[tor-commits] [tor-browser-spec/master] Update stale/broken gitweb and trac URLs.
mikeperry at torproject.org
mikeperry at torproject.org
Mon Apr 28 15:18:48 UTC 2014
commit ec2a7eb797d818b13b45a1e0a17e948d991047c3
Author: Mike Perry <mikeperry-git at fscked.org>
Date: Tue Feb 19 12:18:19 2013 -0800
Update stale/broken gitweb and trac URLs.
---
docs/design/design.xml | 79 +++++++++++++++++++++---------------------------
1 file changed, 35 insertions(+), 44 deletions(-)
diff --git a/docs/design/design.xml b/docs/design/design.xml
index d723542..07db627 100644
--- a/docs/design/design.xml
+++ b/docs/design/design.xml
@@ -747,14 +747,19 @@ browser proxy settings.
<para>
Torbutton disables plugins by using the
<command>@mozilla.org/plugin/host;1</command> service to mark the plugin tags
-as disabled. Additionally, we set
-<command>plugin.disable_full_page_plugin_for_types</command> to the list of
-supported mime types for all currently installed plugins.
- </para>
+as disabled. This block can be undone through both the Torbutton Security UI,
+and the Firefox Plugin Preferences.
+ </para>
+ <para>
+If the user does enable plugins in this way, plugin-handled objects are still
+restricted from automatic load through Firefox's click-to-play preference
+<command>plugins.click_to_play</command>.
+ </para>
<para>
-In addition, to prevent any unproxied activity by plugins at load time, we
+In addition, to reduce any unproxied activity by arbitrary plugins at load
+time, and to reduce the fingerprintability of the installed plugin list, we
also patch the Firefox source code to <ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0007-Block-all-plugins-except-flash.patch">prevent the load of any plugins except
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch">prevent the load of any plugins except
for Flash and Gnash</ulink>.
</para>
@@ -842,16 +847,16 @@ Private Browsing Mode is enabled. We need to
<!-- XXX: Firefox 17 will mess up all these patch links -->
<ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0002-Make-Permissions-Manager-memory-only.patch">prevent
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0002-Make-Permissions-Manager-memory-only.patch">prevent
the permissions manager from recording HTTPS STS state</ulink>,
<ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0003-Make-Intermediate-Cert-Store-memory-only.patch">prevent
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0003-Make-Intermediate-Cert-Store-memory-only.patch">prevent
intermediate SSL certificates from being recorded</ulink>,
<ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0013-Make-Download-manager-memory-only.patch">prevent
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0013-Make-Download-manager-memory-only.patch">prevent
download history from being recorded</ulink>, and
<ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0006-Make-content-pref-service-memory-only-clearable.patch">prevent
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0006-Make-content-pref-service-memory-only-clearable.patch">prevent
the content preferences service from recording site zoom</ulink>.
<!-- XXX: DOM Storage patch, too. -->
@@ -862,7 +867,7 @@ Firefox Patches section</link>.
</para>
<para>
For more details on disk leak bugs and enhancements, see the <ulink
-url="https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_information&status=needs_review&status=needs_revision&status=new&status=reopened&order=priority&col=id&col=summary&col=keywords&col=owner&col=type&col=status&col=priority&keywords=~tbb-disk-leak">tbb-disk-leak tag in our bugtracker</ulink>
+url="https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&status=!closed">tbb-disk-leak tag in our bugtracker</ulink>
</para>
</sect2>
<sect2 id="app-data-isolation">
@@ -975,7 +980,7 @@ security of the isolation</ulink> and to <ulink
url="https://trac.torproject.org/projects/tor/ticket/3754">solve conflicts
with OCSP relying the cacheKey property for reuse of POST requests</ulink>, we
had to <ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0005-Add-a-string-based-cacheKey.patch">patch
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0004-Add-a-string-based-cacheKey.patch">patch
Firefox to provide a cacheDomain cache attribute</ulink>. We use the fully
qualified url bar domain as input to this field.
@@ -1011,11 +1016,7 @@ HTTP authentication tokens are removed for third party elements using the
url="https://developer.mozilla.org/en/Setting_HTTP_request_headers#Observers">http-on-modify-request
observer</ulink> to remove the Authorization headers to prevent <ulink
url="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html">silent
-linkability between domains</ulink>. We also needed to <ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0004-Add-HTTP-auth-headers-before-the-modify-request-obse.patch">patch
-Firefox to cause the headers to get added early enough</ulink> to allow the
-observer to modify it.
-
+linkability between domains</ulink>.
</para>
</listitem>
<listitem>DOM Storage
@@ -1065,7 +1066,7 @@ We currently clear SSL Session IDs upon <link linkend="new-identity">New
Identity</link>, we disable TLS Session Tickets via the Firefox Pref
<command>security.enable_tls_session_tickets</command>. We disable SSL Session
IDs via a <ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0010-Disable-SSL-Session-ID-tracking.patch">patch
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0008-Disable-SSL-Session-ID-tracking.patch">patch
to Firefox</ulink>. To compensate for the increased round trip latency from disabling
these performance optimizations, we also enable
<ulink url="https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00">TLS
@@ -1307,7 +1308,7 @@ Firefox provides several options for controlling the browser user agent string
which we leverage. We also set similar prefs for controlling the
Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
<ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0001-Block-Components.interfaces-lookupMethod-from-conten.patch">remove
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0001-Block-Components.interfaces-from-content.patch">remove
content script access</ulink> to Components.interfaces, which <ulink
url="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html">can be
used</ulink> to fingerprint OS, platform, and Firefox minor version. </para>
@@ -1515,7 +1516,7 @@ audio and video objects.
<title>Description of Firefox Patches</title>
<para>
The set of patches we have against Firefox can be found in the <ulink
-url="https://gitweb.torproject.org/torbrowser.git/tree/maint-2.2:/src/current-patches/firefox">current-patches directory of the torbrowser git repository</ulink>. They are:
+url="https://gitweb.torproject.org/torbrowser.git/tree/maint-2.4:/src/current-patches/firefox">current-patches directory of the torbrowser git repository</ulink>. They are:
</para>
<orderedlist>
<listitem>Block Components.interfaces and Components.lookupMethod
@@ -1563,17 +1564,6 @@ allow this.
</para>
</listitem>
- <listitem>Add HTTP auth headers before on-modify-request fires
- <para>
-
-This patch provides a trivial modification to allow us to properly remove HTTP
-auth for third parties. This patch allows us to defend against an adversary
-attempting to use <ulink
-url="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html">HTTP
-auth to silently track users between domains</ulink>.
-
- </para>
- </listitem>
<listitem>Add a string-based cacheKey property for domain isolation
<para>
@@ -1581,23 +1571,12 @@ To <ulink
url="https://trac.torproject.org/projects/tor/ticket/3666">increase the
security of cache isolation</ulink> and to <ulink
url="https://trac.torproject.org/projects/tor/ticket/3754">solve strange and
-unknown conflicts with OCSP</ulink>, we had to <ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0005-Add-a-string-based-cacheKey.patch">patch
-Firefox to provide a cacheDomain cache attribute</ulink>. We use the url bar
+unknown conflicts with OCSP</ulink>, we had to patch
+Firefox to provide a cacheDomain cache attribute. We use the url bar
FQDN as input to this field.
</para>
</listitem>
- <listitem>Randomize HTTP pipeline order and depth
- <para>
-As an
-<ulink
-url="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting">experimental
-defense against Website Traffic Fingerprinting</ulink>, we patch the standard
-HTTP pipelining code to randomize the number of requests in a
-pipeline, as well as their order.
- </para>
- </listitem>
<listitem>Block all plugins except flash
<para>
We cannot use the <ulink
@@ -1648,6 +1627,18 @@ by the <link linkend="new-identity">New Identity</link> button.
</para>
</listitem>
+ <listitem>Randomize HTTP pipeline order and depth
+ <para>
+As an
+<ulink
+url="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting">experimental
+defense against Website Traffic Fingerprinting</ulink>, we patch the standard
+HTTP pipelining code to randomize the number of requests in a
+pipeline, as well as their order.
+ </para>
+ </listitem>
+
+<!-- XXX: Several more patches need documentation -->
</orderedlist>
</sect2>
More information about the tor-commits
mailing list