- tbb-commits - lists.torproject.org

[Git][tpo/applications/mullvad-browser][mullvad-browser-128.8.0esr-14.0-1] 5 commits: Bug 1908488 - Improve dialogs. r=android-reviewers,gmalekpour, a=dmeehan [bp]
by ma1 (＠ma1) 03 Mar '25

03 Mar '25

ma1 pushed to branch mullvad-browser-128.8.0esr-14.0-1 at The Tor Project / Applications / Mullvad Browser Commits: 955c81f6 by Tara at 2025-03-03T10:15:09+01:00 Bug 1908488 - Improve dialogs. r=android-reviewers,gmalekpour, a=dmeehan [bp] Differential Revision: https://phabricator.services.mozilla.com/D236606 - - - - - 7377c502 by John Schanck at 2025-03-03T10:15:10+01:00 Bug 1922357 - disallow the fido: URI scheme. a=dmeehan Original Revision: https://phabricator.services.mozilla.com/D237313 Differential Revision: https://phabricator.services.mozilla.com/D238681 - - - - - bddb7190 by Jeff Boek at 2025-03-03T10:15:11+01:00 Bug 1928334 - Handles animating activities a=dmeehan Original Revision: https://phabricator.services.mozilla.com/D238342 Differential Revision: https://phabricator.services.mozilla.com/D238845 - - - - - 43064cfd by Tom Schuster at 2025-03-03T10:15:12+01:00 Bug 1942022 - Improve the about:protections CSP. r=firefox-desktop-core-reviewers ,mossop Differential Revision: https://phabricator.services.mozilla.com/D234507 - - - - - 64d9c395 by Tom Schuster at 2025-03-03T10:15:13+01:00 Bug 1942025 - Improve the about:privatebrowsing CSP. r=firefox-desktop-core-reviewers ,Gijs Differential Revision: https://phabricator.services.mozilla.com/D234508 - - - - - 11 changed files: - browser/components/privatebrowsing/content/aboutPrivateBrowsing.html - browser/components/protections/content/protections.html - mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt - mobile/android/android-components/components/browser/engine-gecko/src/test/java/mozilla/components/browser/engine/gecko/GeckoEngineSessionTest.kt - mobile/android/android-components/components/feature/app-links/src/main/java/mozilla/components/feature/app/links/AppLinksUseCases.kt - mobile/android/android-components/components/feature/app-links/src/test/java/mozilla/components/feature/app/links/AppLinksUseCasesTest.kt - mobile/android/android-components/components/feature/prompts/src/main/java/mozilla/components/feature/prompts/PromptFeature.kt - mobile/android/fenix/app/src/main/java/org/mozilla/fenix/HomeActivity.kt - mobile/android/fenix/app/src/main/java/org/mozilla/fenix/customtabs/ExternalAppBrowserActivity.kt - mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/IntentUtils.java - mobile/android/geckoview/src/test/java/org/mozilla/gecko/util/IntentUtilsTest.java Changes: ===================================== browser/components/privatebrowsing/content/aboutPrivateBrowsing.html ===================================== @@ -10,7 +10,7 @@ <meta charset="utf-8" /> <meta http-equiv="Content-Security-Policy" - content="default-src chrome: blob:; object-src 'none'" + content="default-src chrome:; img-src chrome: blob:; object-src 'none';" /> <meta name="color-scheme" content="light dark" /> <link rel="icon" href="chrome://browser/skin/privatebrowsing/favicon.svg" /> ===================================== browser/components/protections/content/protections.html ===================================== @@ -8,7 +8,7 @@ <meta charset="utf-8" /> <meta http-equiv="Content-Security-Policy" - content="default-src chrome: blob:; object-src 'none'" + content="default-src chrome:; object-src 'none'" /> <meta name="color-scheme" content="light dark" /> <link rel="localization" href="branding/brand.ftl" /> ===================================== mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt ===================================== @@ -1818,7 +1818,7 @@ class GeckoEngineSession( internal const val ABOUT_BLANK = "about:blank" internal const val JS_SCHEME = "javascript" internal val BLOCKED_SCHEMES = - listOf("file", "resource", JS_SCHEME) // See 1684761 and 1684947 + listOf("file", "resource", "fido", JS_SCHEME) // See 1684761 and 1684947 /** * Provides an ErrorType corresponding to the error code provided. ===================================== mobile/android/android-components/components/browser/engine-gecko/src/test/java/mozilla/components/browser/engine/gecko/GeckoEngineSessionTest.kt ===================================== @@ -631,6 +631,11 @@ class GeckoEngineSessionTest { engineSession.loadUrl("RESOURCE://package/test.text") verify(geckoSession, never()).load(GeckoSession.Loader().uri("resource://package/test.text")) verify(geckoSession, never()).load(GeckoSession.Loader().uri("RESOURCE://package/test.text")) + + engineSession.loadUrl("fido:/12345678") + engineSession.loadUrl("FIDO:/12345678") + verify(geckoSession, never()).load(GeckoSession.Loader().uri("fido:/12345678")) + verify(geckoSession, never()).load(GeckoSession.Loader().uri("FIDO:/12345678")) } @Test ===================================== mobile/android/android-components/components/feature/app-links/src/main/java/mozilla/components/feature/app/links/AppLinksUseCases.kt ===================================== @@ -313,6 +313,7 @@ class AppLinksUseCases( "https", "moz-extension", "moz-safe-about", "resource", "view-source", "ws", "wss", "blob", ) - internal val ALWAYS_DENY_SCHEMES: Set<String> = setOf("jar", "file", "javascript", "data", "about", "content") + internal val ALWAYS_DENY_SCHEMES: Set<String> = + setOf("jar", "file", "javascript", "data", "about", "content", "fido") } } ===================================== mobile/android/android-components/components/feature/app-links/src/test/java/mozilla/components/feature/app/links/AppLinksUseCasesTest.kt ===================================== @@ -47,6 +47,7 @@ class AppLinksUseCasesTest { private val javascriptUrl = "javascript:'hello, world'" private val jarUrl = "jar:file://some/path/test.html" private val contentUrl = "content://media/external_primary/downloads/12345" + private val fidoPath = "fido:12345678" private val fileType = "audio/mpeg" private val layerUrl = "https://example.com" private val layerPackage = "com.example.app" @@ -215,6 +216,15 @@ class AppLinksUseCasesTest { assertFalse(redirect.isRedirect()) } + @Test + fun `A fido url is not an app link`() { + val context = createContext(Triple(fidoPath, appPackage, "")) + val subject = AppLinksUseCases(context, { true }) + + val redirect = subject.interceptedAppLinkRedirect(fidoPath) + assertFalse(redirect.isRedirect()) + } + @Test fun `Will not redirect app link if browser option set to false and scheme is supported`() { val context = createContext(Triple(appUrl, appPackage, "")) ===================================== mobile/android/android-components/components/feature/prompts/src/main/java/mozilla/components/feature/prompts/PromptFeature.kt ===================================== @@ -9,6 +9,7 @@ import android.content.Intent import androidx.annotation.VisibleForTesting import androidx.annotation.VisibleForTesting.Companion.PRIVATE import androidx.core.view.isVisible +import androidx.fragment.app.DialogFragment import androidx.fragment.app.Fragment import androidx.fragment.app.FragmentManager import kotlinx.coroutines.CoroutineScope @@ -1094,7 +1095,15 @@ class PromptFeature private constructor( emitPromptDismissedFact(promptName = promptRequest::class.simpleName.ifNullOrEmpty { "" }) } + @VisibleForTesting + internal fun redirectDialogFragmentIsActive() = + (fragmentManager.findFragmentByTag("SHOULD_OPEN_APP_LINK_PROMPT_DIALOG") as? DialogFragment) != null + private fun canShowThisPrompt(promptRequest: PromptRequest): Boolean { + if (redirectDialogFragmentIsActive()) { + return false + } + return when (promptRequest) { is SingleChoice, is MultipleChoice, ===================================== mobile/android/fenix/app/src/main/java/org/mozilla/fenix/HomeActivity.kt ===================================== @@ -798,7 +798,7 @@ open class HomeActivity : LocaleAwareAppCompatActivity(), NavHostActivity { return false } - final override fun dispatchTouchEvent(ev: MotionEvent?): Boolean { + override fun dispatchTouchEvent(ev: MotionEvent?): Boolean { ProfilerMarkers.addForDispatchTouchEvent(components.core.engine.profiler, ev) return super.dispatchTouchEvent(ev) } ===================================== mobile/android/fenix/app/src/main/java/org/mozilla/fenix/customtabs/ExternalAppBrowserActivity.kt ===================================== @@ -7,6 +7,7 @@ package org.mozilla.fenix.customtabs import android.app.assist.AssistContent import android.net.Uri import android.os.Build +import android.view.MotionEvent import androidx.annotation.RequiresApi import androidx.annotation.VisibleForTesting import mozilla.components.browser.state.selector.findCustomTab @@ -24,6 +25,8 @@ const val EXTRA_IS_SANDBOX_CUSTOM_TAB = "org.mozilla.fenix.customtabs.EXTRA_IS_S */ @Suppress("TooManyFunctions") open class ExternalAppBrowserActivity : HomeActivity() { + var isFinishedAnimating = false + override fun onResume() { super.onResume() @@ -74,4 +77,17 @@ open class ExternalAppBrowserActivity : HomeActivity() { val currentTabUrl = getExternalTab()?.content?.url outContent?.webUri = currentTabUrl?.let { Uri.parse(it) } } + + override fun dispatchTouchEvent(ev: MotionEvent?): Boolean { + if (!isFinishedAnimating) { + return true + } + + return super.dispatchTouchEvent(ev) + } + + override fun onEnterAnimationComplete() { + super.onEnterAnimationComplete() + isFinishedAnimating = true + } } ===================================== mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/IntentUtils.java ===================================== @@ -76,6 +76,10 @@ public class IntentUtils { return getSafeIntent(aUri) != null; } + if ("fido".equals(scheme)) { + return false; + } + return true; } ===================================== mobile/android/geckoview/src/test/java/org/mozilla/gecko/util/IntentUtilsTest.java ===================================== @@ -63,4 +63,10 @@ public class IntentUtilsTest { final String uri = "intent:non_scheme_intent#Intent;end"; assertTrue(IntentUtils.isUriSafeForScheme(uri)); } + + @Test + public void unsafeFidoUri() { + final String uri = "fido:/12345678"; + assertFalse(IntentUtils.isUriSafeForScheme(uri)); + } } View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/compare/cd… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/compare/cd… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser] Pushed new tag base-browser-128.8.0esr-14.0-1-build2
by ma1 (＠ma1) 03 Mar '25

03 Mar '25

ma1 pushed new tag base-browser-128.8.0esr-14.0-1-build2 at The Tor Project / Applications / Tor Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/base-brow… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][base-browser-128.8.0esr-14.0-1] 5 commits: Bug 1908488 - Improve dialogs. r=android-reviewers,gmalekpour, a=dmeehan [bp]
by ma1 (＠ma1) 03 Mar '25

03 Mar '25

ma1 pushed to branch base-browser-128.8.0esr-14.0-1 at The Tor Project / Applications / Tor Browser Commits: 8ada94b2 by Tara at 2025-03-03T10:09:21+01:00 Bug 1908488 - Improve dialogs. r=android-reviewers,gmalekpour, a=dmeehan [bp] Differential Revision: https://phabricator.services.mozilla.com/D236606 - - - - - ed4eb7c6 by John Schanck at 2025-03-03T10:09:22+01:00 Bug 1922357 - disallow the fido: URI scheme. a=dmeehan Original Revision: https://phabricator.services.mozilla.com/D237313 Differential Revision: https://phabricator.services.mozilla.com/D238681 - - - - - f53d7d49 by Jeff Boek at 2025-03-03T10:09:23+01:00 Bug 1928334 - Handles animating activities a=dmeehan Original Revision: https://phabricator.services.mozilla.com/D238342 Differential Revision: https://phabricator.services.mozilla.com/D238845 - - - - - bc8d56ec by Tom Schuster at 2025-03-03T10:09:24+01:00 Bug 1942022 - Improve the about:protections CSP. r=firefox-desktop-core-reviewers ,mossop Differential Revision: https://phabricator.services.mozilla.com/D234507 - - - - - 276610d2 by Tom Schuster at 2025-03-03T10:09:25+01:00 Bug 1942025 - Improve the about:privatebrowsing CSP. r=firefox-desktop-core-reviewers ,Gijs Differential Revision: https://phabricator.services.mozilla.com/D234508 - - - - - 11 changed files: - browser/components/privatebrowsing/content/aboutPrivateBrowsing.html - browser/components/protections/content/protections.html - mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt - mobile/android/android-components/components/browser/engine-gecko/src/test/java/mozilla/components/browser/engine/gecko/GeckoEngineSessionTest.kt - mobile/android/android-components/components/feature/app-links/src/main/java/mozilla/components/feature/app/links/AppLinksUseCases.kt - mobile/android/android-components/components/feature/app-links/src/test/java/mozilla/components/feature/app/links/AppLinksUseCasesTest.kt - mobile/android/android-components/components/feature/prompts/src/main/java/mozilla/components/feature/prompts/PromptFeature.kt - mobile/android/fenix/app/src/main/java/org/mozilla/fenix/HomeActivity.kt - mobile/android/fenix/app/src/main/java/org/mozilla/fenix/customtabs/ExternalAppBrowserActivity.kt - mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/IntentUtils.java - mobile/android/geckoview/src/test/java/org/mozilla/gecko/util/IntentUtilsTest.java Changes: ===================================== browser/components/privatebrowsing/content/aboutPrivateBrowsing.html ===================================== @@ -10,7 +10,7 @@ <meta charset="utf-8" /> <meta http-equiv="Content-Security-Policy" - content="default-src chrome: blob:; object-src 'none'" + content="default-src chrome:; img-src chrome: blob:; object-src 'none';" /> <meta name="color-scheme" content="light dark" /> <link rel="icon" href="chrome://browser/skin/privatebrowsing/favicon.svg" /> ===================================== browser/components/protections/content/protections.html ===================================== @@ -8,7 +8,7 @@ <meta charset="utf-8" /> <meta http-equiv="Content-Security-Policy" - content="default-src chrome: blob:; object-src 'none'" + content="default-src chrome:; object-src 'none'" /> <meta name="color-scheme" content="light dark" /> <link rel="localization" href="branding/brand.ftl" /> ===================================== mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt ===================================== @@ -1818,7 +1818,7 @@ class GeckoEngineSession( internal const val ABOUT_BLANK = "about:blank" internal const val JS_SCHEME = "javascript" internal val BLOCKED_SCHEMES = - listOf("file", "resource", JS_SCHEME) // See 1684761 and 1684947 + listOf("file", "resource", "fido", JS_SCHEME) // See 1684761 and 1684947 /** * Provides an ErrorType corresponding to the error code provided. ===================================== mobile/android/android-components/components/browser/engine-gecko/src/test/java/mozilla/components/browser/engine/gecko/GeckoEngineSessionTest.kt ===================================== @@ -631,6 +631,11 @@ class GeckoEngineSessionTest { engineSession.loadUrl("RESOURCE://package/test.text") verify(geckoSession, never()).load(GeckoSession.Loader().uri("resource://package/test.text")) verify(geckoSession, never()).load(GeckoSession.Loader().uri("RESOURCE://package/test.text")) + + engineSession.loadUrl("fido:/12345678") + engineSession.loadUrl("FIDO:/12345678") + verify(geckoSession, never()).load(GeckoSession.Loader().uri("fido:/12345678")) + verify(geckoSession, never()).load(GeckoSession.Loader().uri("FIDO:/12345678")) } @Test ===================================== mobile/android/android-components/components/feature/app-links/src/main/java/mozilla/components/feature/app/links/AppLinksUseCases.kt ===================================== @@ -313,6 +313,7 @@ class AppLinksUseCases( "https", "moz-extension", "moz-safe-about", "resource", "view-source", "ws", "wss", "blob", ) - internal val ALWAYS_DENY_SCHEMES: Set<String> = setOf("jar", "file", "javascript", "data", "about", "content") + internal val ALWAYS_DENY_SCHEMES: Set<String> = + setOf("jar", "file", "javascript", "data", "about", "content", "fido") } } ===================================== mobile/android/android-components/components/feature/app-links/src/test/java/mozilla/components/feature/app/links/AppLinksUseCasesTest.kt ===================================== @@ -47,6 +47,7 @@ class AppLinksUseCasesTest { private val javascriptUrl = "javascript:'hello, world'" private val jarUrl = "jar:file://some/path/test.html" private val contentUrl = "content://media/external_primary/downloads/12345" + private val fidoPath = "fido:12345678" private val fileType = "audio/mpeg" private val layerUrl = "https://example.com" private val layerPackage = "com.example.app" @@ -215,6 +216,15 @@ class AppLinksUseCasesTest { assertFalse(redirect.isRedirect()) } + @Test + fun `A fido url is not an app link`() { + val context = createContext(Triple(fidoPath, appPackage, "")) + val subject = AppLinksUseCases(context, { true }) + + val redirect = subject.interceptedAppLinkRedirect(fidoPath) + assertFalse(redirect.isRedirect()) + } + @Test fun `Will not redirect app link if browser option set to false and scheme is supported`() { val context = createContext(Triple(appUrl, appPackage, "")) ===================================== mobile/android/android-components/components/feature/prompts/src/main/java/mozilla/components/feature/prompts/PromptFeature.kt ===================================== @@ -9,6 +9,7 @@ import android.content.Intent import androidx.annotation.VisibleForTesting import androidx.annotation.VisibleForTesting.Companion.PRIVATE import androidx.core.view.isVisible +import androidx.fragment.app.DialogFragment import androidx.fragment.app.Fragment import androidx.fragment.app.FragmentManager import kotlinx.coroutines.CoroutineScope @@ -1094,7 +1095,15 @@ class PromptFeature private constructor( emitPromptDismissedFact(promptName = promptRequest::class.simpleName.ifNullOrEmpty { "" }) } + @VisibleForTesting + internal fun redirectDialogFragmentIsActive() = + (fragmentManager.findFragmentByTag("SHOULD_OPEN_APP_LINK_PROMPT_DIALOG") as? DialogFragment) != null + private fun canShowThisPrompt(promptRequest: PromptRequest): Boolean { + if (redirectDialogFragmentIsActive()) { + return false + } + return when (promptRequest) { is SingleChoice, is MultipleChoice, ===================================== mobile/android/fenix/app/src/main/java/org/mozilla/fenix/HomeActivity.kt ===================================== @@ -798,7 +798,7 @@ open class HomeActivity : LocaleAwareAppCompatActivity(), NavHostActivity { return false } - final override fun dispatchTouchEvent(ev: MotionEvent?): Boolean { + override fun dispatchTouchEvent(ev: MotionEvent?): Boolean { ProfilerMarkers.addForDispatchTouchEvent(components.core.engine.profiler, ev) return super.dispatchTouchEvent(ev) } ===================================== mobile/android/fenix/app/src/main/java/org/mozilla/fenix/customtabs/ExternalAppBrowserActivity.kt ===================================== @@ -7,6 +7,7 @@ package org.mozilla.fenix.customtabs import android.app.assist.AssistContent import android.net.Uri import android.os.Build +import android.view.MotionEvent import androidx.annotation.RequiresApi import androidx.annotation.VisibleForTesting import mozilla.components.browser.state.selector.findCustomTab @@ -24,6 +25,8 @@ const val EXTRA_IS_SANDBOX_CUSTOM_TAB = "org.mozilla.fenix.customtabs.EXTRA_IS_S */ @Suppress("TooManyFunctions") open class ExternalAppBrowserActivity : HomeActivity() { + var isFinishedAnimating = false + override fun onResume() { super.onResume() @@ -74,4 +77,17 @@ open class ExternalAppBrowserActivity : HomeActivity() { val currentTabUrl = getExternalTab()?.content?.url outContent?.webUri = currentTabUrl?.let { Uri.parse(it) } } + + override fun dispatchTouchEvent(ev: MotionEvent?): Boolean { + if (!isFinishedAnimating) { + return true + } + + return super.dispatchTouchEvent(ev) + } + + override fun onEnterAnimationComplete() { + super.onEnterAnimationComplete() + isFinishedAnimating = true + } } ===================================== mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/IntentUtils.java ===================================== @@ -76,6 +76,10 @@ public class IntentUtils { return getSafeIntent(aUri) != null; } + if ("fido".equals(scheme)) { + return false; + } + return true; } ===================================== mobile/android/geckoview/src/test/java/org/mozilla/gecko/util/IntentUtilsTest.java ===================================== @@ -63,4 +63,10 @@ public class IntentUtilsTest { final String uri = "intent:non_scheme_intent#Intent;end"; assertTrue(IntentUtils.isUriSafeForScheme(uri)); } + + @Test + public void unsafeFidoUri() { + final String uri = "fido:/12345678"; + assertFalse(IntentUtils.isUriSafeForScheme(uri)); + } } View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/10ea66… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/10ea66… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser] Pushed new tag tor-browser-115.21.0esr-13.5-1-build2
by ma1 (＠ma1) 03 Mar '25

03 Mar '25

ma1 pushed new tag tor-browser-115.21.0esr-13.5-1-build2 at The Tor Project / Applications / Tor Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/tor-brows… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][tor-browser-115.21.0esr-13.5-1] 5 commits: Bug 1866661 - Tests, a=dmeehan
by ma1 (＠ma1) 03 Mar '25

03 Mar '25

ma1 pushed to branch tor-browser-115.21.0esr-13.5-1 at The Tor Project / Applications / Tor Browser Commits: dc7ca927 by Emma Zuehlcke at 2025-03-02T22:59:10+01:00 Bug 1866661 - Tests, a=dmeehan Differential Revision: https://phabricator.services.mozilla.com/D237737 - - - - - 5f732399 by Rob Wu at 2025-03-02T23:50:30+01:00 Bug 1939087 - Truncate long name and log warning a=dmeehan Original Revision: https://phabricator.services.mozilla.com/D233025 Differential Revision: https://phabricator.services.mozilla.com/D236900 - - - - - 4642da84 by Tom Schuster at 2025-03-02T23:55:34+01:00 Bug 1942022 - Improve the about:protections CSP. r=firefox-desktop-core-reviewers ,mossop Differential Revision: https://phabricator.services.mozilla.com/D234507 - - - - - 5d037355 by Tom Schuster at 2025-03-03T00:00:34+01:00 Bug 1942025 - Improve the about:privatebrowsing CSP. r=firefox-desktop-core-reviewers ,Gijs Differential Revision: https://phabricator.services.mozilla.com/D234508 - - - - - 6b0945a7 by Nazım Can Altınova at 2025-03-03T00:11:34+01:00 Bug 1943912 - Do not reset the chunk manager while shutdown a=dmeehan Original Revision: https://phabricator.services.mozilla.com/D235642 Differential Revision: https://phabricator.services.mozilla.com/D237219 - - - - - 10 changed files: - browser/components/privatebrowsing/content/aboutPrivateBrowsing.html - browser/components/protections/content/protections.html - browser/components/protocolhandler/test/browser/browser_registerProtocolHandler_notification.js - toolkit/components/extensions/Extension.sys.mjs - toolkit/components/extensions/schemas/manifest.json - toolkit/components/extensions/test/xpcshell/test_ext_manifest.js - toolkit/mozapps/extensions/internal/XPIInstall.jsm - toolkit/mozapps/extensions/test/xpcshell/test_locale.js - tools/profiler/gecko/ProfilerChild.cpp - tools/profiler/public/ProfilerChild.h Changes: ===================================== browser/components/privatebrowsing/content/aboutPrivateBrowsing.html ===================================== @@ -10,7 +10,7 @@ <meta charset="utf-8" /> <meta http-equiv="Content-Security-Policy" - content="default-src chrome: blob:; object-src 'none'" + content="default-src chrome:; img-src chrome: blob:; object-src 'none';" /> <meta name="color-scheme" content="light dark" /> <link rel="icon" href="chrome://browser/skin/privatebrowsing/favicon.svg" /> ===================================== browser/components/protections/content/protections.html ===================================== @@ -8,7 +8,7 @@ <meta charset="utf-8" /> <meta http-equiv="Content-Security-Policy" - content="default-src chrome: blob:; object-src 'none'" + content="default-src chrome:; object-src 'none'" /> <meta name="color-scheme" content="light dark" /> <link rel="localization" href="branding/brand.ftl" /> ===================================== browser/components/protocolhandler/test/browser/browser_registerProtocolHandler_notification.js ===================================== @@ -6,7 +6,16 @@ const TEST_PATH = getRootDirectory(gTestPath).replace( "chrome://mochitests/content", "https://example.com" ); + +const SECURITY_DELAY = 3000; + add_task(async function () { + // Set a custom, higher security delay for the test to avoid races on slow + // builds. + await SpecialPowers.pushPrefEnv({ + set: [["security.notification_enable_delay", SECURITY_DELAY]], + }); + let notificationValue = "Protocol Registration: web+testprotocol"; let testURI = TEST_PATH + "browser_registerProtocolHandler_notification.html"; @@ -58,4 +67,16 @@ add_task(async function () { let button = buttons[0]; isnot(button.label, null, "We expect the add button to have a label."); todo(button.accesskey, "We expect the add button to have a accesskey."); + + ok(button.disabled, "We expect the button to be disabled initially."); + + let timeoutMS = SECURITY_DELAY + 100; + info(`Wait ${timeoutMS}ms for the button to enable.`); + // eslint-disable-next-line mozilla/no-arbitrary-setTimeout + await new Promise(resolve => setTimeout(resolve, SECURITY_DELAY + 100)); + + ok( + !button.disabled, + "We expect the button to be enabled after the security delay." + ); }); ===================================== toolkit/components/extensions/Extension.sys.mjs ===================================== @@ -1367,6 +1367,17 @@ export class ExtensionData { ); } + // AMO enforces a maximum length of 45 on the name since at least 2017, via + // https://github.com/mozilla/addons-linter/blame/c4507688899aaafe29c522f1b1ae… + // added in https://github.com/mozilla/addons-linter/pull/1169 + // To avoid breaking add-ons that do not go through AMO (e.g. temporarily + // loaded extensions), we enforce the limit by truncating and warning if + // needed, instead enforcing a maxLength on "name" in schemas/manifest.json. + // + // We set the limit to 75, which is a safe limit that matches the CWS, + // see https://bugzilla.mozilla.org/show_bug.cgi?id=1939087#c5 + static EXT_NAME_MAX_LEN = 75; + async initializeAddonTypeAndID() { if (this.type) { // Already initialized. @@ -1486,6 +1497,14 @@ export class ExtensionData { } } + if (manifest.name.length > ExtensionData.EXT_NAME_MAX_LEN) { + // Truncate and warn - see comment in EXT_NAME_MAX_LEN. + manifest.name = manifest.name.slice(0, ExtensionData.EXT_NAME_MAX_LEN); + this.manifestWarning( + `Warning processing "name": must be shorter than ${ExtensionData.EXT_NAME_MAX_LEN}` + ); + } + if ( this.manifestVersion < 3 && manifest.background && ===================================== toolkit/components/extensions/schemas/manifest.json ===================================== @@ -29,6 +29,7 @@ "name": { "type": "string", + "description": "Name must be at least 2, at should be at most 75 characters", "optional": false, "preprocess": "localize" }, ===================================== toolkit/components/extensions/test/xpcshell/test_ext_manifest.js ===================================== @@ -156,6 +156,28 @@ add_task( } ); +add_task(async function test_name_too_long() { + let extension = ExtensionTestUtils.loadExtension({ + manifest: { + // This length is 80, which exceeds ExtensionData.EXT_NAME_MAX_LEN: + name: "123456789_".repeat(8), + }, + }); + await extension.startup(); + equal( + extension.extension.name, + "123456789_123456789_123456789_123456789_123456789_123456789_123456789_12345", + "Name should be truncated" + ); + Assert.deepEqual( + extension.extension.warnings, + ['Reading manifest: Warning processing "name": must be shorter than 75'], + "Expected error message when the name is too long" + ); + + await extension.unload(); +}); + add_task(async function test_simpler_version_format() { const TEST_CASES = [ // Valid cases ===================================== toolkit/mozapps/extensions/internal/XPIInstall.jsm ===================================== @@ -560,6 +560,11 @@ async function loadManifestFromWebManifest(aPackage, aLocation) { contributors: null, locales: [aLocale], }; + if (result.name.length > lazy.ExtensionData.EXT_NAME_MAX_LEN) { + // See comment at EXT_NAME_MAX_LEN in Extension.sys.mjs. + logger.warn(`Truncating add-on name ${addon.id} for locale ${aLocale}`); + result.name = result.name.slice(0, lazy.ExtensionData.EXT_NAME_MAX_LEN); + } return result; } ===================================== toolkit/mozapps/extensions/test/xpcshell/test_locale.js ===================================== @@ -51,6 +51,13 @@ add_task(async function test_1() { description: "name", }, }, + "_locales/es-ES/messages.json": { + name: { + // This length is 80, which exceeds ExtensionData.EXT_NAME_MAX_LEN: + message: "123456789_".repeat(8), + description: "name with 80 chars, should truncate to 75", + }, + }, }, }); @@ -101,3 +108,18 @@ add_task(async function test_6() { await addon.enable(); }); + +add_task(async function test_name_too_long() { + await restartWithLocales(["es-ES"]); + + let addon = await AddonManager.getAddonByID("addon1(a)tests.mozilla.org"); + Assert.notEqual(addon, null); + + Assert.equal( + addon.name, + "123456789_123456789_123456789_123456789_123456789_123456789_123456789_12345", + "Name should be truncated" + ); + + await addon.enable(); +}); ===================================== tools/profiler/gecko/ProfilerChild.cpp ===================================== @@ -139,6 +139,12 @@ void ProfilerChild::SetupChunkManager() { }); } +/* static */ void ProfilerChild::ClearPendingUpdate() { + auto lockedUpdate = sPendingChunkManagerUpdate.Lock(); + lockedUpdate->mProfilerChild = nullptr; + lockedUpdate->mUpdate.Clear(); +} + void ProfilerChild::ResetChunkManager() { if (!mChunkManager) { return; @@ -149,9 +155,7 @@ void ProfilerChild::ResetChunkManager() { mChunkManager->SetUpdateCallback({}); // Clear the pending update. - auto lockedUpdate = sPendingChunkManagerUpdate.Lock(); - lockedUpdate->mProfilerChild = nullptr; - lockedUpdate->mUpdate.Clear(); + ClearPendingUpdate(); // And process a final update right now. ProcessChunkManagerUpdate( ProfileBufferControlledChunkManager::Update(nullptr)); @@ -483,7 +487,7 @@ void ProfilerChild::ActorDestroy(ActorDestroyReason aActorDestroyReason) { } void ProfilerChild::Destroy() { - ResetChunkManager(); + ClearPendingUpdate(); if (!mDestroyed) { Close(); } ===================================== tools/profiler/public/ProfilerChild.h ===================================== @@ -81,6 +81,8 @@ class ProfilerChild final : public PProfilerChild, void ProcessChunkManagerUpdate( ProfileBufferControlledChunkManager::Update&& aUpdate); + static void ClearPendingUpdate(); + static void GatherProfileThreadFunction(void* already_AddRefedParameters); nsCOMPtr<nsIThread> mThread; View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/48d984… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/48d984… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser] Deleted branch sec/tor-browser-115.21.0esr-13.5-1
by ma1 (＠ma1) 03 Mar '25

03 Mar '25

ma1 deleted branch sec/tor-browser-115.21.0esr-13.5-1 at The Tor Project / Applications / Tor Browser -- You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser] Pushed new branch sec/tor-browser-115.21.0esr-13.5-1
by ma1 (＠ma1) 03 Mar '25

03 Mar '25

ma1 pushed new branch sec/tor-browser-115.21.0esr-13.5-1 at The Tor Project / Applications / Tor Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/sec/tor-b… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser] Pushed new tag tor-browser-128.8.0esr-14.0-1-build2
by ma1 (＠ma1) 03 Mar '25

03 Mar '25

ma1 pushed new tag tor-browser-128.8.0esr-14.0-1-build2 at The Tor Project / Applications / Tor Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/tor-brows… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][tor-browser-128.8.0esr-14.0-1] 5 commits: Bug 1908488 - Improve dialogs. r=android-reviewers,gmalekpour, a=dmeehan [bp]
by ma1 (＠ma1) 03 Mar '25

03 Mar '25

ma1 pushed to branch tor-browser-128.8.0esr-14.0-1 at The Tor Project / Applications / Tor Browser Commits: eb2f9e50 by Tara at 2025-03-02T23:38:07+01:00 Bug 1908488 - Improve dialogs. r=android-reviewers,gmalekpour, a=dmeehan [bp] Differential Revision: https://phabricator.services.mozilla.com/D236606 - - - - - 913be926 by John Schanck at 2025-03-02T23:42:15+01:00 Bug 1922357 - disallow the fido: URI scheme. a=dmeehan Original Revision: https://phabricator.services.mozilla.com/D237313 Differential Revision: https://phabricator.services.mozilla.com/D238681 - - - - - 6eb75b58 by Jeff Boek at 2025-03-02T23:44:03+01:00 Bug 1928334 - Handles animating activities a=dmeehan Original Revision: https://phabricator.services.mozilla.com/D238342 Differential Revision: https://phabricator.services.mozilla.com/D238845 - - - - - d7bd10bb by Tom Schuster at 2025-03-02T23:54:33+01:00 Bug 1942022 - Improve the about:protections CSP. r=firefox-desktop-core-reviewers ,mossop Differential Revision: https://phabricator.services.mozilla.com/D234507 - - - - - fada429d by Tom Schuster at 2025-03-02T23:59:43+01:00 Bug 1942025 - Improve the about:privatebrowsing CSP. r=firefox-desktop-core-reviewers ,Gijs Differential Revision: https://phabricator.services.mozilla.com/D234508 - - - - - 11 changed files: - browser/components/privatebrowsing/content/aboutPrivateBrowsing.html - browser/components/protections/content/protections.html - mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt - mobile/android/android-components/components/browser/engine-gecko/src/test/java/mozilla/components/browser/engine/gecko/GeckoEngineSessionTest.kt - mobile/android/android-components/components/feature/app-links/src/main/java/mozilla/components/feature/app/links/AppLinksUseCases.kt - mobile/android/android-components/components/feature/app-links/src/test/java/mozilla/components/feature/app/links/AppLinksUseCasesTest.kt - mobile/android/android-components/components/feature/prompts/src/main/java/mozilla/components/feature/prompts/PromptFeature.kt - mobile/android/fenix/app/src/main/java/org/mozilla/fenix/HomeActivity.kt - mobile/android/fenix/app/src/main/java/org/mozilla/fenix/customtabs/ExternalAppBrowserActivity.kt - mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/IntentUtils.java - mobile/android/geckoview/src/test/java/org/mozilla/gecko/util/IntentUtilsTest.java Changes: ===================================== browser/components/privatebrowsing/content/aboutPrivateBrowsing.html ===================================== @@ -10,7 +10,7 @@ <meta charset="utf-8" /> <meta http-equiv="Content-Security-Policy" - content="default-src chrome: blob:; object-src 'none'" + content="default-src chrome:; img-src chrome: blob:; object-src 'none';" /> <meta name="color-scheme" content="light dark" /> <link rel="icon" href="chrome://browser/skin/privatebrowsing/favicon.svg" /> ===================================== browser/components/protections/content/protections.html ===================================== @@ -8,7 +8,7 @@ <meta charset="utf-8" /> <meta http-equiv="Content-Security-Policy" - content="default-src chrome: blob:; object-src 'none'" + content="default-src chrome:; object-src 'none'" /> <meta name="color-scheme" content="light dark" /> <link rel="localization" href="branding/brand.ftl" /> ===================================== mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt ===================================== @@ -1822,7 +1822,7 @@ class GeckoEngineSession( internal const val ABOUT_BLANK = "about:blank" internal const val JS_SCHEME = "javascript" internal val BLOCKED_SCHEMES = - listOf("file", "resource", JS_SCHEME) // See 1684761 and 1684947 + listOf("file", "resource", "fido", JS_SCHEME) // See 1684761 and 1684947 /** * Provides an ErrorType corresponding to the error code provided. ===================================== mobile/android/android-components/components/browser/engine-gecko/src/test/java/mozilla/components/browser/engine/gecko/GeckoEngineSessionTest.kt ===================================== @@ -631,6 +631,11 @@ class GeckoEngineSessionTest { engineSession.loadUrl("RESOURCE://package/test.text") verify(geckoSession, never()).load(GeckoSession.Loader().uri("resource://package/test.text")) verify(geckoSession, never()).load(GeckoSession.Loader().uri("RESOURCE://package/test.text")) + + engineSession.loadUrl("fido:/12345678") + engineSession.loadUrl("FIDO:/12345678") + verify(geckoSession, never()).load(GeckoSession.Loader().uri("fido:/12345678")) + verify(geckoSession, never()).load(GeckoSession.Loader().uri("FIDO:/12345678")) } @Test ===================================== mobile/android/android-components/components/feature/app-links/src/main/java/mozilla/components/feature/app/links/AppLinksUseCases.kt ===================================== @@ -314,6 +314,7 @@ class AppLinksUseCases( "https", "moz-extension", "moz-safe-about", "resource", "view-source", "ws", "wss", "blob", ) - internal val ALWAYS_DENY_SCHEMES: Set<String> = setOf("jar", "file", "javascript", "data", "about", "content") + internal val ALWAYS_DENY_SCHEMES: Set<String> = + setOf("jar", "file", "javascript", "data", "about", "content", "fido") } } ===================================== mobile/android/android-components/components/feature/app-links/src/test/java/mozilla/components/feature/app/links/AppLinksUseCasesTest.kt ===================================== @@ -47,6 +47,7 @@ class AppLinksUseCasesTest { private val javascriptUrl = "javascript:'hello, world'" private val jarUrl = "jar:file://some/path/test.html" private val contentUrl = "content://media/external_primary/downloads/12345" + private val fidoPath = "fido:12345678" private val fileType = "audio/mpeg" private val layerUrl = "https://example.com" private val layerPackage = "com.example.app" @@ -215,6 +216,15 @@ class AppLinksUseCasesTest { assertFalse(redirect.isRedirect()) } + @Test + fun `A fido url is not an app link`() { + val context = createContext(Triple(fidoPath, appPackage, "")) + val subject = AppLinksUseCases(context, { true }) + + val redirect = subject.interceptedAppLinkRedirect(fidoPath) + assertFalse(redirect.isRedirect()) + } + @Test fun `Will not redirect app link if browser option set to false and scheme is supported`() { val context = createContext(Triple(appUrl, appPackage, "")) ===================================== mobile/android/android-components/components/feature/prompts/src/main/java/mozilla/components/feature/prompts/PromptFeature.kt ===================================== @@ -9,6 +9,7 @@ import android.content.Intent import androidx.annotation.VisibleForTesting import androidx.annotation.VisibleForTesting.Companion.PRIVATE import androidx.core.view.isVisible +import androidx.fragment.app.DialogFragment import androidx.fragment.app.Fragment import androidx.fragment.app.FragmentManager import kotlinx.coroutines.CoroutineScope @@ -1094,7 +1095,15 @@ class PromptFeature private constructor( emitPromptDismissedFact(promptName = promptRequest::class.simpleName.ifNullOrEmpty { "" }) } + @VisibleForTesting + internal fun redirectDialogFragmentIsActive() = + (fragmentManager.findFragmentByTag("SHOULD_OPEN_APP_LINK_PROMPT_DIALOG") as? DialogFragment) != null + private fun canShowThisPrompt(promptRequest: PromptRequest): Boolean { + if (redirectDialogFragmentIsActive()) { + return false + } + return when (promptRequest) { is SingleChoice, is MultipleChoice, ===================================== mobile/android/fenix/app/src/main/java/org/mozilla/fenix/HomeActivity.kt ===================================== @@ -903,7 +903,7 @@ open class HomeActivity : LocaleAwareAppCompatActivity(), NavHostActivity, TorIn return false } - final override fun dispatchTouchEvent(ev: MotionEvent?): Boolean { + override fun dispatchTouchEvent(ev: MotionEvent?): Boolean { ProfilerMarkers.addForDispatchTouchEvent(components.core.engine.profiler, ev) return super.dispatchTouchEvent(ev) } ===================================== mobile/android/fenix/app/src/main/java/org/mozilla/fenix/customtabs/ExternalAppBrowserActivity.kt ===================================== @@ -7,6 +7,7 @@ package org.mozilla.fenix.customtabs import android.app.assist.AssistContent import android.net.Uri import android.os.Build +import android.view.MotionEvent import androidx.annotation.RequiresApi import androidx.annotation.VisibleForTesting import mozilla.components.browser.state.selector.findCustomTab @@ -24,6 +25,8 @@ const val EXTRA_IS_SANDBOX_CUSTOM_TAB = "org.mozilla.fenix.customtabs.EXTRA_IS_S */ @Suppress("TooManyFunctions") open class ExternalAppBrowserActivity : HomeActivity() { + var isFinishedAnimating = false + override fun onResume() { super.onResume() @@ -74,4 +77,17 @@ open class ExternalAppBrowserActivity : HomeActivity() { val currentTabUrl = getExternalTab()?.content?.url outContent?.webUri = currentTabUrl?.let { Uri.parse(it) } } + + override fun dispatchTouchEvent(ev: MotionEvent?): Boolean { + if (!isFinishedAnimating) { + return true + } + + return super.dispatchTouchEvent(ev) + } + + override fun onEnterAnimationComplete() { + super.onEnterAnimationComplete() + isFinishedAnimating = true + } } ===================================== mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/IntentUtils.java ===================================== @@ -76,6 +76,10 @@ public class IntentUtils { return getSafeIntent(aUri) != null; } + if ("fido".equals(scheme)) { + return false; + } + return true; } ===================================== mobile/android/geckoview/src/test/java/org/mozilla/gecko/util/IntentUtilsTest.java ===================================== @@ -63,4 +63,10 @@ public class IntentUtilsTest { final String uri = "intent:non_scheme_intent#Intent;end"; assertTrue(IntentUtils.isUriSafeForScheme(uri)); } + + @Test + public void unsafeFidoUri() { + final String uri = "fido:/12345678"; + assertFalse(IntentUtils.isUriSafeForScheme(uri)); + } } View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/62d35a… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/62d35a… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser] Pushed new tag tor-browser-115.21.0esr-13.5-1-build1
by ma1 (＠ma1) 27 Feb '25

27 Feb '25

ma1 pushed new tag tor-browser-115.21.0esr-13.5-1-build1 at The Tor Project / Applications / Tor Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/tor-brows… You're receiving this email because of your account on gitlab.torproject.org.

1 0