Pier Angelo Vendrame pushed to branch mullvad-browser-115.8.0esr-13.5-1 at The Tor Project / Applications / Mullvad Browser
Commits:
ed66bd0f by Pier Angelo Vendrame at 2024-02-29T14:09:03+01:00
fixup! MB 38: Mullvad Browser configuration
s/privacy-browser/mullvad-browser/
- - - - -
b9146e90 by Pier Angelo Vendrame at 2024-02-29T14:09:08+01:00
fixup! MB 112: Updater customization for Mullvad Browser
s/privacy-browser/mullvad-browser/
- - - - -
e473a103 by Pier Angelo Vendrame at 2024-02-29T14:09:08+01:00
MB 234: Disable OS spoofing in HTTP User-Agent.
This commits makes it possible to disable OS spoofing in the HTTP
User-Agent header, to see if matching header and JS property improve
usability.
- - - - -
3 changed files:
- browser/app/profile/000-mullvad-browser.js
- netwerk/protocol/http/nsHttpHandler.cpp
- toolkit/components/resistfingerprinting/nsRFPService.cpp
Changes:
=====================================
browser/app/profile/000-mullvad-browser.js
=====================================
@@ -7,23 +7,23 @@ pref("browser.startup.homepage", "about:mullvad-browser");
// a result.
pref("browser.toolbars.bookmarks.visibility", "never");
-// privacy-browser#19: Enable Mullvad's DOH
+// mullvad-browser#19: Enable Mullvad's DOH
pref("network.trr.uri", "https://dns.mullvad.net/dns-query");
pref("network.trr.default_provider_uri", "https://dns.mullvad.net/dns-query");
pref("network.trr.mode", 3);
pref("doh-rollout.provider-list", "[{\"UIName\":\"Mullvad\",\"autoDefault\":true,\"canonicalName\":\"\",\"id\":\"mullvad\",\"last_modified\":0,\"schema\":0,\"uri\":\"https://dns.mullvad.net/dns-query\"},{\"UIName\":\"Mullvad (Ad-blocking)\",\"autoDefault\":false,\"canonicalName\":\"\",\"id\":\"mullvad\",\"last_modified\":0,\"schema\":0,\"uri\":\"https://adblock.dns.mullvad.net/dns-query\"}]");
-// privacy-browser#122: Audit DoH heuristics
+// mullvad-browser#122: Audit DoH heuristics
pref("doh-rollout.disable-heuristics", true);
-// privacy-browser#37: Customization for the about dialog
+// mullvad-browser#37: Customization for the about dialog
pref("app.releaseNotesURL.aboutDialog", "about:blank");
-// privacy-browser#94: Disable legacy global microphone/webcam indicator
+// mullvad-browser#94: Disable legacy global microphone/webcam indicator
// Disable the legacy Firefox Quantum-styled global webcam/microphone indicator in favor of each
// platform's native indicator
pref("privacy.webrtc.legacyGlobalIndicator", false);
-// privacy-browser#87: Windows and Linux need additional work to make the
+// mullvad-browser#87: Windows and Linux need additional work to make the
// default browser choice working.
// We are shipping only the portable versions for the initial release anyway, so
// we leave this popup enabled only on macOS.
@@ -34,7 +34,7 @@ pref("browser.shell.checkDefaultBrowser", false);
// mullvad-browser#228: default to spoof en-US and skip showing the dialog
pref("privacy.spoof_english", 2);
-// privacy-browser#131: Review a few updater preferences
+// mullvad-browser#131: Review a few updater preferences
pref("app.update.notifyDuringDownload", true);
pref("app.update.url.manual", "https://mullvad.net/download/browser");
pref("app.update.url.details", "https://mullvad.net/download/browser");
@@ -45,3 +45,6 @@ pref("app.releaseNotesURL", "https://github.com/mullvad/mullvad-browser/releases
pref("app.releaseNotesURL.aboutDialog", "about:blank");
// point to our feedback url rather than Mozilla's
pref("app.feedback.baseURL", "https://mullvad.net/help/tag/browser/");
+
+// mullvad-browser#234: Do not spoof the OS in the User-Agent header
+pref("privacy.resistFingerprinting.spoofOsInUserAgentHeader", false);
=====================================
netwerk/protocol/http/nsHttpHandler.cpp
=====================================
@@ -497,6 +497,9 @@ nsresult nsHttpHandler::Init() {
// obsService->AddObserver(this, "net:failed-to-process-uri-content", true);
}
+ Preferences::AddWeakObserver(
+ this, "privacy.resistFingerprinting.spoofOsInUserAgentHeader"_ns);
+
MakeNewRequestTokenBucket();
mWifiTickler = new Tickler();
if (NS_FAILED(mWifiTickler->Init())) mWifiTickler = nullptr;
@@ -2071,6 +2074,9 @@ nsHttpHandler::Observe(nsISupports* subject, const char* topic,
// Inform nsIOService that network is tearing down.
gIOService->SetHttpHandlerAlreadyShutingDown();
+ Preferences::RemoveObserver(
+ this, "privacy.resistFingerprinting.spoofOsInUserAgentHeader"_ns);
+
ShutdownConnectionManager();
// need to reset the session start time since cache validation may
@@ -2196,6 +2202,11 @@ nsHttpHandler::Observe(nsISupports* subject, const char* topic,
ShutdownConnectionManager();
mConnMgr = nullptr;
Unused << InitConnectionMgr();
+ } else if (!strcmp(topic, "nsPref:changed") &&
+ !NS_strcmp(
+ data,
+ u"privacy.resistFingerprinting.spoofOsInUserAgentHeader")) {
+ nsRFPService::GetSpoofedUserAgent(mSpoofedUserAgent, true);
}
return NS_OK;
=====================================
toolkit/components/resistfingerprinting/nsRFPService.cpp
=====================================
@@ -939,12 +939,17 @@ void nsRFPService::GetSpoofedUserAgent(nsACString& userAgent,
// https://developer.mozilla.org/en-US/docs/Web/API/NavigatorID/userAgent
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent
+ const bool spoofOs =
+ isForHTTPHeader &&
+ Preferences::GetBool(
+ "privacy.resistFingerprinting.spoofOsInUserAgentHeader", true);
+
// These magic numbers are the lengths of the UA string literals below.
// Assume three-digit Firefox version numbers so we have room to grow.
size_t preallocatedLength =
13 +
- (isForHTTPHeader ? mozilla::ArrayLength(SPOOFED_HTTP_UA_OS)
- : mozilla::ArrayLength(SPOOFED_UA_OS)) -
+ (spoofOs ? mozilla::ArrayLength(SPOOFED_HTTP_UA_OS)
+ : mozilla::ArrayLength(SPOOFED_UA_OS)) -
1 + 5 + 3 + 10 + mozilla::ArrayLength(LEGACY_UA_GECKO_TRAIL) - 1 + 9 + 3 +
2;
userAgent.SetCapacity(preallocatedLength);
@@ -954,7 +959,7 @@ void nsRFPService::GetSpoofedUserAgent(nsACString& userAgent,
// "Mozilla/5.0 (%s; rv:%d.0) Gecko/%d Firefox/%d.0"
userAgent.AssignLiteral("Mozilla/5.0 (");
- if (isForHTTPHeader) {
+ if (spoofOs) {
userAgent.AppendLiteral(SPOOFED_HTTP_UA_OS);
} else {
userAgent.AppendLiteral(SPOOFED_UA_OS);
View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/compare/3b…
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/compare/3b…
You're receiving this email because of your account on gitlab.torproject.org.
richard pushed to branch maint-13.0 at The Tor Project / Applications / tor-browser-build
Commits:
02f786b2 by Nicolas Vigier at 2024-02-29T12:41:41+00:00
Bug 41097: authenticode-timestamping.sh: create $tmp_dir with mktemp -d
(cherry picked from commit 800e2fff2d33150beffc086a46921807532bddcc)
- - - - -
1 changed file:
- tools/signing/authenticode-timestamping.sh
Changes:
=====================================
tools/signing/authenticode-timestamping.sh
=====================================
@@ -46,8 +46,8 @@ test -f "$osslsigncode_file" ||
which rename > /dev/null 2>&1 ||
exit_error '`rename` is missing.'
-tmp_dir="$signed_dir/$tbb_version/tmp-timestamp"
-mkdir "$tmp_dir"
+tmp_dir=$(mktemp -d)
+trap "rm -Rf $tmp_dir" EXIT
tar -C "$tmp_dir" -xf "$osslsigncode_file"
export PATH="$PATH:$tmp_dir/osslsigncode/bin"
@@ -64,5 +64,3 @@ do
done
echo "Timestamped $COUNT .exe files, now renaming"
rename -f 's/-timestamped//' *-timestamped
-
-rm -Rf "$tmp_dir"
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/0…
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/0…
You're receiving this email because of your account on gitlab.torproject.org.
richard pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
800e2fff by Nicolas Vigier at 2024-02-29T12:37:42+00:00
Bug 41097: authenticode-timestamping.sh: create $tmp_dir with mktemp -d
- - - - -
1 changed file:
- tools/signing/authenticode-timestamping.sh
Changes:
=====================================
tools/signing/authenticode-timestamping.sh
=====================================
@@ -46,8 +46,8 @@ test -f "$osslsigncode_file" ||
which rename > /dev/null 2>&1 ||
exit_error '`rename` is missing.'
-tmp_dir="$signed_dir/$tbb_version/tmp-timestamp"
-mkdir "$tmp_dir"
+tmp_dir=$(mktemp -d)
+trap "rm -Rf $tmp_dir" EXIT
tar -C "$tmp_dir" -xf "$osslsigncode_file"
export PATH="$PATH:$tmp_dir/osslsigncode/bin"
@@ -64,5 +64,3 @@ do
done
echo "Timestamped $COUNT .exe files, now renaming"
rename -f 's/-timestamped//' *-timestamped
-
-rm -Rf "$tmp_dir"
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/8…
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/8…
You're receiving this email because of your account on gitlab.torproject.org.
Pier Angelo Vendrame pushed to branch mullvad-browser-115.8.0esr-13.5-1 at The Tor Project / Applications / Mullvad Browser
Commits:
3b8bacb8 by Pier Angelo Vendrame at 2024-02-29T10:05:37+01:00
fixup! Firefox preference overrides.
Bug 41676: Set privacy.resistFingerprinting.testing.setTZtoUTC as a
defense-in-depth.
We will have to revert this during the ESR-transition.
- - - - -
1 changed file:
- browser/app/profile/001-base-profile.js
Changes:
=====================================
browser/app/profile/001-base-profile.js
=====================================
@@ -406,6 +406,9 @@ pref("browser.display.use_system_colors", false);
// Enforce non-native widget theme (true by default, defense in depth).
// Provides a uniform look and feel across platforms. Added with tor-browser#41496.
pref("widget.non-native-theme.enabled", true);
+// tor-browser#41676: Set the TZ environment variable as a defense-in-depth.
+// TODO: Remove this in ESR-128, as it has been removed in 116 with Bug 1837582.
+pref("privacy.resistFingerprinting.testing.setTZtoUTC", true);
// tor-browser#41943: lock and revisit after it gets flipped to true in stable Firefox
pref("javascript.options.spectre.disable_for_isolated_content", false, locked);
View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/3b8…
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/3b8…
You're receiving this email because of your account on gitlab.torproject.org.
Pier Angelo Vendrame pushed to branch base-browser-115.8.0esr-13.5-1 at The Tor Project / Applications / Tor Browser
Commits:
4c125e5a by Pier Angelo Vendrame at 2024-02-29T10:05:12+01:00
fixup! Firefox preference overrides.
Bug 41676: Set privacy.resistFingerprinting.testing.setTZtoUTC as a
defense-in-depth.
We will have to revert this during the ESR-transition.
- - - - -
1 changed file:
- browser/app/profile/001-base-profile.js
Changes:
=====================================
browser/app/profile/001-base-profile.js
=====================================
@@ -407,6 +407,9 @@ pref("browser.display.use_system_colors", false);
// Enforce non-native widget theme (true by default, defense in depth).
// Provides a uniform look and feel across platforms. Added with tor-browser#41496.
pref("widget.non-native-theme.enabled", true);
+// tor-browser#41676: Set the TZ environment variable as a defense-in-depth.
+// TODO: Remove this in ESR-128, as it has been removed in 116 with Bug 1837582.
+pref("privacy.resistFingerprinting.testing.setTZtoUTC", true);
// tor-browser#41943: lock and revisit after it gets flipped to true in stable Firefox
pref("javascript.options.spectre.disable_for_isolated_content", false, locked);
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/4c125e5…
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/4c125e5…
You're receiving this email because of your account on gitlab.torproject.org.
Pier Angelo Vendrame pushed to branch tor-browser-115.8.0esr-13.5-1 at The Tor Project / Applications / Tor Browser
Commits:
5bb3b747 by Pier Angelo Vendrame at 2024-02-28T11:26:08+01:00
fixup! Firefox preference overrides.
Bug 41676: Set privacy.resistFingerprinting.testing.setTZtoUTC as a
defense-in-depth.
We will have to revert this during the ESR-transition.
- - - - -
1 changed file:
- browser/app/profile/001-base-profile.js
Changes:
=====================================
browser/app/profile/001-base-profile.js
=====================================
@@ -407,6 +407,9 @@ pref("browser.display.use_system_colors", false);
// Enforce non-native widget theme (true by default, defense in depth).
// Provides a uniform look and feel across platforms. Added with tor-browser#41496.
pref("widget.non-native-theme.enabled", true);
+// tor-browser#41676: Set the TZ environment variable as a defense-in-depth.
+// TODO: Remove this in ESR-128, as it has been removed in 116 with Bug 1837582.
+pref("privacy.resistFingerprinting.testing.setTZtoUTC", true);
// tor-browser#41943: lock and revisit after it gets flipped to true in stable Firefox
pref("javascript.options.spectre.disable_for_isolated_content", false, locked);
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/5bb3b74…
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/5bb3b74…
You're receiving this email because of your account on gitlab.torproject.org.
boklm pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
7c9183b0 by Nicolas Vigier at 2024-02-28T16:17:42+01:00
Bug 41093: Unsign APKs before signing them
Use the bspatch file we create during the build to unsign the apk (which
was signed by the QA key) before signing it with the release key.
- - - - -
2 changed files:
- tools/signing/linux-signer-sign-android-apks
- tools/signing/machines-setup/setup-signing-machine
Changes:
=====================================
tools/signing/linux-signer-sign-android-apks
=====================================
@@ -68,14 +68,19 @@ setup_build_tools
mkdir -p ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
chgrp signing ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
chmod g+w ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
-cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk \
+ ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.bspatch \
+ ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
cd ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
# Sign all packages
for arch in ${ARCHS}; do
qa_apk=${projname}-qa-android-${arch}-${tbb_version}.apk
+ unsigned_apk=${projname}-qa-unsigned-android-${arch}-${tbb_version}.apk
+ unsigned_apk_bspatch=${projname}-qa-unsign-android-${arch}-${tbb_version}.bspatch
signed_apk=${projname}-android-${arch}-${tbb_version}.apk
- sign_apk "$qa_apk" "$signed_apk"
+ bspatch "$qa_apk" "$unsigned_apk" "$unsigned_apk_bspatch"
+ sign_apk "$unsigned_apk" "$signed_apk"
verify_apk "$signed_apk"
cp -f "$signed_apk" ~/"$SIGNING_PROJECTNAME-$tbb_version"
done
=====================================
tools/signing/machines-setup/setup-signing-machine
=====================================
@@ -116,7 +116,7 @@ install_packages opensc libengine-pkcs11-openssl
install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
# Install deps for android/apk signing
-install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless
+install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless bsdiff
# Install deps for macos-rcodesign signing
install_packages p7zip-full zstd
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/7…
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/7…
You're receiving this email because of your account on gitlab.torproject.org.