arthuredelstein / tor-browser Public

…ache

Bug #16326: Add regression test for isolating fetch and request in page scripts and workers

See also: Bug 18741: Ensure that favicons and similar "content images in chrome"
get the correct first-party assigned.

Bug 18331: Update .mozconfig for new cross-compiler

We disable Selfsupport and Unified Telemetry (and set another
datareporting URL to "data:text/plain,"). This is bug 18738.

Enforce SHA1 deprecation (bug 18042)

This patch fixes bug 16874 and 18767 as well.

Mozilla introduced extension signing as a way to make it harder for an
attacker to get a malicious add-on running in a user's browser. See:
https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience
and https://blog.mozilla.org/addons/2016/01/22/add-on-signing-update/
for some background information.

In ESR45 this feature is enabled by default and we exempt both our own
extensions and EFF's HTTPS-Everywhere from this requirement.

Although the DOM Push API is disabled by default (probably because it
requires service workers, which are also disabled in ESR45), set the
push server URL to an empty string as a "defense in depth" measure.
This is bug 18801.

Ensure that the tickler is always stubbed out, even on
Android (e.g., for Orfox).

We want to make sure Tracking Protection is disabled in Private Browsing
Mode (PBM) (as well). While that feature is disabled in non-PBM Mozilla
ships this enabled in its private mode we use.

Bump User Agent for switch to ESR 45.

Restore the portion of this fix that was not upstreamed as part of
https://bugzilla.mozilla.org/show_bug.cgi?id=232227: use properly
contrasting colors if the desktop theme specifies white on black
for text colors (see bug 7920). These color choices are not exposed
to content.

Backported for Tor Browser

The hardened Tor Browser based on ESR45 is working fine again without
disabling the startup cache. We should enable it again even if the
performance win is probably minor.

Add an --enable-tor-browser-data-outside-app-dir configure option.
When this is enabled, all user data is stored in a directory named
TorBrowser-Data which is located next to the application directory.

The first time an updated browser is opened, migrate the existing
browser profile, Tor data directory contents, and UpdateInfo to the
TorBrowser-Data directory. If migration of the browser profile
fails, an error alert is displayed and the browser is started
using a new profile.

Display an informative error messages if the TorBrowser-Data
directory cannot be created due to an "access denied" or a
"read only volume" error.

Add support for installing "override" preferences within the user's
browser profile. All .js files in distribution/preferences (on
Mac OS, Contents/Resources/distribution/preferences) will be copied
to the preferences directory within the user's browser profile when
the profile is created and each time Tor Browser is updated. This
mechanism will be used to install the extension-overrides.js file
into the profile.

On Mac OS, add support for the --invisible command line option which
is used by the meek-http-helper to avoid showing an icon for the
helper browser on the dock.

Temporarily disable staged updates on Windows.

Add an about:tbupdate page that displays the first section from
TorBrowser/Docs/ChangeLog.txt and includes a link to the remote
post-update page (typically our blog entry for the release).

This is part of our plan to rotate the main key used for signing MAR
files about once a year to make. This is a defense in depth measure as
there is no official way for revoking MAR signing keys.

We begin with just replacing the secondary key as this one got mostly
used to sign MAR files over the last year.

Replace Mozilla's MAR signing certificates with our own.
Configure with --enable-signmar (build the signmar tool).
Configure with --enable-verify-mar (when updating, require a valid signature
  on the MAR file before it is applied).
Use the Tor Browser version instead of the Firefox version inside the
  MAR file info block (necessary to prevent downgrade attacks).
Use NSS on all platforms for checking MAR signatures (Mozilla plans to use
  OS-native APIs on Mac OS and they already do so on Windows). So that the
  NSS and NSPR libraries the updater depends on can be found at runtime, we
  add the firefox directory to the shared library search path on all platforms.
Use SHA512-based MAR signatures instead of the SHA1-based ones that Mozilla
  uses. This is implemented inside MAR_USE_SHA512_RSA_SIG #ifdef's and with
  a signature algorithm ID of 512 to help avoid collisions with future work
  Mozilla might do in this area.
  See: https://bugzilla.mozilla.org/show_bug.cgi?id=1105689

New configure options:
  --with-tor-browser-version=VERSION # Pass TB version throughout build.
  --enable-tor-browser-update        # Enable bundle update behavior.
The following files are never updated:
  TorBrowser/Data/Browser/profiles.ini
  TorBrowser/Data/Browser/profile.default/bookmarks.html
  TorBrowser/Data/Tor/torrc
Mac OS: Store update metadata under TorBrowser/UpdateInfo.
Removed the %OS_VERSION% component from the update URL (13047) and
  added support for minSupportedOSVersion, an attribute of the
  <update> element that may be used to trigger Firefox's
  "unsupported platform" behavior.
Windows: disable "runas" code path in updater (15201).
Windows: avoid writing to the registry (16236).
Also includes fixes for tickets 13047, 13301, 13356, 13594, 15406,
  16014, and 16909.

When in permanent private browsing mode, always return false
for isAutomaticRestoreEnabled. This ensures that there will
not be any confusion inside nsBrowserContentHandler.defaultArgs
as to whether a one time session restore will occur.

Also, for consistency and in case someone looks at the pref,
avoid setting browser.sessionstore.resume_session = true during
browser shutdown.

This bug occurred when staging was not used during the update
process. On Windows it always occurred because staging is not
used even when it should be (see #18292).

Unless the -osint command line flag is used, the browser now defaults
to the equivalent of -no-remote.  There is a new -allow-remote flag that
may be used to restore the original (Firefox-like) default behavior.

…ative.

This should eliminate our need to rely on a wrapper script that
sets $HOME and launches Firefox with -profile.

Note that when the privacy.thirdparty.isolate pref. is set to 1 or 2,
we disable use of Broadcast Channels by SharedWorkers since we cannot
obtain the isolation host.

…omain

This patch handles blob URLs created and retrieved in Web Workers.

See also #15703 and #16429.

Conflicts:
	dom/base/ThirdPartyUtil.cpp

Conflicts:
	dom/base/ThirdPartyUtil.cpp

Also prevent DOM storage from ever writing to disk.