commit f4606d1c1c35eb36edf3c7cd6b2904be01f19f32 Author: Richard Pospesel <richard@torproject.org> Date: Fri Jan 25 07:51:14 2019 +0000 Bug 12885: Windows Jump Lists fail for Tor Browser Jumplist entries are stored in a binary file in: %APPDATA%\\Microsoft\Windows\Recent\CustomDestinations\ and has a name in the form [a-f0-9]+.customDestinations-ms The hex at the front is unique per app, and is ultimately derived from something called the 'App User Model ID' (AUMID) via some unknown hashing method. The AUMID is provided as a key when programmatically creating, updating, and deleting a jumplist. The default behaviour in firefox is for the installer to define an AUMID for an app, and save it in the registry so that the jumplist data can be removed by the uninstaller. However, the Tor Browser does not set this (or any other) regkey during installation, so this codepath fails and the app's AUMID is left undefined. As a result the app's AUMID ends up being defined by windows, but unknowable by Tor Browser. This unknown AUMID is used to create and modify the jumplist, but the delete API requires that we provide the app's AUMID explicitly. Since we don't know what the AUMID is (since the expected regkey where it is normally stored does not exist) jumplist deletion will fail and we will leave behind a mostly empty customDestinations-ms file. The name of the file is derived from the binary path, so an enterprising person could reverse engineer how that hex name is calculated, and generate the name for Tor Browser's default Desktop installation path to determine whether a person had used Tor Browser in the past. The 'taskbar.grouping.useprofile' option that is enabled by this patch works around this AUMID problem by having firefox.exe create it's own AUMID based on the profile path (rather than looking for a regkey). This way, if a user goes in and enables and disables jumplist entries, the backing store is properly deleted. Unfortunately, all windows users currently have this file lurking in the above mentioned directory and this patch will not remove it since it was created with an unknown AUMID. However, another patch could be written which goes to that directory and deletes any item containing the 'Tor Browser' string. See bug 28996. --- browser/app/profile/000-tor-browser.js | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/browser/app/profile/000-tor-browser.js b/browser/app/profile/000-tor-browser.js index 2b238dd87c1b..11027f4c9a3a 100644 --- a/browser/app/profile/000-tor-browser.js +++ b/browser/app/profile/000-tor-browser.js @@ -326,6 +326,18 @@ pref("browser.onboarding.newtour", "welcome,privacy,tor-network,circuit-display, pref("browser.onboarding.updatetour", "welcome,privacy,tor-network,circuit-display,security,expect-differences,onion-services"); pref("browser.onboarding.skip-tour-button.hide", true); +// prefs to disable jump-list entries in the taskbar on Windows (see bug #12885) +#ifdef XP_WIN +// this pref changes the app's set AUMID to be dependent on the profile path, rather than +// attempting to read it from the registry; this is necessary so that the file generated +// by the jumplist system can be properly deleted if it is disabled +pref("taskbar.grouping.useprofile", true); +pref("browser.taskbar.lists.enabled", false); +pref("browser.taskbar.lists.frequent.enabled", false); +pref("browser.taskbar.lists.tasks.enabled", false); +pref("browser.taskbar.lists.recent.enabled", false); +#endif + #ifdef TOR_BROWSER_VERSION #expand pref("torbrowser.version", __TOR_BROWSER_VERSION__); #endif