Commit message (Author, Age)
* Bug 15933: Isolate by base (top-level) domain name. [bug15933] (Mike Perry, 2015-05-07)
| TLD isolation is needed for file hosting sites, and sites with lots of subdomains.
* fixup! Bug #3455.2. Allow RFC1929 authentication (username/password) to SOCKS servers. (Nicolas Vigier, 2015-05-06)
| Remove unused variables proxyHost and proxyPort to fix unused-but-set-variable build errors.
* fixup! Bug #3455.1: Allow proxy settings to be set per URL bar domain. (Nicolas Vigier, 2015-05-06)
| Fix reorder build error:
|
| ../../../dist/include/mozilla/net/HttpBaseChannel.h:339:11: error: 'mozilla::net::HttpBaseChannel::mRedirectCount' will be initialized after [-Werror=reorder]
| ../../../dist/include/mozilla/net/HttpBaseChannel.h:327:20: error: 'nsCOMPtr<nsIURI> mozilla::net::HttpBaseChannel::mProxyURI' [-Werror=reorder]
| /builds/slave/try-l64-d-00000000000000000000/build/src/netwerk/protocol/http/HttpBaseChannel.cpp:39:1: error: when initialized here [-Werror=reorder]
* Bug 15857: Fix file descriptor leak in updater. (Mike Perry, 2015-05-06)
| Corresponds to Mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=1159826.
* Merge remote-tracking branch 'arthur/15899' into tor-browser-31.6.0esr-4.5-1 (Mike Perry, 2015-05-06)
|\
| * fixup! Bug #15502. Isolate blob URLs to first party; no blobURLs in Web Workers (Arthur Edelstein, 2015-05-01)
| |
* | fixup! Bug 12827: Create preference to disable SVG. (Kathy Brade, 2015-04-24)
|/
| During parsing, avoid dereferencing null pointers when script and style elements are created as generic elements (i.e., when svg.in-content.enabled=false).
| Fixes ticket #15794.
* Merge remote-tracking branch 'arthur/15502+8' into tor-browser-31.6.0esr-4.5-1 (Mike Perry, 2015-04-21)
|\
| * Bug #15502, Part 2: Regression tests for blob URL isolation (Arthur Edelstein, 2015-04-21)
| |
| * Bug #15502. Isolate blob URLs to first party; no blobURLs in Web Workers (Arthur Edelstein, 2015-04-21)
| |
* | Merge remote-tracking branch 'gk/bug_15758' into tor-browser-31.6.0esr-4.5-1 (Mike Perry, 2015-04-21)
|\ \
| | | Conflicts: browser/app/profile/000-tor-browser.js
| * | fixup! TB4: Tor Browser's Firefox preference overrides. (Georg Koppen, 2015-04-21)
| | |
* | | Merge remote-tracking branch 'gk/bug_15757' into tor-browser-31.6.0esr-4.5-1 (Mike Perry, 2015-04-21)
|\ \ \
| |_|/
|/| |
| * | fixup! TB4: Tor Browser's Firefox preference overrides. (Georg Koppen, 2015-04-21)
| |/
* | Bug 14716: HTTP Basic Authentication prompt only displayed once (Kathy Brade, 2015-04-17)
|/
| Modify the login manager implementation to handle the situation where storage is not available.
* Merge remote-tracking branch 'gk/bug_10761_v2' into tor-browser-31.6.0esr-4.5-1 (Mike Perry, 2015-04-15)
|\
| * Bug 10761: Fix shutdown crashes on Windows (Georg Koppen, 2015-04-14)
| | Jacek Caban gave us this patch which should fix the shutdown crashes on Windows (#10761 and #14454) as newer GCC/Binutils versions do not need the workaround anymore that got implemented back then in https://bugzilla.mozilla.org/show_bug.cgi?id=337887.
* | Revert "TB1: Add a string-based cacheKey." (Mike Perry, 2015-04-15)
| | This reverts commit 53f8f2506cb21bf1847a4261ef383db9be55a93c.
| |
| | This used to be used by Torbutton/SafeCache, but we moved the cache isolation to direct C++ patches instead.
* | Merge remote-tracking branch 'arthur/13875' into tor-browser-31.6.0esr-4.5-1 (Mike Perry, 2015-04-15)
|\ \
| * | fixup! Bug #5856: Do not expose physical screen info via window & window.screen. (Arthur Edelstein, 2015-04-08)
| | |
* | | fixup! TB4: Tor Browser's Firefox preference overrides. (Georg Koppen, 2015-04-14)
| | | We remove the keep-alive restriction now that we have isolation to the URL bar domain which is governing this as well (see: bug 4100).
* | | fixup! Bug #3455.2. Allow RFC1929 authentication (username/password) to SOCKS servers. (Georg Koppen, 2015-04-14)
|/ /
* | fixup! TB4: Tor Browser's Firefox preference overrides. (Arthur Edelstein, 2015-04-02)
|/
* Bug 10895: Fix versioning for langpacks. (Mike Perry, 2015-03-26)
|
* Bug 10280: Don't load any plugins into the address space. (Mike Perry, 2015-03-26)
| If the pref "plugin.disable" is set, the user has to click an extra button to cause Firefox to actually scan the filesystem for plugins.
|
| Note: The strings for this patch are actually present in Torbutton.
|
| Patch by 'disgleirio'.
* Bug 15406: Only include forced updates if extensions differ. (Kathy Brade, 2015-03-26)
| For the NoScript and HTTPS Everywhere extensions, only force files to be included in incremental MARs if the extension has changed. For NoScript we detect this by comparing the old and new .xpi files. For HTTPS Everywhere (which is unpacked) we only check install.rdf; our assumption is that the version number will be changed for each new release.
* Bug 15406: Do not force updates for Torbutton and Tor Launcher. (Kathy Brade, 2015-03-26)
| Since we have disabled updates for Torbutton and Tor Launcher, there is no need to force these extensions to be updated (replaced) when generating our incremental MAR files.
| Also, we no longer force an update to the pdf.js extension (it is now built into the browser) or to the firefox binary on Mac OS (Mozilla forces firefox to be replaced on Mac OS due to code signing / signature issues with partner builds; see https://bugzilla.mozilla.org/show_bug.cgi?id=770996).
* Bug 13548: Create preference to disable MathML. (Kathy Brade, 2015-03-26)
| If the mathml.disabled preference is true, treat <math> and other MathML elements as generic XML elements.
* Bug 12827: Create preference to disable SVG. (Kathy Brade, 2015-03-26)
| If the svg.in-content.enabled preference is false, disallow all use of SVG within content pages.
|
| In the following situations it is very difficult to determine if code is executing within a chrome context or not:
|   SVG hasFeature() API.
|   SVG hasExtension() API.
|   Use of SVG glyphs within custom OpenType fonts.
| In these cases, everything is assumed to be content; that is, setting the pref. to false will block use of the above features from chrome as well. This is OK because these features are unlikely to be used by core browser code.
* Bug 15201: Windows: disable "runas" code path in updater. (Kathy Brade, 2015-03-26)
| Instead of using "runas" to try to elevate privileges, the updater now fails if the user does not have permission to apply an update. This avoids potential security issues such as CVE-2015-0833.
* Bug 14631: Improve profile access error msgs (strings). (Kathy Brade, 2015-03-26)
| To allow for localization, get profile-related error strings from Torbutton.
| Use app display name ("Tor Browser") in profile-related error alerts.
* Bug 14631: Improve profile access error messages. (Kathy Brade, 2015-03-26)
| Instead of always reporting that the profile is locked, display specific messages for "access denied" and "read-only file system".
* Bug 13900: Remove 3rd party HTTP auth tokens. (Kathy Brade, 2015-03-26)
| Prevent user tracking via HTTP Basic Authentication by removing Authorization headers from third party requests.
|
| This is a port of a piece of the Stanford SafeCache code that previously was included in Torbutton.
* Bug 14392: Make about:tor behave like other initial pages. (Mike Perry, 2015-03-26)
|
* Bug 12430: Disable external jar: via preference (Georg Koppen, 2015-03-26)
| This is a patch written by Jeff Gibat (iSECPartners) to disable the jar: protocol handler via a preference. The preference is bound to the security slider settings (#9387).
* Bug #13749.2: Regression tests for first-party isolation of cache (Arthur Edelstein, 2015-03-26)
| This test ensures that if first-party isolation is enabled ("privacy.thirdparty.isolate" pref is set to 2) then when a loaded file is cached, it is indexed by the URL-bar domain.
|
| In this test, a number of files are loaded (via IFRAME, LINK, SCRIPT, IMG, OBJECT, EMBED, AUDIO, VIDEO, TRACK and XMLHttpRequest) by parent pages with different URL bar domains. When isolation is active, we test to confirm that a separate copy of each file is cached for each different parent domain. We also test to make sure that when isolation is inactive, a single copy of the child page is cached and reused for all parent domains.
* Bug #13749.1: regression tests for first party isolation of localStorage (Arthur Edelstein, 2015-03-26)
|
* Bug 13379: Adding our MAR signing keys. (Georg Koppen, 2015-03-26)
|
* Bug 13379: Sign our MAR files. (Kathy Brade, 2015-03-26)
| Configure with --enable-signmar (build the signmar tool).
| Configure with --enable-verify-mar (when updating, require a valid signature on the MAR file before it is applied).
| Use the Tor Browser version instead of the Firefox version inside the MAR file info block (necessary to prevent downgrade attacks).
| Use NSS on all platforms for checking MAR signatures (Mozilla plans to use OS-native APIs on Mac OS and they already do so on Windows). So that the NSS and NSPR libraries the updater depends on can be found at runtime, we add the firefox directory to the shared library search path on all platforms.
| Use SHA512-based MAR signatures instead of the SHA1-based ones that Mozilla uses. This is implemented inside MAR_USE_SHA512_RSA_SIG #ifdef's and with a signature algorithm ID of 512 to help avoid collisions with future work Mozilla might do in this area.
| See: https://bugzilla.mozilla.org/show_bug.cgi?id=1105689
* Bug 13379: Sign our MAR files (backport Mozilla patches). (Kathy Brade, 2015-03-26)
| Backport reviewed patches from these two Mozilla bugs:
|   903135 - Link updater to NSS and enable MAR verification on Linux and OSX
|   903126 - Implement a platform independent way to determine which cert to use for verifying mars
| Configure browser build with --enable-signmar and --enable-verify-mar.
* Bug 902761 - Stop storing certs used for MAR verification in EXE resource files. r=rstrong (Brian R. Bondy, 2015-03-26)
|
* Bug 902761 - Build configuration for turning .der files into .h files. r=rstrong (Brian R. Bondy, 2015-03-26)
|
* Bug 13439: No canvas prompt for content-callers. (Gunes Acar, 2015-03-26)
| Both the Inspector and PDF.js raise canvas prompts although they are no danger as they are delivered with the browser itself and are no untrusted content. This patch exempts both of them from canvas prompts, too.
|
| If calling `DescribeScriptedCaller` fails neither `scriptFile` nor `scriptLine` are logged.
* Revert "Bug 762358 - Re-run configure when mozconfig changed in a significant way. r=gps a=NPOTB" (Georg Koppen, 2015-03-26)
| This reverts commit 87d09ba73a620931ffbe2576064aae55a961b097.
|
| It seems it breaks our deterministic build setup running |configure| again during |make build|. The former does not like being run under libfaketime but the latter needs to be in order to get reproducible builds.
* Bug 13742: Isolate cache to URL bar domain. (Mike Perry, 2015-03-26)
|
* Bug 13558: Allow download folder change on Win XP. (Georg Koppen, 2015-03-26)
| Changing the download folder on Win XP was crashing due to a mingw-w64 related Firefox bug. This is the backport of the fix provided in https://bugzilla.mozilla.org/show_bug.cgi?id=1091594. Thanks to Jacek Caban for the help.
* Bug 13594: Windows updater depends on msvcr100.dll (Kathy Brade, 2015-03-26)
| On Windows, updater.exe failed to start if a copy of msvcr100.dll was not installed in the system directory. We now append to the PATH the directory that contains our copy of msvcr100.dll; that is, the Browser/ directory that contains firefox.exe.
|
| That same directory contains a copy of libssp-0.dll, which updater.exe also depends on; both DLL dependencies are now satisfied from the Browser/ directory. Previously, the libssp-0.dll dependency was being satisfied from the .../Browser/TorBrowser/Tor directory which Tor Launcher adds to the path (and typically the updater is run from within a browser session or after a restart during which the PATH is preserved).
* It seems like we need to add one more path traversal for ESR31 (Tom Ritter, 2015-03-26)
|
* Changes needed to build Mac in 64bit (Tom Ritter, 2015-03-26)
|
* Bug #3455.2. Allow RFC1929 authentication (username/password) to SOCKS servers. (Arthur Edelstein, 2015-03-26)
|