Feature #15023

Upgrade to Tor Browser based on Firefox ESR60

Added by intrigeri almost 2 years ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 08/30/2017
Due date: 08/09/2018
% Done: 100%
Estimated time: (Total: 6.00 h)
Feature Branch: feature/15023-tor-browser-8, torbrowser-launcher:feature/15023-tor-browser-8
Type of work: Code
Blueprint:
Starter:
Affected tool: Browser

Description

Relevant upstream tickets: https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~ff60-esr&max=256

Foreseeable issues:

  • See subtasks.
  • Likely there will be a non-XUL (or system add-on) Tor Launcher to migrate to.
  • Likely Torbutton will be installed in a different manner. XXX: reference needed
  • sandboxing improvements require unprivileged user namespaces to be enabled + some AppArmor tweaks: is the risk/benefit worth it? this does not have to be solved as part of this ticket but it's something to keep in mind and if not dealt with here, a follow-up ticket shall be created

Subtasks

Bug #14555: Migrate to Tor Launcher compatible with Firefox ESR60 (Resolved)

Feature #15530: Start upgrading to Tor Browser based on Firefox ESR60 (Rejected)

Feature #15531: Update plans and timeline wrt. upgrading to Tor Browser based on Firefox 60ESR (Resolved)

Feature #15701: Adapt and run our test suite for Tor Browser 8 (Resolved)

Feature #15702: Adjust to uBlock web extension (Resolved)

Feature #15703: Check that all our custom browser prefs are taken into account with Firefox ESR60 (Resolved)

Feature #15704: Check what to do wrt. the libmozsandbox.so loading error (Resolved)

Feature #15705: Review current state of feature/15023-tor-browser-8 (Resolved)

Bug #15707: Our custom extensions.torbutton.launch_warning is not honored (Resolved)

Bug #15708: The Unsafe Browser lacks some of our customization with Firefox ESR60 (Resolved)

Bug #15716: Check Tor Browser 8 memory usage (Resolved)

Bug #15717: Firefox' "Web Content" processes are not confined as strictly as they used to (Resolved)

Bug #15719: Our custom bookmarks are not enabled in Tor Browser 8 in a non-English session (Rejected)

Feature #15773: Tor Browser 8 can't install new addons (Rejected)

Bug #15777: NoScript and HTTPS Everywhere icons are not shown on first start (Resolved)


Related issues

Related to Tails - Bug #15092: Update our 2018 release schedule wrt. new Firefox ESR plans Resolved 12/22/2017
Related to Tails - Feature #12571: Find a nicer way to add exceptions from mandatory signing for our Tor Browser add-ons Confirmed 05/19/2017
Related to Tails - Bug #15706: Tor Browser 8 always prompts wrt. asking webpages in English Resolved 07/03/2018
Blocks Tails - Feature #15334: Core work 2018Q3: Foundations Team Resolved 02/20/2018
Blocks Tails - Bug #14962: Tor Browser >= 7.0.8 fails to render local pages correctly Resolved 11/16/2017
Blocks Tails - Feature #15720: Use Tor Browser for offline documentation and drop the documentation browser Resolved 07/06/2018
Blocks Tails - Bug #14771: Retrying mechanism for the "I open the address" step is buggy in the Unsafe Browser Resolved 10/04/2017
Blocks Tails - Feature #7759: Chroot browsers should use their own icons Resolved
Blocks Tails - Bug #15725: Are recent Firefox sandboxing improvements worth enabling unprivileged user namespaces? Confirmed 07/10/2018
Blocks Tails - Bug #15101: Add feedback when opening desktop launchers Resolved 12/25/2017
Blocks Tails - Bug #11711: "The Unsafe Browser can be used in all languages supported in Tails" test is broken for locales that have a translated homepage Resolved 08/24/2016

Associated revisions

Revision 7b518f36 (diff)
Added by intrigeri over 1 year ago

Calendar: add plan for porting Tails to Tor Browser based on Firefox 60ESR (refs: #15023)

Revision f1bd9e8f (diff)
Added by intrigeri about 1 year ago

Extract strip_nondeterminism stuff into its own function (refs: #15023)

We'll need to do other operations that modify omni.ja, so let's decouple
this from the ad-hoc place where it was originally.

Revision b55fff9f (diff)
Added by intrigeri about 1 year ago

Adjust extensions prefs patching: they're now bundled in omni.ja (refs: #15023).

Revision f546ed81 (diff)
Added by intrigeri about 1 year ago

Stop generating localized Startpage search engines (refs: #15023)

We've switched to DuckDuckGo 1.5 years ago and have no plans to move back.
But still, stop deleting the Startpage search engine(s) shipped with
Tor Browser.

Revision 4bdf4ab3 (diff)
Added by intrigeri about 1 year ago

Browser search engines: add descriptions for new Tor Browser locales (refs: #15023).

Revision ae5c1fe8 (diff)
Added by intrigeri about 1 year ago

Install spellchecker dictionaries for new Tor Browser locales (refs: #15023).

Revision 7ad75e22 (diff)
Added by intrigeri about 1 year ago

Install spellchecker dictionaries for Tor Browser locales that now have one in Stretch (refs: #15023).

Revision 4aa3b7d3 (diff)
Added by intrigeri about 1 year ago

Onion Grater: allow Tor Browser to do "GETINFO net/listeners/socks" (refs: #15023)

Without this, Tor Browser 8.0a9 tells us it cannot connect to tor.

Revision e69b5113 (diff)
Added by intrigeri about 1 year ago

Update Tor Browser icon location (refs: #15023)

Revision 8b7dbd13 (diff)
Added by intrigeri about 1 year ago

Set localization Tor Browser prefs directly in prefs.js (refs: #15023)

preferences/0000locale.js is apparently ignored.

Revision 2e84dad3 (diff)
Added by intrigeri about 1 year ago

Drop search engine customization and stick to Tor Browser's defaults (refs: #15023)

This area has become a recurring PITA across major Firefox upgrades,
needing more and more hacks every time. Now it's broken again for ESR60.
Let's drop the ball: if we really need something special, we can talk
to the Tor Browser team.

Revision b959708b (diff)
Added by intrigeri about 1 year ago

Install uBlock Origin webext instead of xul-ext (refs: #15023)

Revision 48d28415 (diff)
Added by intrigeri about 1 year ago

Test suite: update list of libs that Tor Launcher is known not to use (refs: #15023)

Revision 6f6d7983 (diff)
Added by intrigeri about 1 year ago

Give the Unsafe Browser access to /dev/shm (refs: #15023)

Otherwise it fails to render anything and its window is filled with black.

https://bugzilla.mozilla.org/show_bug.cgi?id=1450169

Revision 559b1d23 (diff)
Added by intrigeri about 1 year ago

AppArmor: give Tor Browser access to the system-wide webext directory (refs: #15023)

… otherwise uBlock cannot be loaded.

Revision 212b62c4 (diff)
Added by intrigeri about 1 year ago

Fix the chrooted browsers prefs (refs: #15023)

Revision f7f4bcb5 (diff)
Added by intrigeri about 1 year ago

Move our Tor Browser prefs to user.js (refs: #15023)

I can't manage to have them be taken into account. Presumably
this would be doable by adding them to omni.ja but let's not bother:
I see little downside to simplify things here.

Revision 1c2c85fc (diff)
Added by intrigeri about 1 year ago

Test suite: adjust for Tor Browser 8 (refs: #15023)

There's no "document frame" anymore, now it's a "frame".
And we don't need the special case about "Getting started…"
since we don't point there anymore.

Revision 9757969e (diff)
Added by intrigeri about 1 year ago

Display the Stop/Reload button in Tor Browser: our test suite currently depends on it (refs: #15023)

I could not find another reliable way to tell whether a page has loaded. I've
added a note on #11592 to revert this commit and find a better way, whenever we
work on this (fragile) part of our test suite.

Revision acbf458a (diff)
Added by intrigeri about 1 year ago

Test suite: adjust Reload button name for Tor Browser 8 (refs: #15023)

Revision cbeee47a (diff)
Added by intrigeri about 1 year ago

Rename function to better express its current job (refs: #15023)

Revision b52a5596 (diff)
Added by intrigeri about 1 year ago

Bundle our custom prefs into the Tor Browser's omni.ja (refs: #15023)

Shipping them in user.js has a few downsides:

- They override whatever is in prefs.js so basically prefs in user.js are
locked: any modification done in about:config will be reverted next time Tor
Browser starts, which can be a PITA when developing Tails.
- In about:config, all these prefs are listed as modified by the user,
which feels wrong.
- It makes it harder for derivatives to implement things properly.

Revision 2a962df4 (diff)
Added by intrigeri about 1 year ago

Remove now useless Tor Browser pref (refs: #15023)

The Tor check done by Torbutton now works fine, no need to disable it anymore.

Revision 743b669d (diff)
Added by intrigeri about 1 year ago

Switch to new pref name (refs: #15023)

Revision 560b27f2 (diff)
Added by intrigeri about 1 year ago

Test suite: adjust looking for errors for Tor Browser 8 (refs: #15023)

Revision 1725d02c (diff)
Added by intrigeri about 1 year ago

AppArmor: fix "Save Page As" with Tor Browser 8.0a9 (refs: #15023)

Cherry-picked from
https://github.com/micahflee/torbrowser-launcher/commit/ad95bbda69045f3c9ace241939ee9e1fccc16ac8

Revision 20552f37 (diff)
Added by intrigeri about 1 year ago

Enable e10s in the Unsafe Browser (refs: #15023)

It now works just fine with Firefox ESR60.

Revision 7afb7fd2 (diff)
Added by intrigeri about 1 year ago

Test suite: update image for Firefox 60 (refs: #15023)

Revision c5a7b28e (diff)
Added by intrigeri about 1 year ago

Test suite: take into account that the Reload button now looks different in the Unsafe Browser than in Tor Browser (refs: #15023)

It has the red theme applied.

Revision 72f3d061 (diff)
Added by intrigeri about 1 year ago

Test suite: update images for Firefox 60 (refs: #15023)

Revision 7993030c (diff)
Added by intrigeri about 1 year ago

Test suite: update printing test for Tor Browser 8 GUI (refs: #15023)

It now uses the system GTK3 dialog.

Revision 9e307d9c (diff)
Added by intrigeri about 1 year ago

Test suite: fix clicking the Print button in Tor Browser (refs: #15023)

Mixing Dogtail and Sikuli is tricky: in this case, Dogtail pretended it had
clicked the Print button, but that was before the output file selection dialog
had disappeared, so that click did nothing. So let's do the same as in the
Evince test, that works in a robust manner.

Revision 6a221c4d (diff)
Added by intrigeri about 1 year ago

Test suite: adapt file saving dialog to Firefox 60 (refs: #15023)

… and incidentally, this image can be used by future tests of other GTK3 apps.

Revision 209de345 (diff)
Added by intrigeri about 1 year ago

Test suite: give 3 virtual CPUs to the system under test (refs: #15023).

… otherwise the "Watching a WebM video" test fails ("No video with supported
format and MIME type found.") and I see this in the Journal:

Jul 04 09:25:39 amnesia tor-browser.desktop[9040]: [Child 9313, MediaPlayback #3] WARNING: Decoder=7e6a6a774200 state=DECODING_METADATA Decode metadata failed, shutting down decoder: file /var/tmp/build/firefox-a0efd2fcd6e9/dom/media/MediaDecoderStateMachine.cpp, line 379
Jul 04 09:25:39 amnesia tor-browser.desktop[9040]: [Child 9313, MediaPlayback #3] WARNING: Decoder=7e6a6a774200 Decode error: NS_ERROR_DOM_MEDIA_METADATA_ERR (0x806e0006): file /var/tmp/build/firefox-a0efd2fcd6e9/dom/media/MediaDecoderStateMachine.cpp, line 3445

We already had to bump the number of vCPUs to 2 for the exact same reason.
I suspect that increased e10s usage has something to do with it.

I can't reproduce the bug and that video plays just fine with only 2 vCPUs on
a manual testing VM of mine, so I'll call this a test suite only issue.

Revision 391d9eaa (diff)
Added by intrigeri about 1 year ago

Test suite: handle the fact that the browser address bar is initialized lazily (refs: #15023)

Initially it says "Search or enter address" and after some actions it says
"Search with DuckDuckGo or enter address", both in Tor Browser, Unsafe
Browser, and Tor Browser 8.0a9 outside of Tails.

Revision 2a192d60 (diff)
Added by intrigeri about 1 year ago

Test suite: update image for Tor Browser 8 (refs: #15023)

Revision b5fac998 (diff)
Added by intrigeri about 1 year ago

Test suite: update Unsafe Browser proxy tests for Firefox 60 (refs: #15023)

… and factorize a bunch of lines in passing.

Revision ec0699be (diff)
Added by intrigeri about 1 year ago

Test suite: make the audio test more robust (refs: #15023)

I did not manage to make it robust enough with Firefox 60 and this test was
never meant to exercise the HTML5 player: it was introduced
(136db50c290dd2c13392f3493ad518e6c969fa56) to ensure our AppArmor
confinement for Tor Browser did not break audio playback, so let's
do this and not more, just like we're doing for the video test as well.

Revision d0f2eff0 (diff)
Added by intrigeri about 1 year ago

Test suite: wait on page load before trying to save it (refs: #15023)

Revision 53c8d69c (diff)
Added by intrigeri about 1 year ago

Test suite: adjust to new default Firefox bookmark (refs: #15023)

Revision 2dcf92c0 (diff)
Added by intrigeri about 1 year ago

Test suite: use a more reliable URL for the audio test (refs: #15023)

Apparently the previous host is not delivering the data we need reliably. We're
already relying on a remote host that's not under our control, so we can as well
switch to one that's on infrastructure that has a better chance to be reliable.

Revision 9baca2e3 (diff)
Added by intrigeri about 1 year ago

Give Tor Browser's Web Content process some more access it now needs (refs: #15023).

Revision 0c62d10d (diff)
Added by intrigeri about 1 year ago

Revert "Test suite: give 3 virtual CPUs to the system under test (refs: #15023)."

Since I made this change, I've seen the error that this vCPUs bump was supposed
to fix even with 4 vCPUs, but I've not seen it since I've added retry_tor
magics to the relevant scenario in f255a4ede6ab285287556e39e358110e513132b1.
So even though the number of vCPUs might help reduce the risk of seeing
this error, it's not sufficient and I'd rather count on the retry_tor
magics.

This reverts commit 209de345a373163f2dd62404cd655f4920678021.

Revision 8bb1b080 (diff)
Added by intrigeri about 1 year ago

Test suite: take into account that newly supported he_IL Tor Browser locale is RTL (refs: #15023).

Revision b6406c23 (diff)
Added by intrigeri about 1 year ago

Test suite: update Torbutton icon for Tor Browser 8 (refs: #15023)

Revision 838a57b3 (diff)
Added by intrigeri about 1 year ago

Refactor: DRY tbb_timestamp (refs: #15023)

Revision 13584472 (diff)
Added by intrigeri about 1 year ago

Give the Unsafe Browser its own /dev/shm instead of bind-mounting the host system's one (refs: #15023)

Revision 85392012 (diff)
Added by intrigeri about 1 year ago

Test suite: take into account another RTL locale (refs: #15023).

Revision 2ca433cb
Added by intrigeri about 1 year ago

Merge branch 'feature/15023-tor-browser-8' into devel (Fix-committed: #15023)

History

#1 Updated by intrigeri almost 2 years ago

  • Description updated (diff)

#2 Updated by intrigeri over 1 year ago

  • Subject changed from Upgrade to Tor Browser based on Firefox 59 ESR to Upgrade to Tor Browser based on Firefox ESR60

I'll update the target version once https://lists.torproject.org/pipermail/tbb-dev/2017-December/000701.html reaches an actionable conclusion.

#3 Updated by intrigeri over 1 year ago

  • Related to Bug #15092: Update our 2018 release schedule wrt. new Firefox ESR plans added

#4 Updated by intrigeri over 1 year ago

  • Target version changed from Tails_3.8 to Tails_3.9

#5 Updated by intrigeri over 1 year ago

  • Status changed from Confirmed to In Progress

#6 Updated by intrigeri over 1 year ago

#7 Updated by intrigeri over 1 year ago

  • Description updated (diff)

#8 Updated by intrigeri over 1 year ago

  • Description updated (diff)

#9 Updated by intrigeri over 1 year ago

  • Description updated (diff)

#10 Updated by intrigeri over 1 year ago

  • Description updated (diff)

#11 Updated by intrigeri over 1 year ago

FTR a first TB Linux nightly based on ESR 60 is planned for this week :)

#12 Updated by intrigeri over 1 year ago

… and the 60.2 release date has changed again. It's now later than planned initially which will make things easier for us! :)

#13 Updated by intrigeri over 1 year ago

  • Related to Feature #12571: Find a nicer way to add exceptions from mandatory signing for our Tor Browser add-ons added

#14 Updated by intrigeri about 1 year ago

The first TB alpha based on ESR60 is there: https://lists.torproject.org/pipermail/tor-qa/2018-June/000942.html :)

#15 Updated by intrigeri about 1 year ago

  • Blocks Bug #14962: Tor Browser >= 7.0.8 fails to render local pages correctly added

#16 Updated by intrigeri about 1 year ago

  • Assignee changed from anonym to intrigeri

We'll decide on #15531 how we'll handle this.

#17 Updated by intrigeri about 1 year ago

  • Assignee changed from intrigeri to segfault

segfault will give it a first try by next Tuesday and then we'll meet to plan the next steps.

#18 Updated by intrigeri about 1 year ago

  • Feature Branch set to feature/15023-tor-browser-8

#19 Updated by intrigeri about 1 year ago

Got an ISO that builds! First issues identified via random manual testing:

  • missing icon in the apps menu
  • "Something Went Wrong! Tor is not working in this browser", fixed by allowing GETINFO net/listeners/socks in onion grater
  • no circuits display in the onion menu
  • ublock is not enabled, possibly the way we patch stuff in apply_extension_code_signing_hacks is broken
  • default search engine is YouTube, maybe that's what people want these days but I'd rather stick to DDG like Tor Browser upstream
  • a few AppArmor denials that might explain some of the above
  • in about:addons → Languages, all language packs are flagged as "could not be verified". I guess we'll have to live with it.
  • our custom homepage is not loaded: about:tor is
  • ERROR: ld.so: object 'libmozsandbox.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored. (after patching the AppArmor profile to allow reading /etc/ld.so.conf,{.d,.d/*}; looks like we need to teach Tor Browser where its libraries live; next step: look at changes in the start-tor-browser script that we should import

#20 Updated by intrigeri about 1 year ago

intrigeri wrote:

  • missing icon in the apps menu

Fixed in Git.

  • "Something Went Wrong! Tor is not working in this browser", fixed by allowing GETINFO net/listeners/socks in onion grater

Fixed in Git.

  • no circuits display in the onion menu

Actually, that's because this has been moved to the identity box in the URL bar domain and there it works fine.

  • ublock is not enabled, possibly the way we patch stuff in apply_extension_code_signing_hacks is broken

Later.

  • default search engine is YouTube, maybe that's what people want these days but I'd rather stick to DDG like Tor Browser upstream
  • our custom homepage is not loaded: about:tor is

It looks like /etc/tor-browser/locale-profiles/ is not considered anymore, which explains these 2 issues.

  • ERROR: ld.so: object 'libmozsandbox.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored. (after patching the AppArmor profile to allow reading /etc/ld.so.conf,{.d,.d/*}; looks like we need to teach Tor Browser where its libraries live; next step: look at changes in the start-tor-browser script that we should import

Later. Next step: reproduce with pristine Tor Browser 8.0aN outside of Tails.

#21 Updated by intrigeri about 1 year ago

intrigeri wrote:

  • ublock is not enabled, possibly the way we patch stuff in apply_extension_code_signing_hacks is broken

Later.

  • default search engine is YouTube, maybe that's what people want these days but I'd rather stick to DDG like Tor Browser upstream
  • our custom homepage is not loaded: about:tor is

It looks like /etc/tor-browser/locale-profiles/ is not considered anymore, which explains these 2 issues.

Fixed in Git.

  • ERROR: ld.so: object 'libmozsandbox.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored. (after patching the AppArmor profile to allow reading /etc/ld.so.conf,{.d,.d/*}; looks like we need to teach Tor Browser where its libraries live; next step: look at changes in the start-tor-browser script that we should import

Later. Next step: reproduce with pristine Tor Browser 8.0aN outside of Tails.

Also, localized search engines, that we install in /usr/local/lib/tor-browser/distribution/searchplugins/locale/, are not taken into account. So for non-English languages the default search engine remains YouTube. Note that pristine Firefox already ships localized Wikipedia search engines (browser/locales/searchplugins/) and has a per-locale list (browser/locales/search/list.json), that Tor Browser patches to remove localized search engines. This makes sense to me in terms of not leaking the user's locales unless they explicitly choose to do so. Given this area has been a recurring PITA to maintain across major upgrades, I'm very tempted to just drop the ball and stick to Tor Browser's defaults.

#22 Updated by intrigeri about 1 year ago

  • Blocks Feature #10267: Test that the search plugins (disconnect.me, WP, and StartPage) are localized added

#23 Updated by intrigeri about 1 year ago

intrigeri wrote:

intrigeri wrote:

  • ublock is not enabled, possibly the way we patch stuff in apply_extension_code_signing_hacks is broken

Later.

Should be fixed in Git (locally, will push after testing).

  • ERROR: ld.so: object 'libmozsandbox.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored. (after patching the AppArmor profile to allow reading /etc/ld.so.conf,{.d,.d/*}; looks like we need to teach Tor Browser where its libraries live; next step: look at changes in the start-tor-browser script that we should import

Later. Next step: reproduce with pristine Tor Browser 8.0aN outside of Tails.

Unchanged.

Also, localized search engines, that we install in /usr/local/lib/tor-browser/distribution/searchplugins/locale/, are not taken into account. So for non-English languages the default search engine remains YouTube. Note that pristine Firefox already ships localized Wikipedia search engines (browser/locales/searchplugins/) and has a per-locale list (browser/locales/search/list.json), that Tor Browser patches to remove localized search engines. This makes sense to me in terms of not leaking the user's locales unless they explicitly choose to do so. Given this area has been a recurring PITA to maintain across major upgrades, I'm very tempted to just drop the ball and stick to Tor Browser's defaults.

Done.

Also, the Unsafe Browser window is entirely black.

#24 Updated by intrigeri about 1 year ago

intrigeri wrote:

  • ERROR: ld.so: object 'libmozsandbox.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored. (after patching the AppArmor profile to allow reading /etc/ld.so.conf,{.d,.d/*}; looks like we need to teach Tor Browser where its libraries live; next step: look at changes in the start-tor-browser script that we should import

Later. Next step: reproduce with pristine Tor Browser 8.0aN outside of Tails.

Unchanged.

Also, the Unsafe Browser window is entirely black.

Fixed locally in Git but it lacks some of our customization:

  • it's listed as "Tor Browser" in the taskbar and in the window title
  • it has search engines (I thought we disabled them, got to check that)
  • it has the default Firefox bookmarks (not sure what we have usually, maybe not a problem)

And we need to check that our prefs are taken into account, both for the Unsafe Browser and for Tor Browser:

  • config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js, e.g. extensions.torbutton.lastUpdateCheck seems to be ignored
  • config/chroot_local-includes/etc/xul-ext/tor-launcher.js
  • all calls to set_mozilla_pref
    • destination file (some are now ignored)
    • adding the user_pref optional argument may be needed in some cases

#25 Updated by intrigeri about 1 year ago

intrigeri wrote:

intrigeri wrote:

  • ERROR: ld.so: object 'libmozsandbox.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored. (after patching the AppArmor profile to allow reading /etc/ld.so.conf,{.d,.d/*}; looks like we need to teach Tor Browser where its libraries live; next step: look at changes in the start-tor-browser script that we should import

Later. Next step: reproduce with pristine Tor Browser 8.0aN outside of Tails.

Unchanged.

Also, the Unsafe Browser window is entirely black.

Fixed locally in Git but it lacks some of our customization:

  • it's listed as "Tor Browser" in the taskbar and in the window title
  • it has search engines (I thought we disabled them, got to check that)
  • it has the default Firefox bookmarks (not sure what we have usually, maybe not a problem)

And we need to check that our prefs are taken into account, both for the Unsafe Browser and for Tor Browser:

I think I've fixed it all in Git, but it would be good to double-check.

#26 Updated by intrigeri about 1 year ago

  • Description updated (diff)

#27 Updated by intrigeri about 1 year ago

  • Assignee changed from segfault to intrigeri

I've filed subtasks for the remaining problems mentioned above. Let's create new ones as we discover problems as a single Redmine discussion is not a good enough way to track them (it was OK for the initial investigation but it won't scale).

#28 Updated by intrigeri about 1 year ago

  • Description updated (diff)

#29 Updated by intrigeri about 1 year ago

  • Description updated (diff)

#30 Updated by intrigeri about 1 year ago

  • Feature Branch changed from feature/15023-tor-browser-8 to feature/15023-tor-browser-8, torbrowser-launcher:feature/15023-tor-browser-8

#31 Updated by intrigeri about 1 year ago

  • Blocks Feature #15720: Use Tor Browser for offline documentation and drop the documentation browser added

#32 Updated by intrigeri about 1 year ago

  • Blocks Bug #14771: Retrying mechanism for the "I open the address" step is buggy in the Unsafe Browser added

#33 Updated by intrigeri about 1 year ago

  • Blocks Feature #7759: Chroot browsers should use their own icons added

#34 Updated by intrigeri about 1 year ago

intrigeri wrote:

  • sandboxing improvements require unprivileged user namespaces to be enabled + some AppArmor tweaks: is the risk/benefit worth it? this does not have to be solved as part of this ticket but it's something to keep in mind and if not dealt with here, a follow-up ticket shall be created

Starting the discussion on #15725.

#35 Updated by intrigeri about 1 year ago

  • Description updated (diff)

#36 Updated by intrigeri about 1 year ago

  • Blocks Bug #15725: Are recent Firefox sandboxing improvements worth enabling unprivileged user namespaces? added

#37 Updated by intrigeri about 1 year ago

  • Blocks Bug #15101: Add feedback when opening desktop launchers added

#38 Updated by segfault about 1 year ago

I reviewed up to b959708bebf61e502c3f7bb6720ce41a921bf5c1 today.

My comments so far:

b55fff9f89c623b707d8c2a4e0fe893702d31785:

  • inconsistent indentation in apply_extension_prefs_hacks
  • I would put tbb_timestamp in a global variable instead of assigning it the same value in multiple functions

8b7dbd13d58c6e89cc9d3b5f69a9153347ea1ad6:

prefs.js is automatically generated by the application and should not be edited manually

Do NOT edit prefs.js directly.

The administrator may add an all-companyname.js preference file (install_directory/browser/defaults/preferences/all-companyname.js). This will be parsed last during the preference loading process.

  • configure_xulrunner_app_locale() is writing pref(...) to prefs.js - should that be user_pref(...)? (based on that prefs.js seems to only contain user_pref lines and you changed other lines to use user_pref in the same commit)

b959708bebf61e502c3f7bb6720ce41a921bf5c1:

  • webext-ublock-origin is back in buster since 2018-07-17 - should we install it from buster instead of sid?

#39 Updated by intrigeri about 1 year ago

Hi segfault!

I reviewed up to b959708bebf61e502c3f7bb6720ce41a921bf5c1 today.

Thanks a lot!

My comments so far:

b55fff9f89c623b707d8c2a4e0fe893702d31785:

  • inconsistent indentation in apply_extension_prefs_hacks

Right. Thankfully this code was removed later.

  • I would put tbb_timestamp in a global variable instead of assigning it the same value in multiple functions

Good idea, done locally and I'll now test it :)

8b7dbd13d58c6e89cc9d3b5f69a9153347ea1ad6:

  • Are you sure it is safe to edit prefs.js directly?

Yes, as long as we do this before the browser is started. I'm basically following the lead of the Tor Browser build scripts.

Maybe we should set our
default settings in a all-tails.js file instead. Quoting from
https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/A_brief_guide_to_Mozilla_preferences:

prefs.js is automatically generated by the application and should not be edited manually

Do NOT edit prefs.js directly.

I think that's meant for users. We do lots of things that Mozilla would not want end-users to do :)

The administrator may add an all-companyname.js preference file
(install_directory/browser/defaults/preferences/all-companyname.js). This will be
parsed last during the preference loading process.

This mechanism is meant for administrators who are able to modify the installed Tor Browser directory. This code is run as the amnesia user so we can't use this.

  • configure_xulrunner_app_locale() is writing pref(...) to prefs.js - should
    that be user_pref(...)? (based on that prefs.js seems to only contain user_pref
    lines and you changed other lines to use user_pref in the same commit)

Right. This was fixed in ac81013029d4e617dc6263edf65e903d07a5462b already.

b959708bebf61e502c3f7bb6720ce41a921bf5c1:

  • webext-ublock-origin is back in buster since 2018-07-17 - should we install it from buster instead of sid?

Debian testing has no security support; I prefer tracking a dist that gets the security fixes ASAP. Otherwise, for each package we pin to Buster, we need to track security issues & fixes manually.

#40 Updated by segfault about 1 year ago

6f6d798378d06064d3258273a0900d359d14702d:

I tested this and it's enough to mount a tmpfs on the chroot's /dev/shm, we don't have to give it access to the root filesystem's /dev/shm.

#41 Updated by segfault about 1 year ago

2b521bc21581fe922782bb2e553b460c370da2d6:

Most of the Torbutton prefs removed here are still listed on https://www.torproject.org/docs/torbutton/en/design/index.html. Maybe we should create a ticket in the torproject trac if the prefs are not supported anymore.

#42 Updated by intrigeri about 1 year ago

Most of the Torbutton prefs removed here are still listed on https://www.torproject.org/docs/torbutton/en/design/index.html. Maybe we should create a ticket in the torproject trac if the prefs are not supported anymore.

Yeah, the Tor Browser design doc is awfully outdated. https://trac.torproject.org/projects/tor/ticket/25021 already tracks this.

#43 Updated by intrigeri about 1 year ago

I tested this and it's enough to mount a tmpfs on the chroot's /dev/shm, we don't have to give it access to the root filesystem's /dev/shm.

Great idea, implemented!
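
A way to check the outcome agreed on above (a dedicated tmpfs on the chroot's /dev/shm rather than a bind mount of the host's), as an added example that is not part of this ticket or of Tails' code. It relies on the fact that a bind mount shows the same major:minor device number in mountinfo as the host's /dev/shm, while a separate tmpfs gets its own; the chroot paths and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tails code): tell whether a chroot's /dev/shm is its own
# tmpfs or a bind mount of the host's, from /proc/<pid>/mountinfo-format text.
# A bind mount reuses the host tmpfs superblock, so it shows the same
# major:minor device number; a dedicated tmpfs gets a different one.
# Limitation: mount points containing spaces appear escaped (\040) in
# mountinfo and are not unescaped here.

# shm_device MOUNTINFO_FILE MOUNT_POINT
# Print "major:minor fstype" for the last (topmost) mount at MOUNT_POINT.
shm_device() {
    awk -v mp="$2" '
        $5 == mp {
            # Fields 7.. are optional tags up to a lone "-"; fstype follows it.
            for (i = 7; i <= NF; i++)
                if ($i == "-") { dev = $3; fs = $(i + 1); break }
        }
        END { if (dev != "") print dev, fs }
    ' "$1"
}

# shm_isolation MOUNTINFO_FILE CHROOT_DIR
# Print one of: isolated | shared | not-tmpfs | missing
shm_isolation() {
    host=$(shm_device "$1" /dev/shm)
    guest=$(shm_device "$1" "${2%/}/dev/shm")
    if [ -z "$guest" ]; then
        echo missing            # nothing mounted there at all
        return
    fi
    case $guest in
        *" tmpfs") ;;
        *) echo not-tmpfs; return ;;
    esac
    # Compare only the major:minor part (text before the first space).
    if [ -n "$host" ] && [ "${guest%% *}" = "${host%% *}" ]; then
        echo shared             # same superblock as the host's /dev/shm
    else
        echo isolated           # the chroot has its own tmpfs
    fi
}

# Constructed sample: one chroot with a bind-mounted /dev/shm (device 0:21,
# same as the host), one with a dedicated tmpfs (device 0:47).
write_sample_mountinfo() {
    cat > "$1" <<'EOF'
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
25 22 0:21 / /dev/shm rw,nosuid,nodev - tmpfs tmpfs rw
90 22 0:21 / /srv/chroot-bind/dev/shm rw,nosuid,nodev - tmpfs tmpfs rw
91 22 0:47 / /srv/chroot-own/dev/shm rw,nosuid,nodev shared:12 - tmpfs tmpfs rw,size=65536k
EOF
}

demo() {
    tmp=$(mktemp)
    write_sample_mountinfo "$tmp"
    for c in /srv/chroot-bind /srv/chroot-own /srv/chroot-none; do
        printf '%s: %s\n' "$c" "$(shm_isolation "$tmp" "$c")"
    done
    rm -f "$tmp"
}
demo
```

On a live system, pass /proc/self/mountinfo and the real chroot directory instead of the sample file.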

#44 Updated by segfault about 1 year ago

9757969e891054b2b259ea63b1d2a97c568a59ba:

I don't see a Stop/Reload button in my test build. And browser.uiCustomization.state in about:config doesn't include stop-reload-button.

#45 Updated by segfault about 1 year ago

9757969e891054b2b259ea63b1d2a97c568a59ba:

I don't see a Stop/Reload button in my test build. And browser.uiCustomization.state in about:config doesn't include stop-reload-button.

Never mind, that's because my test build doesn't include this commit (which is strange, because the commit is from July 3 and I built the branch last week, but whatever).

#46 Updated by segfault about 1 year ago

0bcdc8ad14374f5c4e91807a84ece82a20e684a0:

I don't understand the purpose of the changed line. Can you explain the effect of that line?

#47 Updated by segfault about 1 year ago

segfault wrote:

0bcdc8ad14374f5c4e91807a84ece82a20e684a0:

I don't understand the purpose of the changed line. Can you explain the effect of that line?

Same for the change in 6d681cd90343bb4e7ef6e7d49241dbb744063b34.

#48 Updated by segfault about 1 year ago

f255a4ede6ab285287556e39e358110e513132b1:

In the recovery method, what's the purpose of hitting Escape and then waiting for the reload button to vanish? I thought that maybe this should stop loading the page, but then it should be the stop button that vanishes.

#49 Updated by segfault about 1 year ago

I'm done with the review up to 85392012d5dc8b5934286fa92a3f3c7e6829998c (the currently most recent commit).

#50 Updated by intrigeri about 1 year ago

segfault wrote:

0bcdc8ad14374f5c4e91807a84ece82a20e684a0:

I don't understand the purpose of the changed line. Can you explain the effect of that line?

This was addressed over IM.

#51 Updated by intrigeri about 1 year ago

segfault wrote:

Same for the change in 6d681cd90343bb4e7ef6e7d49241dbb744063b34.

This was resolved over IM.

#52 Updated by intrigeri about 1 year ago

f255a4ede6ab285287556e39e358110e513132b1:

In the recovery method, what's the purpose of hitting Escape and then waiting for the reload button to vanish? I thought that maybe this should stop loading the page, but then it should be the stop button that vanishes.

Wow, good catch! It seems that I've cargo-culted this code from When /^I open the address "([^"]*)" in the (.*)$/ do |address, browser|, where it was introduced 3 years ago via 26d902fe90d68ab0fa58d4bd46b4c821a48e5277. That code does not make any sense to me so I've fixed it as you're suggesting. I'm running the full test suite on it and we'll see.

#53 Updated by segfault about 1 year ago

852ce14b81c00e6bb1bf0376e2d007c4dfb4e875:

I don't like it that currently the icons of NoScript and HTTPS Everywhere are not shown during the first TB launch (FWIW, the uBlock Origin icon is still shown).

Which problems did you see that made you remove these preferences? I tried readding this single pref; it fixes the hidden icons and I don't see any problems:

user_pref("extensions.torbutton.inserted_button", true);

#54 Updated by intrigeri about 1 year ago

intrigeri wrote:

f255a4ede6ab285287556e39e358110e513132b1:

In the recovery method, what's the purpose of hitting Escape and then waiting for the reload button to vanish? I thought that maybe this should stop loading the page, but then it should be the stop button that vanishes.

Wow, good catch! It seems that I've cargo-culted this code from When /^I open the address "([^"]*)" in the (.*)$/ do |address, browser|, where it was introduced 3 years ago via 26d902fe90d68ab0fa58d4bd46b4c821a48e5277. That code does not make any sense to me so I've fixed it as you're suggesting. I'm running the full test suite on it and we'll see.

The fix seems to work fine: b6a409fe7057da5149df272a529bfa9b463faa0a :)

#55 Updated by intrigeri about 1 year ago

I don't like it that currently the icons of NoScript and HTTPS Everywhere are not shown during the first TB launch (FWIW, the uBlock Origin icon is still shown).

I don't like it either but that's an upstream bug (see bug link in the commit message and I can reproduce this with a pristine Tor Browser). Now, of course Tails users are affected more than others because on every boot of Tails they're in the "first launch" situation.

Which problems did you see that made you remove these preferences?

I don't remember :/
My bad for not writing a better commit message, now I get to spend more time on it…

I tried readding this single pref; it fixes the hidden icons and I don't see any problems:
user_pref("extensions.torbutton.inserted_button", true);

Interesting, I'll take another quick look at it ⇒ I've filed #15777.

#56 Updated by intrigeri about 1 year ago

  • Blocks Bug #11711: "The Unsafe Browser can be used in all languages supported in Tails" test is broken for locales that have a translated homepage added

#57 Updated by segfault about 1 year ago

Reviewed up to commit 7bdea0f2edd43eb1d91e619b53d88b911cffffbb, everything LGTM.

#58 Updated by intrigeri about 1 year ago

  • Related to Bug #15706: Tor Browser 8 always prompts wrt. asking webpages in English added

#59 Updated by intrigeri about 1 year ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (intrigeri)

Merged! Remaining issues that cannot be solved before the 3.9 freeze will be tracked as separate tickets. For now the only one is #15706.

#60 Updated by intrigeri about 1 year ago

  • Blocks deleted (Feature #10267: Test that the search plugins (disconnect.me, WP, and StartPage) are localized)

#61 Updated by u about 1 year ago

  • Related to Feature #15807: Define & apply clear criteria for including dictionaries, fonts and language packs added

#62 Updated by u about 1 year ago

  • Related to deleted (Feature #15807: Define & apply clear criteria for including dictionaries, fonts and language packs)

#63 Updated by intrigeri about 1 year ago

  • Status changed from Fix committed to Resolved
