sys.mjs", }); @@ -354,28 +353,6 @@ export class EngineURL { escapedSearchTerms, queryCharset ); - - if ( - lazy.SecurityLevelPrefs?.securityLevel === "safest" && - this.type === lazy.SearchUtils.URL_TYPE.SEARCH - ) { - let host = templateURI.host; - try { - host = Services.eTLD.getBaseDomainFromHost(host); - } catch (ex) { - lazy.logConsole.warn("Failed to get a FPD", ex, host); - } - if (host === "duckduckgo.com") { - templateURI.host = "html.duckduckgo.com"; - templateURI.pathname = "/html"; - } else if ( - host === - "duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion" - ) { - templateURI.pathname = "/html"; - } - } - if (this.method == "GET" && paramString) { // Query parameters may be specified in the template url AND in `this.params`. // Thus, we need to supply both with the search terms and join them. ===================================== toolkit/components/search/SearchEngineSelector.sys.mjs ===================================== @@ -315,6 +315,9 @@ export class SearchEngineSelector { * The name of the application. * @param {string} [options.version] * The version of the application. + * @param {boolean} [options.javascriptEnabled] + * Tell whether JS is enabled. If not, we will prefer plain HTML version of + * search engines, when available. * @returns {Promise<RefinedConfig>} * An object which contains the refined configuration with a filtered list * of search engines, and the identifiers for the application default engines. @@ -327,6 +330,7 @@ export class SearchEngineSelector { experiment, appName = Services.appinfo.name ?? "", version = Services.appinfo.version ?? "", + javascriptEnabled = true, }) { if (!this._configuration) { await this.getEngineConfiguration(); @@ -461,6 +465,17 @@ export class SearchEngineSelector { e => !e.optional ); + if (!javascriptEnabled) { + refinedSearchConfig.engines = refinedSearchConfig.engines.map(e => { + if (e.identifier === "ddg") { + e.urls.search.base = "https://html.duckduckgo.com/html"; + } else if (e.identifier === "ddg-onion") { + e.urls.search.base += "html"; + } + return e; + }); + } + if ( !refinedSearchConfig.appDefaultEngineId || !refinedSearchConfig.engines.find( ===================================== toolkit/components/search/SearchService.sys.mjs ===================================== @@ -24,6 +24,7 @@ ChromeUtils.defineESModuleGetters(lazy, { "moz-src:///toolkit/components/search/PolicySearchEngine.sys.mjs", Region: "resource://gre/modules/Region.sys.mjs", RemoteSettings: "resource://services-settings/remote-settings.sys.mjs", + SecurityLevelPrefs: "resource://gre/modules/SecurityLevel.sys.mjs", SearchEngine: "moz-src:///toolkit/components/search/SearchEngine.sys.mjs", SearchEngineSelector: "moz-src:///toolkit/components/search/SearchEngineSelector.sys.mjs", @@ -71,6 +72,7 @@ ChromeUtils.defineLazyGetter(lazy, "defaultOverrideAllowlist", () => { const TOPIC_LOCALES_CHANGE = "intl:app-locales-changed"; const QUIT_APPLICATION_TOPIC = "quit-application"; +const TOPIC_JSENABLED_CHANGED = "SecurityLevel:JavascriptEnabledChanged"; // The update timer for OpenSearch engines checks in once a day. const OPENSEARCH_UPDATE_TIMER_TOPIC = "search-engine-update-timer"; @@ -2634,6 +2636,7 @@ export class SearchService { channel: lazy.SearchUtils.MODIFIED_APP_CHANNEL, experiment: this._experimentPrefValue, distroID: lazy.SearchUtils.distroID ?? "", + javascriptEnabled: lazy.SecurityLevelPrefs.javascriptEnabled, }; for (let [key, value] of Object.entries(searchEngineSelectorProperties)) { @@ -3527,6 +3530,7 @@ export class SearchService { Services.obs.addObserver(this, lazy.SearchUtils.TOPIC_ENGINE_MODIFIED); Services.obs.addObserver(this, QUIT_APPLICATION_TOPIC); Services.obs.addObserver(this, TOPIC_LOCALES_CHANGE); + Services.obs.addObserver(this, TOPIC_JSENABLED_CHANGED); this._settings.addObservers(); @@ -3589,6 +3593,7 @@ export class SearchService { Services.obs.removeObserver(this, QUIT_APPLICATION_TOPIC); Services.obs.removeObserver(this, TOPIC_LOCALES_CHANGE); Services.obs.removeObserver(this, lazy.Region.REGION_TOPIC); + Services.obs.removeObserver(this, TOPIC_JSENABLED_CHANGED); } QueryInterface = ChromeUtils.generateQI([ @@ -3668,6 +3673,13 @@ export class SearchService { Ci.nsISearchService.CHANGE_REASON_REGION ).catch(console.error); break; + + case TOPIC_JSENABLED_CHANGED: + lazy.logConsole.debug("JavaScript toggled"); + this._maybeReloadEngines( + Ci.nsISearchService.CHANGE_REASON_CONFIG + ).catch(console.error); + break; } } ===================================== toolkit/components/securitylevel/SecurityLevel.sys.mjs ===================================== @@ -390,6 +390,8 @@ var initializeSecurityPrefs = function () { Services.prefs.setBoolPref(kCustomPref, false); Services.prefs.setIntPref(kSliderPref, effectiveIndex); } + // Determine the javascriptEnabled value *after* we have set kSliderPref. + SecurityLevelPrefs.updateJavascriptEnabled(); // Warn the user if they have booted the browser in a custom state, and have // not yet acknowledged it in a previous session. SecurityLevelPrefs.maybeWarnCustom(); @@ -566,6 +568,42 @@ export const SecurityLevelPrefs = { )?.[0]; }, + /** + * Cached value for whether javascript is enabled. `null` whilst undetermined. + * + * @type {?boolean} + */ + _javascriptEnabled: null, + + /** + * Whether javascript is enabled for web pages at the current security level. + * + * @type {boolean} + */ + get javascriptEnabled() { + if (this._javascriptEnabled === null) { + this.updateJavascriptEnabled(); + } + return this._javascriptEnabled; + }, + + /** + * Update the javascriptEnabled value. + */ + updateJavascriptEnabled() { + // NoScript will disable javascript for web pages at the safest security + // level. + const enabled = this.securityLevel !== "safest"; + if (enabled === this._javascriptEnabled) { + return; + } + this._javascriptEnabled = enabled; + Services.obs.notifyObservers( + null, + "SecurityLevel:JavascriptEnabledChanged" + ); + }, + /** * Set the desired security level just before a restart. * @@ -575,6 +613,10 @@ export const SecurityLevelPrefs = { */ setSecurityLevelBeforeRestart(level) { write_setting_to_prefs(this.SecurityLevels[level]); + // NOTE: Do not call `updateJavascriptEnabled`. We are about to restart, so + // consumers do not need to know about the change. + // Moreover, the change has not reached NoScript, which controls the + // javascript changes. }, /** @@ -729,6 +771,8 @@ export const SecurityLevelPrefs = { // still be marked as "custom" because: // 1. Some preferences require a browser restart to be applied. // 2. NoScript has not been updated with the new settings. + // NOTE: Do not call `updateJavascriptEnabled` because the change has not + // reached NoScript, which controls the javascript changes. this._tryShowNotifications({ restart: true, custom: true }); }, View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/ce3eaa5… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/ce3eaa5… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/mullvad-browser] Pushed new tag mullvad-browser-143.0a1-16.0-2-build1
by brizental (＠brizental) 18 Sep '25

18 Sep '25

brizental pushed new tag mullvad-browser-143.0a1-16.0-2-build1 at The Tor Project / Applications / Mullvad Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/tree/mullv… You're receiving this email because of your account on gitlab.torproject.org.

1 0