[tbb-dev] Tor Button Proposal

Igor Oliveira igt0 at torproject.org
Mon Jan 15 16:21:06 UTC 2018


On 01/15/2018 10:40 AM, Georg Koppen wrote:
> Hi!
> Igor Oliveira:
>> Howdy,
>> As many of you know. We are bringing Orfox on par with Tor
>> Browser(https://blog.torproject.org/blog/upping-support-mobile-browsing)
>> and one of the steps is porting tor button extension to mobile.
>> That said, I wrote an *initial*
>> proposal(https://storm.torproject.org/shared/fchH0_Liol-cWFQwH1dgQsETUC7whKb7Hy46cPYZLrS
>> and it is also bellow) about what are the challenges, the approach and
>> how we can try to keep as much code from the current extension.
> Thanks for starting this discussion!
>> Tor Button Next Proposal
>> 1. Introduction
>> Tor button, currently, is implemented as a Firefox extension using the
>> XPCOM API and XUL markup language that are not supported anymore since
>> Firefox 58[1]. This document aims to describe the approach used to
>> revitalize the current extension and the changes needed to make it work
>> on mobile.
>> 1.1 Design Requirements and Philosophy
>> The Tor Button requirements and adversary model can be found in two
>> separated documents[2][3].
>> 2. Implementation
>> Instead of an extension, we propose the Tor Button to be integrated
>> within the Tor Browser, thus we still can reuse few parts of the current
>> extension code such as the components and chrome code.
>> For the XUL markup language, we also suggest to migrate to XHTML when
>> possible.
> What do you mean with "be integrated within Tor Browser"? Do you have a
> plan on how to achieve that? If so, we should specify it and if not we
> should come up with one and specify it and include it in this proposal.
> I am asking because one could think of different ways of achieving that.
> One way would be to treat the Torbutton code the same way as the pdf.js
> code which lives under browser/extensions and ends up in the browser
> omni.ja under chrome/pdfjs. Another one would be having it as a proper
> extension living the features dir like the e10s related extension. A
> third one as would be coding up just a bunch of not really connected
> JavaScript code modules which get included into omni.ja (say under
> /modules and /components if needed) and the related UI parts get put
> directly into the browser chrome.

Indeed, in my head, I was always thinking about the third option, Tor 
Button needs to access few XPCOM interfaces, so thinking about a long 
term solution, it would live under /modules and /components. The down 
side of that is the code is now spread in multiple different 
directories. (I will update the proposal).

> Regarding the migration to XHTML, careful. I think we should follow the
> lead of the respective platform UI. Trying to get rid of XUL for desktop
> just to have all the Torbutton related parts coded in XHTML while the
> remainder of the browser UI still does XUL might lead to weird outcomes.

Yep, after the latest Monday meeting, the Arthur's idea of making 
progressive changes instead of refactoring everything at once make 
totally sense.

>> 2.1 Components
>> This section describes the current components and what changes will be
>> made.
>> 2.1.1 Tor About (contract id:
>> @mozilla.org/network/protocol/about;1?what=tor)
>> Overrides the Firefox/Fennec about page.
>> We can reuse it as it is in the Desktop and mobile version. For the
>> mobile version, we need to be careful about not be overridden by the
>> android/components/AboutRedirector.js.
>> 2.1.2 Content Policy (contract id: @torproject.org/content-policy;1)
>> Avoids the Browser to leak resource:// URI information. We can use as it
>> is, however a fix was shipped in the Firefox 57 and we need to make sure
>> that it works as expected.
>> 2.1.3 Cookie Jar Selector (contract id:
>> @torproject.org/cookie-jar-selector;1)
>> Enable selection of separate cookie jars for (more) anonymous browsing.
>> We can keep it as it is, just improving the comments in the code.
> It does nothing right now. I am inclined to drop it and if we want that
> functionality back we can think about how to achieve that in a good way.

Great, let's kill it.

>> 2.1.4 Domain Isolator (contract id: @torproject.org/domain-isolator;1)
>> Put requests from different first party domains on separate tor
>> circuits. We can keep it as it is.
>> 2.1.5 Filter drag events (contract id:
>> @torproject.org/torbutton-dragDropFilter;1)
>> Filter drag events to prevent OS access to URLs (a potential proxy
>> bypass vector). For desktop, we can keep as it is.
>> For mobile, Android 7(API Level 24) added support for displaying more
>> than one window at the same time[4], allowing
>> the users to drag and drop data between activities sharing the screen.
>> Looking looking through code and making manual tests
>> we were not able simulate drag events between other apps and
>> Orfox/Firefox. (Can someone else confirm it?)
>> 2.1.6 External apps confirmation dialogs (contract id:
>> @torproject.org/torbutton-extAppBlocker;1)
>>   Handles displaying confirmation dialogs for external apps and
>> protocols. For Desktop, we can keep as it is.
>>   For mobile, Android uses the concept of intents to load external
>> apps[5] (in fact, it is known by deep linking).
>>   Orfox already disables external apps making the preference
>> network.protocol-handler.external-default false.
>> 2.1.7 Tor Startup Observer (contract id:
>> @torproject.org/startup-observer;1)
>> Sets up Tor Browser networking proxy settings and loads the
>> content-policy and aboutTor scripts.
>> For Desktop, we can keep as it is. For mobile, the proxy settings are
>> made by the Orbot app using the vpn service[6], thus we just need to
>> load the content-policy and aboutTor scripts.
>> 2.1.8 Tor Check Service (contract id:
>> @torproject.org/torbutton-torCheckService;1)
>> Verifies if the Tor Service is up and running. For Desktop we can keep
>> as it is. For Mobile, currently, we can use a hybrid approach where we
>> use Android Intents to verify if Orbot is up and running[7] and the
>> check service component for sanity checks.
>> 2.2. Chrome
>> Mostly of the chrome changes will require definitions by the UX team
>> such as the [8].
> The UX part, yes, but there is the underlying code and we should think
> about what to do with it. Looking at the functionality provided by code
> in chrome it is at least
> 1) New Identity
> 2) New circuit for this site
> 3) The circuit display
> 4) The security slider
> 5) Tor Network Settings
> 6) Check for Tor Browser update...
> 7) Showing the state of Tor (green onion vs. crossed out onion)
> 8) Helpers for 1) - 7)
> 9) Things in torbutton.js doing e.g. window resizing on start-up

Few of these items are also affected by the tor launcher proposal.

> So, starting with 2) and 3). That's covered by #24309 (Obj. 4.1 from the
> OTF proposal). I think we can make a decision after we finally decided
> what we want to do (I think we are close, Arthur, right?). One
> interesting aspect of that in is that the helpers for that part involve
> tor controller related code. My idea would be to take that part + the
> relevant tor-launcher parts into a code module put somewhere into
> /toolkit. That way not only Tor Browser but other projects (think of
> FUSION or Thunderbird) could use that and we would not have two
> extensions with pieces of controller code each.

oh cool, great idea.

> 1) and 4) could be part of the toolbar redesign proposal I am currently
> writing (Obj 2.1 from the OTF proposal). In fact, I think I plan to
> argue that both New Identity and the slider should be available as easy
> to click items on the toolbar. We could add the slider code as a module
> ending up in the browser omni.ja and integrate the remainings directly
> into browser JS code and XUL.

We also need to think where we are going to place them in the mobile 
version. If we keep the the identity in the Tor Button, it could be 
easily reused in the mobile version. However it can harm the Desktop 
version UX.

> 5) The network settings dialog is a Tor Launcher part. I am not sure
> what to do with that one yet (I have not read the Tor Launcher redo
> proposal yet either).
> 6) We might want to rethink the usefulness of the update check and
> flashing (in case the browser is outdated) behind the Torbutton menu
> during our work for a better Tor Browser update UI (Obj 3.1 from the OTF
> proposal). So, we could consider just removing this part/commenting it
> out for now.
> 7) Is already provided by the about:tor page. I think there is no need
> to have an .onion icon just for that use case. We could remove/comment
> the relavant code parts for now.


> 9) That should be integrated directly into browser.js and the XUL files
> and I suspect there is a ton of stuff that we can get rid of (yay!).
> Georg

Thanks for the feedback I will digest the feedback and update the proposal.


>> 3. External Links
>> [1] https://blog.mozilla.org/addons/2017/11/20/extensions-in-firefox-58/
>> [2] https://www.torproject.org/docs/torbutton/en/design/index.html.en
>> [3]
>> https://www.torproject.org/projects/torbrowser/design/#DesignRequirements
>> [4] https://developer.android.com/guide/topics/ui/multi-window.html
>> [5] https://developer.android.com/training/app-links/deep-linking.html
>> [6] https://developer.android.com/reference/android/net/VpnService.html
>> [7]
>> https://github.com/guardianproject/tor-browser/blob/orfox-tor-browser-52.2.0esr-7.0-1/mobile/android/base/java/org/mozilla/gecko/BrowserApp.java#L1091
>> [8] https://trac.torproject.org/projects/tor/ticket/24309
>> _______________________________________________
>> tbb-dev mailing list
>> tbb-dev at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev
> _______________________________________________
> tbb-dev mailing list
> tbb-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev

More information about the tbb-dev mailing list