arthuredelstein / tor-browser Public

This is https://bugzilla.mozilla.org/show_bug.cgi?id=1351278

Bug 19316: change update URL from update_2 to update_3

It's not clear if it is still needed but we take it to be on the safe
side. This closes #21868.

Bug 19316: add support for a minInstructionSet attribute in the update
manifests.

… to the main thread. r=rstrong

MozReview-Commit-ID: LMoxF5yfXq2

--HG--
extra : rebase_source : c206e32bf8abf1aa225901ff5cde390a8a2ecec7

…ine from the main thread. r=rstrong

MozReview-Commit-ID: 9nOgB6z8ooE

--HG--
extra : rebase_source : 6a6a18f64297a0bd44e7d6f49b1812e035636e4c

In Mozilla bug 1324780, support for building with glib 2.28 (the version
available in CentOS 6) was added. However we are building on Debian
Wheezy which has glib 2.32. We fix that by backing out all glib > 2.28
code paths.

…ill not be enforced to rounded sizes when fingerprinting resistance is enabled. r?ehsan

A browser chrome test which ensures the dialog windows will not be enforced to
be rounded sizes when fingerprinting resistance is enabled.

MozReview-Commit-ID: LQG13FMANav

… rounded dimensions if it is

a window without a primary content when fingerprinting resistance is enabled. r?ehsan

This patch making the nsXULWindow::ForceRoundedDimensions() will only be called
when this window is a window which has a primary content when fingerprinting
resistance is enabled.

This will fix the problem that dialog windows are incorrectly resized after
fingerprinting resistance is enabled.

MozReview-Commit-ID: 6WD6c38CTPv

Always use the policies associated with the esr update channel so that
the e10s behavior is the same for all Tor Browser builds.

This reverts commit 6fd5ac8.

Use GTK2 for hardened-builds as well.

Update the user agent we set to a Windows ESR 52 one.

Bug 21239: Use GTK2 for ESR52 Linux builds

MozReview-Commit-ID: A41UJ6OHvP7

--HG--
extra : rebase_source : 0191c1bbece94bb9dabbf2daf56351a624efa481

This is tjr's workaround for bug 1331335.

Patch by Jacek Caban

…esses on Windows. r=mhowell,tjr

This is an exploit mitigation which causes the Windows system allocator to abort
in the event it is in a corrupted state, rather than attempt to proceed in a
potentially exploitable state.

Because we use jemalloc, this only affects system libraries or plugins which
still use the system allocator.

The has been enabled on our content processes for a while without incident.

r=mhowell,tjr

MozReview-Commit-ID: 5ctXugtbI1A

--HG--
extra : rebase_source : f6f134404be3b258a8e522c22fa061c32a47e313

This is due to an improper implementation of the WebSocket spec by Mozilla.

"There MUST be no more than one connection in a CONNECTING state.  If multiple
connections to the same IP address are attempted simultaneously, the client
MUST serialize them so that there is no more than one connection at a time
running through the following steps.

If the client cannot determine the IP address of the remote host (for
example, because all communication is being done through a proxy server that
performs DNS queries itself), then the client MUST assume for the purposes of
this step that each host name refers to a distinct remote host,"

https://tools.ietf.org/html/rfc6455#page-15

They implmented the first paragraph, but not the second...

While we're at it, we also prevent the DNS service from being used to look up
anything other than IP addresses if socks_remote_dns is set to true, so this
bug can't turn up in other components or due to 3rd party addons.

CFBundleIdentifiers can only contain [A-Za-z.-], and by convention
the app component is lowercase and does not contain '.'.

Make configure delete all characters other than [a-z-] when generating
MOZ_MACBUNDLE_ID from MOZ_APP_DISPLAYNAME.

(This affects "Tor Browser", but not "Firefox".)

When macOS opens a document or selects a default browser, it sometimes
uses the CFBundleSignature. Changing from the Firefox MOZB signature to
a different signature TORB allows macOS to distinguish between Firefox
and Tor Browser.

ASan builds with GCC are broken without this patch. The much more involved
one landed on mozilla-central a while ago but missed the ESR 52 train by
three days.

Mozilla introduced extension signing as a way to make it harder for an
attacker to get a malicious add-on running in a user's browser. See:
https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience
and https://blog.mozilla.org/addons/2016/01/22/add-on-signing-update/
for some background information.

In ESR45 this feature is enabled by default and we exempt both our own
extensions and EFF's HTTPS-Everywhere from this requirement.

… r=bagder,mayhemer

MozReview-Commit-ID: Gvm88q26VHK

--HG--
extra : rebase_source : 188b65cba6b4ecb243b4b6ab8c55733f82217567

…=arthuredelstein,smaug

This patch adds two more test cases, browser_roundedWindow_open.js and
browser_roundedWindow_windowSetting.js. The browser_roundedWindow_open.js tests
the window.open() with window features, it will test window.open() with numbers
of window features to see that whether the opened window is correctly rounded.

The browser_roundedWindow_windowSetting.js tests the setting of
innerWidth/Height and outerWidth/Height. To see that the window is correctly
rounded or not after the setting.

This patch also adds a head.js and rename the browser_roundedWindow.js to
browser_roundedWindow_newWindow.js. The head.js carries two helper functions
that calculate the maximum available content size and the chrome UI size of
the pop up window.

MozReview-Commit-ID: LxJ2h2qAanY

--HG--
extra : rebase_source : b3744155fda93bd9e1650d07db7105092a2e5260

…windows and the inner window will be automatically rounded after setting size through innerWidth/Height and outerWidth/Height when fingerprinting resistance is enabled. r=smaug

    This patch makes the size of inner windows will be automatically rounded for
    either window.open() with window features or setting window size through
    innerWidth/Height and outerWidth/Height when fingerprinting resistance is
    enabled. If the given value is greater the maximum available rounded size, then
    it will be set to the maximum value. Otherwise, the size will be set to the
    nearest upper 200x100.

    This patch also adds one helper function in nsContentUtils for calculating the
    rounded window dimensions.

    MozReview-Commit-ID: J2r3951vuNN

    --HG--
    extra : rebase_source : a44b19bdf2ce7e90fc831ddc2b85a86d594cb0c3

…ded size when fingerprinting resistance is enabled. r=arthuredelstein,smaug

MozReview-Commit-ID: Gvksnh3cKHM

--HG--
extra : rebase_source : cae848ca467af34c08bff7190dce50cffa1399cc

…ize when fingerprinting resistance is enabled. r=arthuredelstein,mikedeboer

MozReview-Commit-ID: F1Ray6c5dzq

--HG--
extra : rebase_source : ed299058bf6f926e5987468dcab518b110fd7220

Conflicts:
	browser/components/sessionstore/SessionStore.jsm

…erprinting resistance is enabled (adopt from Tor #19459). r=arthuredelstein,smaug

MozReview-Commit-ID: 1qBNQhfdIYP

--HG--
extra : rebase_source : c46b4a936960ff165f950a59c1d31c1c5849645f

 remove Amazon, eBay, bing

eBay and Amazon don't treat Tor users very well. Accounts often get locked and
payments reversed.

Also:
Bug 16322: Update DuckDuckGo search engine

We are replacing the clearnet URL with an onion service one (thanks to a
patch by a cypherpunk) and are removing the duplicated DDG search
engine. Duplicating DDG happend due to bug 1061736 where Mozilla
included DDG itself into Firefox. Interestingly, this caused breaking
the DDG search if JavaScript is disabled as the Mozilla engine, which
gets loaded earlier, does not use the html version of the search page.
Moreover, the Mozilla engine tracked where the users were searching from
by adding a respective parameter to the search query. We got rid of that
feature as well.

Also:
This fixes bug 20809: the DuckDuckGo team has changed its server-side
code in a way that lets users with JavaScript enabled use the default
landing page while those without JavaScript available get redirected
directly to the non-JS page. We adapt the search engine URLs
accordingly.