Pier Angelo Vendrame pushed to branch base-browser-115.4.0esr-13.5-1 at The Tor Project / Applications / Tor Browser

Commits: 2d2fd4cb by Pier Angelo Vendrame at 2023-11-16T13:36:51+01:00 Bug 1849186 - Add a preference not to expose the content title in the window title. r=Gijs,tabbrowser-reviewers,dao

Differential Revision: https://phabricator.services.mozilla.com/D190496

- - - - - c6af08e3 by Pier Angelo Vendrame at 2023-11-16T13:36:52+01:00 fixup! Firefox preference overrides.

Bug 41988: Do not expose page titles in winow title

- - - - -

4 changed files:

- browser/app/profile/001-base-profile.js - browser/app/profile/firefox.js - browser/base/content/tabbrowser.js - browser/components/privatebrowsing/test/browser/browser_privatebrowsing_windowtitle.js

Changes:

===================================== browser/app/profile/001-base-profile.js ===================================== @@ -86,6 +86,12 @@ pref("browser.sessionstore.resume_from_crash", false); // Disable capturing thumbnails (tor-browser#41595) // Also not needed in PBM at the moment. pref("browser.pagethumbnails.capturing_disabled", true); +// tor-browser#41988: Remove page titles from window titles to prevent possible +// disk leaks, e.g., in system logs. +// For example, it happened that GNOME shell logged the window name that caused +// JS errors/unexpected conditions for unrelated issues. +pref("privacy.exposeContentTitleInWindow", false); +pref("privacy.exposeContentTitleInWindow.pbm", false);

// Empty clipboard content from private windows on exit (tor-browser#42154) pref("browser.privatebrowsing.preserveClipboard", false);

===================================== browser/app/profile/firefox.js ===================================== @@ -968,7 +968,7 @@ pref("privacy.panicButton.enabled", true); // Time until temporary permissions expire, in ms pref("privacy.temporary_permission_expire_time_ms", 3600000);

-// Enables protection mechanism against password spoofing for cross domain auh requests +// Enables protection mechanism against password spoofing for cross domain auth requests // See bug 791594 pref("privacy.authPromptSpoofingProtection", true);

@@ -2104,6 +2104,12 @@ pref("privacy.webrtc.sharedTabWarning", false); // before navigating to the actual meeting room page. Doesn't survive tab close. pref("privacy.webrtc.deviceGracePeriodTimeoutMs", 3600000);

+// Enable including the content in the window title. +// PBM users might want to disable this to avoid a possible source of disk +// leaks. +pref("privacy.exposeContentTitleInWindow", true); +pref("privacy.exposeContentTitleInWindow.pbm", true); + // Start the browser in e10s mode pref("browser.tabs.remote.autostart", true); pref("browser.tabs.remote.desktopbehavior", true);

===================================== browser/base/content/tabbrowser.js ===================================== @@ -102,6 +102,18 @@ true ); }); + XPCOMUtils.defineLazyPreferenceGetter( + this, + "_shouldExposeContentTitle", + "privacy.exposeContentTitleInWindow", + true + ); + XPCOMUtils.defineLazyPreferenceGetter( + this, + "_shouldExposeContentTitlePbm", + "privacy.exposeContentTitleInWindow.pbm", + true + );

if (AppConstants.MOZ_CRASHREPORTER) { ChromeUtils.defineModuleGetter( @@ -1072,6 +1084,19 @@ getWindowTitleForBrowser(aBrowser) { let docElement = document.documentElement; let title = ""; + let dataSuffix = + docElement.getAttribute("privatebrowsingmode") == "temporary" + ? "Private" + : "Default"; + let defaultTitle = docElement.dataset["title" + dataSuffix]; + + if ( + !this._shouldExposeContentTitle || + (PrivateBrowsingUtils.isWindowPrivate(window) && + !this._shouldExposeContentTitlePbm) + ) { + return defaultTitle; + }

// If location bar is hidden and the URL type supports a host, // add the scheme and host to the title to prevent spoofing. @@ -1109,10 +1134,6 @@ title += tab.getAttribute("label").replace(/\0/g, ""); }

- let dataSuffix = - docElement.getAttribute("privatebrowsingmode") == "temporary" - ? "Private" - : "Default"; if (title) { // We're using a function rather than just using `title` as the // new substring to avoid `$$`, `$'` etc. having a special @@ -1125,7 +1146,7 @@ ); }

- return docElement.dataset["title" + dataSuffix]; + return defaultTitle; },

updateTitlebar() {

===================================== browser/components/privatebrowsing/test/browser/browser_privatebrowsing_windowtitle.js ===================================== @@ -107,4 +107,34 @@ add_task(async function test() { true, pb_about_pb_title ); + + await SpecialPowers.pushPrefEnv({ + set: [["privacy.exposeContentTitleInWindow.pbm", false]], + }); + await testTabTitle(await openWin(false), testPageURL, false, page_with_title); + await testTabTitle( + await openWin(true), + testPageURL, + true, + pb_page_without_title + ); + await SpecialPowers.pushPrefEnv({ + set: [ + ["privacy.exposeContentTitleInWindow", false], + ["privacy.exposeContentTitleInWindow.pbm", true], + ], + }); + await testTabTitle( + await openWin(false), + testPageURL, + false, + page_without_title + ); + // The generic preference set to false is intended to override the PBM one + await testTabTitle( + await openWin(true), + testPageURL, + true, + pb_page_without_title + ); });

View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/d254715...