arthuredelstein / tor-browser Public
15197+10
Commits on Apr 9, 2016
-
fixup! Bug #6253: Add canvas image extraction prompt.
Add missing Unmap() call in CanvasRenderingContext2D::GetImageDataArray() to avoid assertion failure.
-
fixup! Bug 13252 - Do not store data in the app bundle
On Mac OS, store user data under ~/Library/Application Support/TorBrowser-Data if the application is installed in a directory whose path contains "/Applications" or if the user lacks write permission to the directory that contains TorBrowser.app. Since the TorBrowser-Data directory may be shared among different installations of the application on Mac OS, embed the app path in the update dir so that the update history is partitioned.
-
Bug 13252 - Do not store data in the app bundle
Add an --enable-tor-browser-data-outside-app-dir configure option. When this is enabled, all user data is stored in a directory named TorBrowser-Data which is located next to the application directory. The first time an updated browser is opened, migrate the existing browser profile, Tor data directory contents, and UpdateInfo to the TorBrowser-Data directory. If migration of the browser profile fails, an error alert is displayed and the browser is started using a new profile. Display an informative error message if the TorBrowser-Data directory cannot be created due to an "access denied" or a "read only volume" error. Add support for installing "override" preferences within the user's browser profile. All .js files in distribution/preferences (on Mac OS, Contents/Resources/distribution/preferences) will be copied to the preferences directory within the user's browser profile when the profile is created and each time Tor Browser is updated. This mechanism will be used to install the extension-overrides.js file into the profile. On Mac OS, add support for the --invisible command line option which is used by the meek-http-helper to avoid showing an icon for the helper browser on the dock.
-
Bug 18292: Staged updates fail on Windows
Temporarily disable staged updates on Windows.
-
Bug 16940: After update, load local change notes.
Add an about:tbupdate page that displays the first section from TorBrowser/Docs/ChangeLog.txt and includes a link to the remote post-update page (typically our blog entry for the release).
-
Bug 18008: Create a new MAR Signing key
This is part of our plan to rotate the main key used for signing MAR files about once a year to make. This is a defense in depth measure as there is no official way for revoking MAR signing keys. We begin with just replacing the secondary key as this one got mostly used to sign MAR files over the last year.
-
Bug 13379: Sign our MAR files.
Replace Mozilla's MAR signing certificates with our own. Configure with --enable-signmar (build the signmar tool). Configure with --enable-verify-mar (when updating, require a valid signature on the MAR file before it is applied). Use the Tor Browser version instead of the Firefox version inside the MAR file info block (necessary to prevent downgrade attacks). Use NSS on all platforms for checking MAR signatures (Mozilla plans to use OS-native APIs on Mac OS and they already do so on Windows). So that the NSS and NSPR libraries the updater depends on can be found at runtime, we add the firefox directory to the shared library search path on all platforms. Use SHA512-based MAR signatures instead of the SHA1-based ones that Mozilla uses. This is implemented inside MAR_USE_SHA512_RSA_SIG #ifdef's and with a signature algorithm ID of 512 to help avoid collisions with future work Mozilla might do in this area. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1105689
-
Bug #4234: Use the Firefox Update Process for Tor Browser.
New configure options:
  --with-tor-browser-version=VERSION # Pass TB version throughout build.
  --enable-tor-browser-update # Enable bundle update behavior.
The following files are never updated:
  TorBrowser/Data/Browser/profiles.ini
  TorBrowser/Data/Browser/profile.default/bookmarks.html
  TorBrowser/Data/Tor/torrc
Mac OS: Store update metadata under TorBrowser/UpdateInfo.
Removed the %OS_VERSION% component from the update URL (13047) and added support for minSupportedOSVersion, an attribute of the <update> element that may be used to trigger Firefox's "unsupported platform" behavior.
Windows: disable "runas" code path in updater (15201).
Windows: avoid writing to the registry (16236).
Also includes fixes for tickets 13047, 13301, 13356, 13594, 15406, 16014, and 16909.
Conflicts: browser/confvars.sh
-
Bug 18170: After update, only changelog tab shown
When in permanent private browsing mode, always return false for isAutomaticRestoreEnabled. This ensures that there will not be any confusion inside nsBrowserContentHandler.defaultArgs as to whether a one time session restore will occur. Also, for consistency and in case someone looks at the pref, avoid setting browser.sessionstore.resume_session = true during browser shutdown. This bug occurred when staging was not used during the update process. On Windows it always occurred because staging is not used even when it should be (see #18292).
-
Bug #11641: change TBB directory structure to be more like Firefox's
Unless the -osint command line flag is used, the browser now defaults to the equivalent of -no-remote. There is a new -allow-remote flag that may be used to restore the original (Firefox-like) default behavior.
-
Bug #9173: Change the default Firefox profile directory to be TBB-relative.
This should eliminate our need to rely on a wrapper script that sets $HOME and launches Firefox with -profile.
-
Bug #13670.1: Isolate favicon requests by first party
Conflicts: netwerk/base/mozIThirdPartyUtil.idl
-
Bug 16300: Isolate Broadcast Channels to first party.
Note that when the privacy.thirdparty.isolate pref. is set to 1 or 2, we disable use of Broadcast Channels by SharedWorkers since we cannot obtain the isolation host.
-
Bug #15502. Isolate blob, mediasource & mediastream URLs to first party
This patch handles blob URLs created and retrieved in Web Workers. See also #15703 and #16429. Conflicts: dom/base/ThirdPartyUtil.cpp
-
Bug 13670.2: Isolate OCSP requests by first party domain
Conflicts: dom/base/ThirdPartyUtil.cpp
-
Bug #6564: Isolate DOM storage to first party URI.
Also prevent DOM storage from ever writing to disk.
-
Bug #13749.2: Regression tests for first-party isolation of cache
This test ensures that if first-party isolation is enabled ("privacy.thirdparty.isolate" pref is set to 2) then when a loaded file is cached, it is indexed by the URL-bar domain. In this test, a number of files are loaded (via IFRAME, LINK, SCRIPT, IMG, OBJECT, EMBED, AUDIO, VIDEO, TRACK and XMLHttpRequest) by parent pages with different URL bar domains. When isolation is active, we test to confirm that a separate copy of each file is cached for each different parent domain. We also test to make sure that when isolation is inactive, a single copy of the child page is cached and reused for all parent domains.
squash! Bug #13749.2: Regression tests for first-party isolation of cache
Also checks first-party isolation of favicons: https://bugs.torproject.org/16728
-
Bug #6539: Isolate the Image Cache per url bar domain.
The image cache maintains its own table outside of the main cache, and does not obey cacheKeys by default.
-
Bug 13900: Remove 3rd party HTTP auth tokens.
Prevent user tracking via HTTP Basic Authentication by removing Authorization headers from third party requests. This is a port of a piece of the Stanford SafeCache code that previously was included in Torbutton. Conflicts: dom/base/ThirdPartyUtil.cpp
-
Bug #5742: API allows you to get the url bar URI for a channel or nsIDocument.
Logs the URI of the source doc/channel that failed. Also: Bug #10819: Add a pref, "privacy.thirdparty.isolate", to allow the activation or deactivation of isolating DOM storage and image caching by first party URI.
-
Bug 16620: Clear window.name when no referrer sent
Convert JS implementation (within Torbutton) to a C++ browser patch.
-
Bug #6253: Add canvas image extraction prompt.
(See also Bug #12684, Make "Not now" default for HTML5 canvas permission dialogue, patched by Isis Lovecruft.)
This implements a `PopupNotification` [0] which notifies users that a website has attempted to access an HTML5 canvas. The default ordering for buttons is:
  Not Now
  Never for this site (recommended)
  Allow in the future
* FIXES #12684 [1] by making "Not Now" the default in the HTML5 canvas fingerprinting permissions dialogue.
* Palette icons included in HTML5 canvas permissions PopupNotification UI. The image is freely licensed and obtainable from: https://openclipart.org/image/300px/svg_to_png/21620/ben_palette.png
* Includes a CSS whitespace hack from Pearl Crescent to the `CanvasPermissionPromptHelper_init()` function in `browser/base/content/browser.js` for causing the newlines in the `canvas.siteprompt` string (in torbutton.git, in `chrome/locale/en/torbutton.properties`) to render correctly in PopupNotification XUL <description> elements. [2]
NOTE: Applying this patch requires an additional patch to TorButton, to store the additional UI strings before localisation. [3]
[0]: https://mxr.mozilla.org/mozilla-esr24/source/toolkit/modules/PopupNotifications.jsm
[1]: https://bugs.torproject.org/12684
[2]: https://trac.torproject.org/projects/tor/ticket/12684#comment:21
[3]: isislovecruft/torbutton@368e74d
Also includes:
Bug 13021: Prompt before allowing Canvas isPointIn*() calls. Display our data extraction prompt and implement site-specific preferences for access to the isPointInPath() and isPointInStroke() methods.
Bug 13439: No canvas prompt for content-callers. Both the Inspector and PDF.js raise canvas prompts although they are no danger as they are delivered with the browser itself and are no untrusted content. This patch exempts both of them from canvas prompts, too. If calling `DescribeScriptedCaller` fails neither `scriptFile` nor `scriptLine` are logged.
-
Regression tests for Bug #17207: Hide mime types and plugins when resisting fingerprinting
-