richard pushed to branch main at The Tor Project / Applications / tor-browser-spec

Commits:

1 changed file:

Changes:

  • audits/FF105_AUDIT
    1
    +# General
    
    2
    +
    
    3
    +The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).
    
    4
    +
    
    5
    +The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
    
    6
    +
    
    7
    +`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.
    
    8
    +
    
    9
    +## Firefox: https://github.com/mozilla/gecko-dev.git
    
    10
    +
    
    11
    +- Start: `a8c31da1c243a855de8c3b241a437dd1b65684d5` ( `FIREFOX_104_0_2_RELEASE` )
    
    12
    +- End:   `2dd649f09f70ec5b9304d62daeb427a86bbc5a36`  ( `FIREFOX_105_0_3_RELEASE` )
    
    13
    +
    
    14
    +### Languages:
    
    15
    +- [x] java
    
    16
    +- [x] cpp
    
    17
    +- [x] js
    
    18
    +- [x] rust
    
    19
    +
    
    20
    +Nothing of interest (using `code_audit.sh`)
    
    21
    +
    
    22
    +---
    
    23
    +
    
    24
    +## Application Services: https://github.com/mozilla/application-services.git
    
    25
    +
    
    26
    +- Start: `78b165b798118e9b5fa62af07aa44d663f386492`  ( `v94.1.0` )
    
    27
    +- End:   `be8254df118b2fc2aae726e1d13ca4c982bec920`  ( `v94.3.1` )
    
    28
    +
    
    29
    +### Languages:
    
    30
    +- [x] java
    
    31
    +- [x] cpp
    
    32
    +- [x] js
    
    33
    +- [x] rust
    
    34
    +
    
    35
    +Nothing of interest (using `code_audit.sh`)
    
    36
    +
    
    37
    +## Android Components: https://github.com/mozilla-mobile/android-components.git
    
    38
    +
    
    39
    +- Start: `b3e0289b3f07929c0403ac6e672c88b5db079748`
    
    40
    +- End:   `658c2d239f9aef5927f654aa36a0b0739b116d92`  ( `v105.0.8` )
    
    41
    +
    
    42
    +### Languages:
    
    43
    +- [x] java
    
    44
    +- [x] cpp
    
    45
    +- [x] js
    
    46
    +- [x] rust
    
    47
    +
    
    48
    +Nothing of interest (using `code_audit.sh`)
    
    49
    +
    
    50
    +## Fenix: https://github.com/mozilla-mobile/fenix.git
    
    51
    +
    
    52
    +- Start: `a5d13e2ef26d4eb98a32c94b6c6530771e90cd56` ( `v105.0b1` )
    
    53
    +- End:   `01fbfd63743f30ebca31bbfb775bddef94a01a3e`  ( `v105.2.0` )
    
    54
    +
    
    55
    +### Languages:
    
    56
    +- [x] java
    
    57
    +- [x] cpp
    
    58
    +- [x] js
    
    59
    +- [x] rust
    
    60
    +
    
    61
    +Nothing of interest (using `code_audit.sh`)
    
    62
    +
    
    63
    +## Ticket Review ##
    
    64
    +
    
    65
    +Bugzilla Query: `https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=105%20Branch&order=priority%2Cbug_severity&limit=0`
    
    66
    +
    
    67
    +#### Problematic Issues
    
    68
    +
    
    69
    +- **Use the WER runtime exception module to catch early crashes** https://bugzilla.mozilla.org/show_bug.cgi?id=1682520
    
    70
    +  - *RESOLUTION*: no new functionality here, just making it work better by moving the registration earlier in the Firefox boot process
    
    71
    +- **Add a pref to disable Spectre mitigations for Fission web content processes** https://bugzilla.mozilla.org/show_bug.cgi?id=1774178
    
    72
    +- **Add Surrogate COM Server to handle native Windows notifications when Firefox is closed.** https://bugzilla.mozilla.org/show_bug.cgi?id=1774083
    
    73
    +  - *RESOLUTOIN* COM sever registration happens in the official firefox installer which we do not use, so nothing to do here
    
    74
    +- **Add a cookie banner service to automatically handle website cookie banners** https://bugzilla.mozilla.org/show_bug.cgi?id=1783019
    
    75
    +  - *RESOLUTION* disabled this feature until fully audit, may bring back in the 13.5 time-frame
    
    76
    +- **Add a locale parameter to the text recognition API** https://bugzilla.mozilla.org/show_bug.cgi?id=1782579
    
    77
    +  - *RESOLUTION* we'v diabled this system entirely in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42057
    
    78
    +- **Broken since Firefox 102.0: no instant fallback to direct connection when proxy became unreachable while runtime** https://bugzilla.mozilla.org/show_bug.cgi?id=1779005
    
    79
    +  - *RESOLUTION*: Tor Browser uses explicitly configured proxy settings so this auto-detect system is no used/does not apply to us
    
    80
    +- **On systems with IPv6 preferred DNS resolution clients will fail to connect when "localhost" is used as host for the WebSocket server** https://bugzilla.mozilla.org/show_bug.cgi?id=1769994
    
    81
    +- **Hide the text recognition context menu if the macOS version doesn't support APIs** https://bugzilla.mozilla.org/show_bug.cgi?id=1782981
    
    82
    +  - *RESOLUTION* we'v diabled this system entirely in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42057
    
    83
    +- **Implement a context menu modal for text recognition** https://bugzilla.mozilla.org/show_bug.cgi?id=1782578
    
    84
    +  - *RESOLUTION* we've disabled this system entirely in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42057
    
    85
    +## Export
    
    86
    +- [ ] Export Report and save to `tor-browser-spec/audits`
    \ No newline at end of file