| Commit message | Author | Age |
|
This commit just adds the string. I wanted to do this ASAP so we can get it
translated before deploying the actual dialog (#3838).
|
We do this by removing the Authenticate header. Users will now experience
dialogs informing them of incorrect authentication attempts in the event of an
attack/attempted use of 3rd party auth. See #3837 for the bug to improve the
dialog.
|
It breaks navigation and other things that we cannot fix in the toggle model.
Also it is of questionable real privacy value.
|
See also #3229. These things are written to disk now.
|
The warning "No tab found for session store tag" can appear during "New
Identity" in TBB. This is due to a lack of proper context for the browser
object. It may also indicate a leak of sessionstore data to disk.
|
The cookie protections API I used in "New Identity" would do nothing if you
had no protected cookies.
I don't believe this issue affected 1.4.0, though.
|
Due to bug #3429, referer spoofing is breaking browser navigation. Since it is
unsafe to fix #3429 while people still insist on using the toggle model, I'm
just going to hide the referer spoofing option for now.
|
Hotmail appears to have an optimization strategy that involved pre-loading all
of the scripts involved in their site as object tags. When the user navigates
between pages, the appropriate object tags get converted into script tags and
executed.
The problem for us is that docShell.allowPlugins is implemented as a content
policy that blocks object tags for a given page. We use this API because the toggle
model requires the ability to do per-page plugin control.
Firefox 3.6 introduced a global plugin control API that allows us to
enable/disable individual plugins, but this was unfit for use in the toggle
situation where tabs might sit around in the background.
However, we can use it for TBB. This patch switches us to using the plugin
manager API, in TBB only.
|
This keeps window.name reset when the user enters a new url by hand. It also
blocks window.name entirely if you have disabled referers (which I think is
what someone who disables referers probably wants).
|
We use the cookie permissions api to get the origin URI. It can do some magic
we can't do from XPCOM. Thanks to Georg Koppen for the tip!
|
We were blocking some of their javascript, which they apparently load in
object tags?
|
At long last, the witch is dead.
|
Add a fallback to use the referer host if we can't find the owner window
through either loadGroup or notificationCallbacks.
This might still leave https:// urls sourced from http:// frames
un-isolated, as well as the reverse...
|
Thanks to Georg Koppen for catching this oversight.
|
Documented in as close to script form as possible. In the bright bright
future, the whole release process will be automated.
|
But what the hell do I know...
|
Also make the links work, finally.
|
Also allow 3rd party caching by default.
|
Use browser's internal MD5 instead.
|
They were registering way too many redundant listeners and incorrectly
referencing window.content.location.
|
Make it always on.
Also, give 'SafeCookie' its own pref and make it off by default.
|
We're going to trim down our prefs soon. We want safecache always-on.
|
http://crypto.stanford.edu/cs294s/projects/browser.html
We're going to chop this up a bit, but I figured I'd commit a pristine copy of
his work before doing so.
|
Need to use nsIScreenManager.
|
Since clicking on torbutton no longer toggles Tor state, we should just
display the current state in the tooltip.
|
Rather than one fixed size, we try to bin the resolution into just a few
possibilities, choosing the largest bin possible for a given desktop
resolution. We also cap the width at 1000.
|
We only resize windows to 50px on page load now.
|
Also make clicking provide a menu rather than auto-toggle.
|
The search results seem slightly better than ixquick, and the interface is a
lot slicker.
Plus, who wouldn't trust a duck with a bow-tie? He just wants to help you so
bad.
|
Also handle the upgrade case to avoid inconsistent prefs.
|
The code will delete any existing protections files from the earlier alphas,
or from simply changing prefs.
|
The toggle ensures our applied prefs match the current torbutton xpi values.
It also ensures our proxy matches the environment variable (#2843).
|
We still need to fix #2338 to deal with this properly. TBB will never read the
env var otherwise.
|
These changes only make the preferences window sane wrt the TOR_SOCKS_PORT
environment var. We still need some code to set the pref during startup.
|
Turns out there's just one that makes sense to set right now.
|
Thanks arno.
|
I think these folks may be right, at least for the short term:
http://www.contextis.com/resources/blog/webgl/
Remote fonts were a minefield of exploits, and the vulnerability surface there
was like 1% of OpenGL.
After a few releases, we can revisit the remaining fingerprinting issues and
consider re-enabling.
|