arthuredelstein / tor-browser Public

… via window & window.screen.

Make sure that
screen.orientation.angle -> 0 and
screen.orientation.type -> "landscape-primary"

Also refactors screen.mozOrientation.

This fixes the isolation issues on the Page Info dialog (both video and
audio related). See bug 18703 for more details.

Avoid special handling and use of "add-if" for unpacked add-ons
that are located under distribution/extensions (fixes bug #18951).

Disable Pocket feature (bug 18886)

Revert "Bug 1159090 - Only append library path for updater if it is a unique value. r=rstrong"

This reverts commit 5c4fcaf.

…ache

Also tests for isolation of WorkerGlobalScope.importScripts()
https://bugs.torproject.org/18890

There should be no need to remove the OS X support introduced in
https://bugzilla.mozilla.org/show_bug.cgi?id=1225726 as enabling this
is governed by a preference (which is actually set to `false`). However,
we remove it at build time as well (defense in depth).

This is basically a backout of the relevant passages of
https://hg.mozilla.org/mozilla-central/rev/6bfb430de85d,
https://hg.mozilla.org/mozilla-central/rev/609b337bf7ab and
https://hg.mozilla.org/mozilla-central/rev/8e092ec5fbbd.

Instead of using the local computer's IP address within
symlink-based profile lock signatures, always use 127.0.0.1.

This patch fixes bug 16874 and 18767 as well.

Mozilla introduced extension signing as a way to make it harder for an
attacker to get a malicious add-on running in a user's browser. See:
https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience
and https://blog.mozilla.org/addons/2016/01/22/add-on-signing-update/
for some background information.

In ESR45 this feature is enabled by default and we exempt both our own
extensions and EFF's HTTPS-Everywhere from this requirement.

Ensure that the tickler is always stubbed out, even on
Android (e.g., for Orfox).

Restore the portion of this fix that was not upstreamed as part of
https://bugzilla.mozilla.org/show_bug.cgi?id=232227: use properly
contrasting colors if the desktop theme specifies white on black
for text colors (see bug 7920). These color choices are not exposed
to content.

Backported for Tor Browser

The hardened Tor Browser based on ESR45 is working fine again without
disabling the startup cache. We should enable it again even if the
performance win is probably minor.

Add an --enable-tor-browser-data-outside-app-dir configure option.
When this is enabled, all user data is stored in a directory named
TorBrowser-Data which is located next to the application directory.

The first time an updated browser is opened, migrate the existing
browser profile, Tor data directory contents, and UpdateInfo to the
TorBrowser-Data directory. If migration of the browser profile
fails, an error alert is displayed and the browser is started
using a new profile.

Display an informative error messages if the TorBrowser-Data
directory cannot be created due to an "access denied" or a
"read only volume" error.

Add support for installing "override" preferences within the user's
browser profile. All .js files in distribution/preferences (on
Mac OS, Contents/Resources/distribution/preferences) will be copied
to the preferences directory within the user's browser profile when
the profile is created and each time Tor Browser is updated. This
mechanism will be used to install the extension-overrides.js file
into the profile.

On Mac OS, add support for the --invisible command line option which
is used by the meek-http-helper to avoid showing an icon for the
helper browser on the dock.

Temporarily disable staged updates on Windows.

Add an about:tbupdate page that displays the first section from
TorBrowser/Docs/ChangeLog.txt and includes a link to the remote
post-update page (typically our blog entry for the release).

This is part of our plan to rotate the main key used for signing MAR
files about once a year to make. This is a defense in depth measure as
there is no official way for revoking MAR signing keys.

We begin with just replacing the secondary key as this one got mostly
used to sign MAR files over the last year.

Replace Mozilla's MAR signing certificates with our own.
Configure with --enable-signmar (build the signmar tool).
Configure with --enable-verify-mar (when updating, require a valid signature
  on the MAR file before it is applied).
Use the Tor Browser version instead of the Firefox version inside the
  MAR file info block (necessary to prevent downgrade attacks).
Use NSS on all platforms for checking MAR signatures (Mozilla plans to use
  OS-native APIs on Mac OS and they already do so on Windows). So that the
  NSS and NSPR libraries the updater depends on can be found at runtime, we
  add the firefox directory to the shared library search path on all platforms.
Use SHA512-based MAR signatures instead of the SHA1-based ones that Mozilla
  uses. This is implemented inside MAR_USE_SHA512_RSA_SIG #ifdef's and with
  a signature algorithm ID of 512 to help avoid collisions with future work
  Mozilla might do in this area.
  See: https://bugzilla.mozilla.org/show_bug.cgi?id=1105689

New configure options:
  --with-tor-browser-version=VERSION # Pass TB version throughout build.
  --enable-tor-browser-update        # Enable bundle update behavior.
The following files are never updated:
  TorBrowser/Data/Browser/profiles.ini
  TorBrowser/Data/Browser/profile.default/bookmarks.html
  TorBrowser/Data/Tor/torrc
Mac OS: Store update metadata under TorBrowser/UpdateInfo.
Removed the %OS_VERSION% component from the update URL (13047) and
  added support for minSupportedOSVersion, an attribute of the
  <update> element that may be used to trigger Firefox's
  "unsupported platform" behavior.
Windows: disable "runas" code path in updater (15201).
Windows: avoid writing to the registry (16236).
Also includes fixes for tickets 13047, 13301, 13356, 13594, 15406,
  16014, and 16909.

When in permanent private browsing mode, always return false
for isAutomaticRestoreEnabled. This ensures that there will
not be any confusion inside nsBrowserContentHandler.defaultArgs
as to whether a one time session restore will occur.

Also, for consistency and in case someone looks at the pref,
avoid setting browser.sessionstore.resume_session = true during
browser shutdown.

This bug occurred when staging was not used during the update
process. On Windows it always occurred because staging is not
used even when it should be (see #18292).

Unless the -osint command line flag is used, the browser now defaults
to the equivalent of -no-remote.  There is a new -allow-remote flag that
may be used to restore the original (Firefox-like) default behavior.

…ative.

This should eliminate our need to rely on a wrapper script that
sets $HOME and launches Firefox with -profile.

Note that when the privacy.thirdparty.isolate pref. is set to 1 or 2,
we disable use of Broadcast Channels by SharedWorkers since we cannot
obtain the isolation host.

…omain