Tor Browser 12.0a5 is now available from the Tor Browser download page and also from our distribution directory:
- https://www.torproject.org/dist/torbrowser/12.0a5/
Tor Browser 12.0a5 updates Firefox on Android, Windows, macOS, and Linux to 102.5.0esr.
This version includes important security updates to Firefox and GeckoView.
Tor Browser 12.0a5 backports the following security updates from Firefox 107 to Firefox ESR 102.5 on Android:
- CVE-2022-45413: SameSite=Strict cookies could have been sent cross-site via intent URLs
# Major Changes since 11.5
This is the final planned alpha release before 12.0 stable. We have made a lot of changes over the past several months both large and small, and would like to encourage alpha users to test the following features and report any issues you discover.
## Universal macOS packages
This is the first universal package release of Tor Browser for macOS. Now Tor Browser should run natively for macOS users, regardless of whether they are running on older x86_64 devices or on newer Apple M1 aarch64 devices.
**What to test:** Users with existing x86_64 macOS installs should receive an automatic update to the new universal package without any loss of functionality. The universal dmg downloaded from the Tor Project website should continue to work for macOS users on both x86_64 and aarch64 platforms. We would also appreciate it if macOS users attempted a build-to-build upgrade from an older version of Tor Browser Alpha to help us validate this update path.
Once installed, macOS users using aarch64-based Macs (i.e. those with Apple Silicon) can verify whether Tor Browser is running natively by following these steps:
1. Open the Activity Monitor.
2. Search for "Tor Browser" within the CPU tab.
3. Should Tor Browser read "Apple" under the Kind column, you are successfully running the native Apple Silicon build.
## Multi-locale bundles (Desktop)
As of Tor Browser 12.0a4, all supported languages are now included in a single bundle, and can be changed without requiring additional downloads via the Language menu in General settings on the about:preferences page.
**What to test:** Tor Browser Alpha should default to your system language on first launch if it matches a language we support. Alpha testers are also encouraged to test changing language within about:preferences#general, and to report any new bugs with localization in general (in particular instances of 'Firefox' appearing instead of 'Tor Browser' or other similar branding issues).
We would also appreciate it if users on all our Desktop platforms attempted a build-to-build upgrade from an older version of Tor Browser Alpha to help us validate the update path.
## Unified Español locale (Desktop and Android)
Previous versions of Tor Browser Alpha were available in both "es" and "es-AR" (Español Argentina) locales. As of Tor Browser 12.0a4, these have been unified into a single Spanish locale instead.
**What to test:** Alpha testers who use the "es-AR" locale should be automatically switched to "es-ES" after updating.
## New supported locales (Ukrainian and Albanian)
We have added support for both Ukrainian and Albanian languages.
**What to test:** Alpha testers who use the "uk" and "sq" locales should try them on both Desktop (using the language picker in about:preferences#general) and Android (using the options in Settings > Language).
## tor-launcher migration (Desktop)
Parts of the code that power tor-launcher – which starts tor within Tor Browser – have been refactored. Although this work doesn't include any changes to the user experience, those who run non-standard Tor Browser setups are encouraged to test 12.0a5 on their systems.
**What to test:** Alpha testers who run non-standard Tor Browser setups (including, but not limited to, those who use system tor in conjunction with Tor Browser and those with specific network and bridge settings) should test starting and connecting to Tor, and report any unexpected error messages they encounter. All of the previously supported environment variables should still behave the same way as in the stable series.
## Onion Auth fixes (Desktop)
Tor Browser 12.0a4 included two fixes to Onion Service client authorization:
1. A fix to the auth window itself, which was broken in Alpha due to a regression caused by the esr102 transition: tor-browser#41344
2. Another fix to a longstanding issue with Onion Auth failing on subdomains, which has also been backported to 11.5.5: tor-browser#40465
**What to test:** Accessing client authorized Onion Services on both top-level and subdomains.
## Always prioritize .onion sites (Android)
Android users can now enable automatic Onion-Location redirects by switching "Prioritize .onion sites" within Privacy and Security settings. However, we have not yet implemented the URL bar UI which we have in Tor Browser for Desktop.
**What to test:** Enable "Prioritize .onion sites" within settings, visit a website that supports Onion-Location, and verify that you were redirected to the website's .onion address.
The full changelog since Tor Browser 12.0a4 is:
- All Platforms
  - Update Translations
  - Update OpenSSL to 1.1.1s
  - Update NoScript to 11.4.13
  - Update tor to 0.4.7.11
  - Update zlib to 1.2.13
  - Bug tor-browser#17228: Consideration for disabling/trimming referrers within TBB
  - Bug tor-browser#27258: font whitelist means we don't have to set gfx.downloadable_fonts.fallback_delay
  - Bug tor-browser#40183: Consider disabling TLS ciphersuites containing SHA-1
  - Bug tor-browser-build#40622: Update obfs4proxy to 0.0.14 in Tor Browser
  - Bug tor-browser-build#40674: Add Secondary Snowflake Bridge
  - Bug tor-browser#40783: Review 000-tor-browser.js and 001-base-profile.js for 102
  - Bug tor-browser#41406: Do not define --without-wasm-sandboxed-libraries if WASI_SYSROOT is defined
  - Bug tor-browser#41420: Remove brand.dtd customization on nightly
  - Bug tor-browser#41457: Remove more Mozilla permissions
  - Bug tor-browser#41460: Migrate new identity and security level preferences in 11.5.8
  - Bug tor-browser#41473: Add support for Albanian (sq)
- Windows + macOS + Linux
  - Update Firefox to 102.5.0esr
  - Bug tor-browser#31064: Letterboxing is enabled in privileged contexts too
  - Bug tor-browser#31821: reapply window.open() clamping
  - Bug tor-browser#32411: Consider adding about:tor and others to the list of pages that do not need letterboxing
  - Bug tor-browser#40081: Letterboxing since 32220 affected by layout.css.devPixelsPerPx
  - Bug tor-browser#40767: 1px white border visible on fullscreen video playback
  - Bug tor-browser#41293: Incomplete branding in German with 12.0a2
  - Bug tor-browser#41378: Inform users when Tor Browser sets their language automatically
  - Bug tor-browser#41409: Circuit display is broken on Tails
  - Bug tor-browser#41410: Opening and closing HTTPS-Only settings make the identity panel shrink
  - Bug tor-browser#41412: New Identity shows "Tor Browser" instead of "Restart Tor Browser" in untranslated locales
  - Bug tor-browser#41417: Prompt users to restart after changing language
  - Bug tor-browser#41429: TorConnect and TorSettings are initialized twice
  - Bug tor-browser#41433: Should letterboxing take in account optional components' heights?
  - Bug tor-browser#41434: Letterboxing bypass through secondary tab (popup/popunder...)
  - Bug tor-browser#41436: The new tor-launcher handles arrays in the wrong way
  - Bug tor-browser#41437: Use the new media query for dark theme for the "Connected" pill in bridges
  - Bug tor-browser#41449: Onion authentication's learn more should link to the offline manual
  - Bug tor-browser#41451: Still using requestedLocales in torbutton
  - Bug tor-browser#41455: Tor Browser dev build cannot launch tor
  - Bug tor-browser#41458: Prevent mach package-multi-locale from actually creating a package
  - Bug tor-browser#41462: Add anchors to bridge-moji and onion authentication entries
  - Bug tor-browser#41498: The Help panel is empty in 12.0a4
- Windows
  - Bug tor-browser#41426: base-browser nightly fails to build for windows-i686
- macOS
  - Bug tor-browser#23451: Adapt font whitelist to changes on macOS (zh locales)
  - Bug tor-browser-build#40687: macOS nightly builds with packaged locales fail
- Android
  - Update GeckoView to 102.5.0esr
  - Bug tor-browser#40014: Check which of our mobile prefs and configuration changes are still valid for GeckoView
  - Bug tor-browser#41471: Update targetSdkVersion to 31
  - Bug tor-browser#41481: Tor Browser 11.5.9 for Android crashes on launch on Android 12+ after targetSdkVersion update
- Build System
  - All Platforms
    - Update Go to 1.19.3
    - Bug tor-browser-build#40675: Update tb_builders list in set-config
    - Bug tor-browser-build#40667: Update Node.js to 12.22.12
    - Bug tor-browser-build#40690: Revert fix for zlib build break
    - Bug tor-browser#41446: Multi-lingual alpha bundles break make fetch
  - Windows + macOS + Linux
    - Bug tor-browser-build#40503: Update Release Prep issue template with base-browser and privacy browser changes
    - Bug tor-browser-build#40641: Fetch Firefox locales from l10n-central
    - Bug tor-browser-build#40685: Remove targets/nightly/var/mar_locales from rbm.conf
    - Bug tor-browser-build#40686: Add a temporary project to fetch Fluent translations for base-browser
    - Bug tor-browser-build#40691: Update firefox config to point to base-browser branch rather than a particular tag in nightly
    - Bug tor-browser-build#40699: Fix input_files in projects/firefox-l10n/config
  - Windows
    - Bug tor-browser-build#40666: Fix compiler dependencies for Firefox on Windows
  - macOS
    - Bug tor-browser-build#40067: Rename "OS X" to "macOS"
    - Bug tor-browser-build#40439: Create universal x86-64/arm64 mac builds