- Aug 30, 2018
-
The mixed content blocker should not block a directly-loaded image from a .onion domain. We need to detect this situation earlier in nsMixedContentBlocker::ShouldLoad.
-
browser is stuck in endless reload cycle
The problem goes away when the security.sandbox.content.level pref is set to 2. This patch sets the option on Windows only to work around this issue until the root cause is found and fixed.
-
- Aug 29, 2018
-
Georg Koppen authored
Disable wasm for now until we have it properly reviewed in #21549.
-
Also fix bug 27221: purge the startup cache if the Tor Browser version changed (even if the Firefox version and build ID did not change), e.g., after a minor Tor Browser update.
-
Georg Koppen authored
Disable WebVR for now until we have it properly audited in #21607.
-
Georg Koppen authored
Disable the Web Authentication API for now until we have it evaluated in #26614.
-
- Aug 28, 2018
-
Georg Koppen authored
Enable ReaderView mode again (#27281).
-
Within the update doorhanger, remove the misleading message that mentions that windows will be restored after an update is applied, and replace the "Restart and Restore" button label with an existing "Restart to update Tor Browser" string.
-
Also fix Bug 26049: reduce the delay before the update prompt is displayed. Instead of Firefox's 2 days, we use 1 hour (after which time the update doorhanger will be displayed).
-
- Aug 27, 2018
-
When privacy.spoof_english === 2, then en-US spoofing is enabled. In that case, make sure the date picker does not leak the locale.
-
- Update description copy and background color.
-
- Aug 26, 2018
-
Add a "New Circuit Display" promotional banner to the about:tbupdate page.
-
Adjust colors, fonts, and the page background to match the new about:tor.
-
Add an "Explore" button to the "Circuit Display" panel within new user onboarding which opens the DuckDuckGo .onion and then guides users through a short circuit display tutorial. Allow a few additional UITour actions while limiting as much as possible how it can be used. Tweak the UITour styles to match the Tor Browser branding. All user interface strings are retrieved from Torbutton's browserOnboarding.properties file.
-
- Aug 25, 2018
-
Georg Koppen authored
Bug 27268: There is no plugin.expose_full_path anymore
The preference got removed in https://bugzil.la/883671.
-
Bug 27268: Remove references to obsolete prefs.
Removed prefs are:
browser.usedOnWindows10
browser.selfsupport.enabled
browser.selfsupport.url
browser.newtabpage.directory.ping
browser.newtabpage.directory.source
browser.newtabpage.enhanced
browser.newtabpage.introShown
browser.newtabpage.remote
plugin.expose_full_path
plugins.hide_infobar_for_missing_plugin
plugins.hideMissingPluginsNotification
dom.mozTCPSocket.enabled
-
Bug 27257: Remove obsolete pref "dom.network.enabled" (The API is disabled under privacy.resistFingerprinting.)
-
- Aug 24, 2018
-
Arthur Edelstein authored
Bug 27262: Remove leftover HTTP pipelining preferences
The prefs were removed from Firefox in https://bugzilla.mozilla.org/show_bug.cgi?id=1340655
-
- Aug 23, 2018
-
An attacker can send a tampered torbutton extension to the user and TBA, currently, is not able to verify if the torbutton extension was built by Tor.
-
- Aug 22, 2018
-
Arthur Edelstein authored
Bug 26114: addons.mozilla.org is not special
* Don't expose navigator.mozAddonManager on any site
* Don't block NoScript from modifying addons.mozilla.org or other sites
-
Tor Browser for Desktop has a similar logic.
-
- Aug 20, 2018
-
The GeckoView AndroidManifest.xml is not preprocessed unlike Fennec's manifest, so we can't use the ifdef preprocessor guards around the permissions we do not want. Commenting the permissions is the next-best-thing.
-
- FirstrunTorPagerConfig.java: Create file that sets up all the views in the pager.
- FirstrunPager.java: Update code to use the FirstrunTorPagerConfig.
- FirstrunLastPanel.java: Create view that adds a close handler in the latest pager view.
-
- Aug 16, 2018
-
Bug 1483377 - Use static array for FilePreferences whitelist instead of StaticAutoPtr. r=mayhemer, a=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D3403
--HG--
extra : amend_source : b1eff8c536bcec5112211007347f558e32164905
-
--HG--
extra : source : 92ff98e2731eac0558cbc7e9c71e521246772240
extra : amend_source : e01976f9592cd2635c075cc6031e81a1b1e1b8bd
-
Georg Koppen authored
This reverts commit 50f4653b. We take the patch that actually landed on esr60 instead.
-
- Aug 15, 2018
-
certificate information
A side-effect of marking the state of HTTP onion pages as 'secure' is that they go through the EvaluateAndUpdateSecurityState code path in nsSecureBrowserUIImpl. The previous implementation would just leave the SSLStatus as-is when receiving an SSL 'info' object which could not be QueryInterface'd to an nsISSLStatusProvider. For secure SSL pages, this code-path would never occur, but for secure onion pages it would. This would result in the previous page's SSLStatus hanging around when transitioning to an HTTP onion site with the previous HTTPS's SSL info remaining for the JavaScript chrome to pull in and display.
This patch tweaks the EvaluateAndUpdateSecurityState to correctly clear the nsSecureBrowserUIImpl's owned nsISSLStatusProvider object in this scenario.
-
This permission is not needed and it is only used by the Stumbler (which we exclude at compile-time).
-
When privacy.spoof_english = 2, we should hide the user's locale in content. So we use en-US default strings for HTML form elements, such as a Submit button. We also force GetLocalizedEllipsis() to always return the ellipsis used by en-US.
-
Reuse the Firefox onboarding mechanism with minimal changes. Localizable strings are pulled in from Torbutton (if Torbutton is not installed, we lack about:tor and no tour will be shown). Replace SVG images with PNGs (see bug 27002). For defense in depth, omit OnboardingTelemetry.jsm entirely. Added support for the following UITour page event: torBrowserOpenSecuritySettings
-
Ship the onboarding system extension.
-
Disallow access to UITour functionality from all pages other than about:home, about:newtab, and about:tor. Implement a whitelist mechanism for page actions.
-
Bug 14952: Enable http/2 and AltSvc
In Firefox, SPDY/HTTP2 now uses Origin Attributes for isolation of connections, push streams, origin frames, etc. That means we get first-party isolation provided "privacy.firstparty.isolate" is true. So in this patch, we stop overriding "network.http.spdy.enabled" and "network.http.spdy.enabled.http2".
Alternate Services also use Origin Attributes for isolation. So we stop overriding "network.http.altsvc.enabled" and "network.http.altsvc.oe" as well.
(All 4 of the abovementioned "network.http.*" prefs adopt Firefox 60ESR's default value of true.)
However, we want to disable HTTP/2 push for now, so we set "network.http.spdy.allow-push" to false.
"network.http.spdy.enabled.http2draft" was removed in Bug 1132357.
"network.http.spdy.enabled.v2" was removed in Bug 912550.
"network.http.spdy.enabled.v3" was removed in Bug 1097944.
"network.http.spdy.enabled.v3-1" was removed in Bug 1248197.
-
These configure options should be false already, because we set |--without-google-play-services| in .mozconfig-android. But, this is another layer of certainty.
-
Picasso, the image retrieval library used by Fennec, ignores the network proxy configuration. We override the openConnection() method and create the connection using the configured proxy.
-