[tbb-dev] Tor Button Proposal
igt0 at torproject.org
Mon Jan 8 17:25:19 UTC 2018
As many of you know. We are bringing Orfox on par with Tor
and one of the steps is porting tor button extension to mobile.
That said, I wrote an *initial*
and it is also bellow) about what are the challenges, the approach and
how we can try to keep as much code from the current extension.
Tor Button Next Proposal
Tor button, currently, is implemented as a Firefox extension using the
XPCOM API and XUL markup language that are not supported anymore since
Firefox 58. This document aims to describe the approach used to
revitalize the current extension and the changes needed to make it work
1.1 Design Requirements and Philosophy
The Tor Button requirements and adversary model can be found in two
Instead of an extension, we propose the Tor Button to be integrated
within the Tor Browser, thus we still can reuse few parts of the current
extension code such as the components and chrome code.
For the XUL markup language, we also suggest to migrate to XHTML when
This section describes the current components and what changes will be made.
2.1.1 Tor About (contract id:
Overrides the Firefox/Fennec about page.
We can reuse it as it is in the Desktop and mobile version. For the
mobile version, we need to be careful about not be overridden by the
2.1.2 Content Policy (contract id: @torproject.org/content-policy;1)
Avoids the Browser to leak resource:// URI information. We can use as it
is, however a fix was shipped in the Firefox 57 and we need to make sure
that it works as expected.
2.1.3 Cookie Jar Selector (contract id:
Enable selection of separate cookie jars for (more) anonymous browsing.
We can keep it as it is, just improving the comments in the code.
2.1.4 Domain Isolator (contract id: @torproject.org/domain-isolator;1)
Put requests from different first party domains on separate tor
circuits. We can keep it as it is.
2.1.5 Filter drag events (contract id:
Filter drag events to prevent OS access to URLs (a potential proxy
bypass vector). For desktop, we can keep as it is.
For mobile, Android 7(API Level 24) added support for displaying more
than one window at the same time, allowing
the users to drag and drop data between activities sharing the screen.
Looking looking through code and making manual tests
we were not able simulate drag events between other apps and
Orfox/Firefox. (Can someone else confirm it?)
2.1.6 External apps confirmation dialogs (contract id:
Handles displaying confirmation dialogs for external apps and
protocols. For Desktop, we can keep as it is.
For mobile, Android uses the concept of intents to load external
apps (in fact, it is known by deep linking).
Orfox already disables external apps making the preference
2.1.7 Tor Startup Observer (contract id: @torproject.org/startup-observer;1)
Sets up Tor Browser networking proxy settings and loads the
content-policy and aboutTor scripts.
For Desktop, we can keep as it is. For mobile, the proxy settings are
made by the Orbot app using the vpn service, thus we just need to
load the content-policy and aboutTor scripts.
2.1.8 Tor Check Service (contract id:
Verifies if the Tor Service is up and running. For Desktop we can keep
as it is. For Mobile, currently, we can use a hybrid approach where we
use Android Intents to verify if Orbot is up and running and the
check service component for sanity checks.
Mostly of the chrome changes will require definitions by the UX team
such as the .
3. External Links
More information about the tbb-dev