[tbb-dev] Tor Button Proposal

Igor Oliveira igt0 at torproject.org
Mon Jan 8 17:25:19 UTC 2018 

Howdy,

As many of you know. We are bringing Orfox on par with Tor 
Browser(https://blog.torproject.org/blog/upping-support-mobile-browsing) 
and one of the steps is porting tor button extension to mobile.

That said, I wrote an *initial* 
proposal(https://storm.torproject.org/shared/fchH0_Liol-cWFQwH1dgQsETUC7whKb7Hy46cPYZLrS 
and it is also bellow) about what are the challenges, the approach and 
how we can try to keep as much code from the current extension.

Tor Button Next Proposal

1. Introduction

Tor button, currently, is implemented as a Firefox extension using the 
XPCOM API and XUL markup language that are not supported anymore since 
Firefox 58[1]. This document aims to describe the approach used to 
revitalize the current extension and the changes needed to make it work 
on mobile.

1.1 Design Requirements and Philosophy

The Tor Button requirements and adversary model can be found in two 
separated documents[2][3].

2. Implementation

Instead of an extension, we propose the Tor Button to be integrated 
within the Tor Browser, thus we still can reuse few parts of the current 
extension code such as the components and chrome code.
For the XUL markup language, we also suggest to migrate to XHTML when 
possible.

2.1 Components

This section describes the current components and what changes will be made.

2.1.1 Tor About (contract id: 
@mozilla.org/network/protocol/about;1?what=tor)

Overrides the Firefox/Fennec about page.

We can reuse it as it is in the Desktop and mobile version. For the 
mobile version, we need to be careful about not be overridden by the 
android/components/AboutRedirector.js.

2.1.2 Content Policy (contract id: @torproject.org/content-policy;1)

Avoids the Browser to leak resource:// URI information. We can use as it 
is, however a fix was shipped in the Firefox 57 and we need to make sure 
that it works as expected.

2.1.3 Cookie Jar Selector (contract id: 
@torproject.org/cookie-jar-selector;1)

Enable selection of separate cookie jars for (more) anonymous browsing. 
We can keep it as it is, just improving the comments in the code.

2.1.4 Domain Isolator (contract id: @torproject.org/domain-isolator;1)

Put requests from different first party domains on separate tor 
circuits. We can keep it as it is.

2.1.5 Filter drag events (contract id: 
@torproject.org/torbutton-dragDropFilter;1)

Filter drag events to prevent OS access to URLs (a potential proxy 
bypass vector). For desktop, we can keep as it is.
For mobile, Android 7(API Level 24) added support for displaying more 
than one window at the same time[4], allowing
the users to drag and drop data between activities sharing the screen. 
Looking looking through code and making manual tests
we were not able simulate drag events between other apps and 
Orfox/Firefox. (Can someone else confirm it?)

2.1.6 External apps confirmation dialogs (contract id: 
@torproject.org/torbutton-extAppBlocker;1)

  Handles displaying confirmation dialogs for external apps and 
protocols. For Desktop, we can keep as it is.
  For mobile, Android uses the concept of intents to load external 
apps[5] (in fact, it is known by deep linking).
  Orfox already disables external apps making the preference 
network.protocol-handler.external-default false.

2.1.7 Tor Startup Observer (contract id: @torproject.org/startup-observer;1)

Sets up Tor Browser networking proxy settings and loads the 
content-policy and aboutTor scripts.
For Desktop, we can keep as it is. For mobile, the proxy settings are 
made by the Orbot app using the vpn service[6], thus we just need to 
load the content-policy and aboutTor scripts.

2.1.8 Tor Check Service (contract id: 
@torproject.org/torbutton-torCheckService;1)

Verifies if the Tor Service is up and running. For Desktop we can keep 
as it is. For Mobile, currently, we can use a hybrid approach where we 
use Android Intents to verify if Orbot is up and running[7] and the 
check service component for sanity checks.

2.2. Chrome

Mostly of the chrome changes will require definitions by the UX team 
such as the [8].

3. External Links

[1] https://blog.mozilla.org/addons/2017/11/20/extensions-in-firefox-58/
[2] https://www.torproject.org/docs/torbutton/en/design/index.html.en
[3] 
https://www.torproject.org/projects/torbrowser/design/#DesignRequirements
[4] https://developer.android.com/guide/topics/ui/multi-window.html
[5] https://developer.android.com/training/app-links/deep-linking.html
[6] https://developer.android.com/reference/android/net/VpnService.html
[7] 
https://github.com/guardianproject/tor-browser/blob/orfox-tor-browser-52.2.0esr-7.0-1/mobile/android/base/java/org/mozilla/gecko/BrowserApp.java#L1091
[8] https://trac.torproject.org/projects/tor/ticket/24309

More information about the tbb-dev mailing list