tbb-commits December 2015

tbb-commits@lists.torproject.org

1 participants
77 discussions

[tor-browser-bundle/master] Using build2 from Mozilla
by gk＠torproject.org 17 Dec '15

17 Dec '15

commit 30c14b7fdd1a0527ca82b80a7cc121f386653ab4 Author: Georg Koppen <gk(a)torproject.org> Date: Thu Dec 17 09:13:08 2015 +0000 Using build2 from Mozilla --- gitian/versions.alpha | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gitian/versions.alpha b/gitian/versions.alpha index 2691a1d..d1c9f36 100755 --- a/gitian/versions.alpha +++ b/gitian/versions.alpha @@ -11,7 +11,7 @@ FIREFOX_VERSION=38.5.0esr TORBROWSER_UPDATE_CHANNEL=alpha -TORBROWSER_TAG=tor-browser-${FIREFOX_VERSION}-5.5-1-build1 +TORBROWSER_TAG=tor-browser-${FIREFOX_VERSION}-5.5-2-build1 TOR_TAG=tor-0.2.7.6 TORLAUNCHER_TAG=0.2.7.7 TORBUTTON_TAG=1.9.4.2 @@ -42,7 +42,7 @@ GITIAN_TAG=tor-browser-builder-3.x-8-gpgsux OPENSSL_VER=1.0.1q GMP_VER=5.1.3 FIREFOX_LANG_VER=$FIREFOX_VERSION -FIREFOX_LANG_BUILD=build1 +FIREFOX_LANG_BUILD=build2 BINUTILS_VER=2.24 GCC_VER=5.1.0 PYTHON_VER=2.7.5

1 0

[tor-browser-bundle/maint-5.0] Update Changelog
by gk＠torproject.org 17 Dec '15

17 Dec '15

commit 807dd4984e76fae17d6f165f8a35408f4ee056b6 Author: Georg Koppen <gk(a)torproject.org> Date: Thu Dec 17 09:00:28 2015 +0000 Update Changelog --- Bundle-Data/Docs/ChangeLog.txt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Bundle-Data/Docs/ChangeLog.txt b/Bundle-Data/Docs/ChangeLog.txt index 222f31c..9748d1a 100644 --- a/Bundle-Data/Docs/ChangeLog.txt +++ b/Bundle-Data/Docs/ChangeLog.txt @@ -1,3 +1,8 @@ +Tor Browser 5.0.6 -- December 18 2015 + * All Platforms + * Bug 16441: Suppress "Reset Tor Browser" prompt + * Bug 17877: Tor Browser 5.0.5 is using the wrong Mozilla build tag + Tor Browser 5.0.5 -- December 15 2015 * All Platforms * Update Firefox to 38.5.0esr

1 0

[tor-browser-bundle/maint-5.0] Preparing 5.0.6
by gk＠torproject.org 17 Dec '15

17 Dec '15

commit 69bbd82c0e846f8e26d50b22b578685faa6029df Author: Georg Koppen <gk(a)torproject.org> Date: Thu Dec 17 08:54:55 2015 +0000 Preparing 5.0.6 --- gitian/versions | 4 ++-- tools/update-responses/config.yml | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/gitian/versions b/gitian/versions index 8e8cf7f..1633312 100755 --- a/gitian/versions +++ b/gitian/versions @@ -8,7 +8,7 @@ FIREFOX_VERSION=38.5.0esr TORBROWSER_UPDATE_CHANNEL=release -TORBROWSER_TAG=tor-browser-${FIREFOX_VERSION}-5.0-1-build2 +TORBROWSER_TAG=tor-browser-${FIREFOX_VERSION}-5.0-2-build1 TOR_TAG=tor-0.2.7.6 TORLAUNCHER_TAG=0.2.7.7 TORBUTTON_TAG=1.9.3.7 @@ -38,7 +38,7 @@ GITIAN_TAG=tor-browser-builder-3.x-8-gpgsux OPENSSL_VER=1.0.1q GMP_VER=5.1.3 FIREFOX_LANG_VER=$FIREFOX_VERSION -FIREFOX_LANG_BUILD=build1 +FIREFOX_LANG_BUILD=build2 BINUTILS_VER=2.24 GCC_VER=5.1.0 PYTHON_VER=2.7.5 diff --git a/tools/update-responses/config.yml b/tools/update-responses/config.yml index 3a62062..4be39a9 100644 --- a/tools/update-responses/config.yml +++ b/tools/update-responses/config.yml @@ -10,14 +10,15 @@ build_targets: osx64: Darwin_x86_64-gcc3 channels: alpha: 5.5a1 - release: 5.0.5 + release: 5.0.6 versions: - 5.0.5: + 5.0.6: platformVersion: 38.5.0 detailsURL: https://www.torproject.org/projects/torbrowser.html.en - download_url: https://www.torproject.org/dist/torbrowser/5.0.5 + download_url: https://www.torproject.org/dist/torbrowser/5.0.6 incremental_from: - 5.0.4 + - 5.0.5 migrate_archs: osx32: osx64 osx32:

1 0

[tor-browser-bundle/master] Avoid language prompt on first start in alphas
by gk＠torproject.org 16 Dec '15

16 Dec '15

commit a0e1b93bd6b0c28a36edb71fcc8e71c43b708548 Author: Georg Koppen <gk(a)torproject.org> Date: Wed Dec 16 07:58:27 2015 +0000 Avoid language prompt on first start in alphas --- Bundle-Data/Docs/ChangeLog.txt | 4 ---- gitian/versions.alpha | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/Bundle-Data/Docs/ChangeLog.txt b/Bundle-Data/Docs/ChangeLog.txt index 237fdf9..4812fc4 100644 --- a/Bundle-Data/Docs/ChangeLog.txt +++ b/Bundle-Data/Docs/ChangeLog.txt @@ -13,10 +13,6 @@ Tor Browser 5.5a5 -- December 15 2015 * Bug 17108: Polish about:tor appearance * Bug 17568: Clean up tor-control-port.js * Translation updates - * Update Tor Launcher to 0.2.8.1 - * Bug 17344: Enumerate available language packs for language prompt - * Code clean-up - * Translation updates * Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875) * Bug 15564: Isolate SharedWorkers by first-party domain * Bug 16940: After update, load local change notes diff --git a/gitian/versions.alpha b/gitian/versions.alpha index ae70b91..2691a1d 100755 --- a/gitian/versions.alpha +++ b/gitian/versions.alpha @@ -13,7 +13,7 @@ TORBROWSER_UPDATE_CHANNEL=alpha TORBROWSER_TAG=tor-browser-${FIREFOX_VERSION}-5.5-1-build1 TOR_TAG=tor-0.2.7.6 -TORLAUNCHER_TAG=0.2.8.1 +TORLAUNCHER_TAG=0.2.7.7 TORBUTTON_TAG=1.9.4.2 HTTPSE_TAG=5.1.1 NSIS_TAG=v0.3

1 0

[tor-browser-bundle/hardened-builds] Adding libasan.so.2 to the MARTOOLS zip
by gk＠torproject.org 14 Dec '15

14 Dec '15

commit 551a76af35fb7ddfa505415fbfa8a1d60852f291 Author: Georg Koppen <gk(a)torproject.org> Date: Mon Dec 14 14:56:23 2015 +0000 Adding libasan.so.2 to the MARTOOLS zip --- gitian/descriptors/linux/gitian-firefox.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/gitian/descriptors/linux/gitian-firefox.yml b/gitian/descriptors/linux/gitian-firefox.yml index 1310237..3c6c1f1 100644 --- a/gitian/descriptors/linux/gitian-firefox.yml +++ b/gitian/descriptors/linux/gitian-firefox.yml @@ -146,6 +146,7 @@ script: | for LIB in $NSS_LIBS $NSPR_LIBS; do cp -p obj-*/dist/bin/$LIB $MARTOOLS/ done + cp -p $INSTDIR/gcc/lib64/libasan.so.2 $MARTOOLS/ cd ~/build ~/build/dzip.sh mar-tools-linux${GBUILD_BITS}.zip mar-tools cp -p mar-tools-linux${GBUILD_BITS}.zip $OUTDIR/

1 0

[tor-browser-bundle/hardened-builds] Changelog update and version bumps
by gk＠torproject.org 14 Dec '15

14 Dec '15

commit 8da5fa2f35ae4ffb3489f748b16cf36d4a73ed95 Author: Georg Koppen <gk(a)torproject.org> Date: Mon Dec 14 08:57:29 2015 +0000 Changelog update and version bumps --- Bundle-Data/Docs/ChangeLog.txt | 1177 +------------------------------------ gitian/versions.alpha | 18 +- tools/update-responses/config.yml | 12 +- 3 files changed, 48 insertions(+), 1159 deletions(-) diff --git a/Bundle-Data/Docs/ChangeLog.txt b/Bundle-Data/Docs/ChangeLog.txt index 2a4af99..8072453 100644 --- a/Bundle-Data/Docs/ChangeLog.txt +++ b/Bundle-Data/Docs/ChangeLog.txt @@ -1,1145 +1,32 @@ -Tor Browser 5.5a4 -- November 3 2015 - * All Platforms - * Update Firefox to 38.4.0esr - * Update Tor to 0.2.7.4-rc - * Update NoScript to 2.6.9.39 - * Update HTTPS-Everywhere to 5.1.1 - * Update Torbutton to 1.9.4.1 - * Bug 9623: Spoof Referer when leaving a .onion domain - * Bug 16620: Remove old window.name handling code - * Bug 17164: Don't show text-select cursor on circuit display - * Bug 17351: Remove unused code - * Translation updates - * Bug 17207: Hide MIME types and plugins from websites - * Bug 16909+17383: Adapt to HTTPS-Everywhere build changes - * Bug 16620: Move window.name handling into a Firefox patch - * Bug 17220: Support math symbols in font whitelist - * Bug 10599+17305: Include updater and build patches needed for hardened builds - * Bug 17318: Remove dead ScrambleSuit bridge - * Bug 17428: Remove default Flashproxy bridges - * Bug 17473: Update meek-amazon fingerprint - * Windows - * Bug 17250: Add localized font names to font whitelist - * OS X - * Bug 17122: Rename Japanese OS X bundle - * Linux - * Bug 17329: Ensure that non-ASCII characters can be typed (fixup of #5926) - -Tor Browser 5.5a3 -- September 22 2015 - * All Platforms - * Update Firefox to 38.3.0esr - * Update libevent to 2.0.22-stable - * Update Torbutton to 1.9.4 - * Bug 16937: Don't translate the homepage/spellchecker dictionary string - * Bug 16735: about:tor should accommodate different fonts/font sizes - * Bug 16887: Update intl.accept_languages value - * Bug 15493: Update circuit display on new circuit info - * Bug 16797: brandShorterName is missing from brand.properties - * Translation updates - * Bug 10140: Add new Tor Browser locale (Japanese) - * Bug 17102: Don't crash while opening a second Tor Browser - * Bug 16983: Isolate favicon requests caused by the tab list dropdown - * Bug 13512: Load a static tab with change notes after an update - * Bug 16937: Remove the en-US dictionary from non en-US Tor Browser bundles - * Bug 7446: Tor Browser should not "fix up" .onion domains (or any domains) - * Bug 16837: Disable Firefox Hotfix updates - * Bug 16855: Allow blobs to be downloaded on first-party pages (fixes mega.nz) - * Bug 16781: Allow saving pdf files in built-in pdf viewer - * Bug 16842: Restore Media tab on Page information dialog - * Bug 16727: Disable about:healthreport page - * Bug 16783: Normalize NoScript default whitelist - * Bug 16775: Fix preferences dialog with security slider set to "High" - * Bug 13579: Update download progress bar automatically - * Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent - * Bug 17046: Event.timeStamp should not reveal startup time - * Bug 16872: Fix warnings when opening about:downloads - * Bug 17097: Fix intermittent crashes when using the print dialog - * Windows - * Bug 16906: Fix Mingw-w64 compilation/Don't depend on Windows crypto DLLs - * Bug 16707: Allow more system fonts to get used on Windows - * OS X - * Bug 16910: Update copyright year in OS X bundles - * Bug 16707: Allow more system fonts to get used on OS X - * Linux - * Bug 16672: Don't use font whitelisting for Linux users - -Tor Browser 5.0.3 -- September 22 2015 - * All Platforms - * Update Firefox to 38.3.0esr - * Update Torbutton to 1.9.3.4 - * Bug 16887: Update intl.accept_languages value - * Bug 15493: Update circuit display on new circuit info - * Bug 16797: brandShorterName is missing from brand.properties - * Bug 14429: Make sure the automatic resizing is disabled - * Translation updates - * Bug 7446: Tor Browser should not "fix up" .onion domains (or any domains) - * Bug 16837: Disable Firefox Hotfix updates - * Bug 16855: Allow blobs to be downloaded on first-party pages (fixes mega.nz) - * Bug 16781: Allow saving pdf files in built-in pdf viewer - * Bug 16842: Restore Media tab on Page information dialog - * Bug 16727: Disable about:healthreport page - * Bug 16783: Normalize NoScript default whitelist - * Bug 16775: Fix preferences dialog with security slider set to "High" - * Bug 13579: Update download progress bar automatically - * Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent - * Bug 17046: Event.timeStamp should not reveal startup time - * Bug 16872: Fix warnings when opening about:downloads - * Bug 17097: Fix intermittent crashes when using the print dialog - * Windows - * Bug 16906: Fix Mingw-w64 compilation breakage - * OS X - * Bug 16910: Update copyright year in OS X bundles - -Tor Browser 5.5a2 -- August 28 2015 - * All Platforms: - * Update Firefox to 38.2.1esr - * Update NoScript to 2.6.9.36 - * Bug 16771: Fix crash on some websites due to blob URIs - * Linux - * Bug 16860: Avoid duplicate desktop icons on Gnome and Unity - -Tor Browser 5.0.2 -- August 27 2015 - * All Platforms - * Update Firefox to 38.2.1esr - * Update NoScript to 2.6.9.36 - * Linux - * Bug 16860: Avoid duplicate icons on Unity and Gnome - -Tor Browser 5.0.1 -- August 18 2015 - * All Platforms - * Bug 16771: Fix crash on some websites due to blob URIs - -Tor Browser 5.5a1 -- August 11 2015 - * All Platforms - * Update Firefox to 38.2.0esr - * Update NoScript to 2.6.9.34 - * Update Torbutton to 1.9.3.3 - * Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click - * Bug 16730: Reset NoScript whitelist on upgrade - * Bug 16722: Prevent "Tiles" feature from being enabled after upgrade - * Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup) - * Bug 14429: Make sure the automatic resizing is enabled - * Translation updates - * Update Tor Launcher to 0.2.7.7 - * Translation updates - * Bug 16730: Prevent NoScript from updating the default whitelist - * Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome() - * Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers - * Bug 16311: Fix navigation timing in ESR 38 - * Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup) - * Bug 16672: Change font whitelists and configs for rendering issues (partial) - -Tor Browser 5.0 -- August 11 2015 - * All Platforms - * Update Firefox to 38.2.0esr - * Update OpenSSL to 1.0.1p - * Update HTTPS-Everywhere to 5.0.7 - * Update NoScript to 2.6.9.34 - * Update meek to 0.20 - * Update Tor to 0.2.6.10 with patches: - * Bug 16674: Allow FQDNs ending with a single '.' in our SOCKS host name checks. - * Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com) - * Bug 15482: Don't allow circuits to change while a site is in use - * Update Torbutton to 1.9.3.2 - * Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click - * Bug 16730: Reset NoScript whitelist on upgrade - * Bug 16722: Prevent "Tiles" feature from being enabled after upgrade - * Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup) - * Bug 16268: Show Tor Browser logo on About page - * Bug 16639: Check for Updates menu item can cause update download failure - * Bug 15781: Remove the sessionstore filter - * Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref - * Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1) - * Bug 16200: Update Cache API usage and prefs for FF38 - * Bug 16357: Use Mozilla API to wipe permissions db - * Bug 14429: Make sure the automatic resizing is disabled - * Translation updates - * Update Tor Launcher to 0.2.7.7 - * Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1) - * Bug 15145: Visually distinguish "proxy" and "bridge" screens. - * Translation updates - * Bug 16730: Prevent NoScript from updating the default whitelist - * Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome() - * Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers - * Bug 16884: Prefer IPv6 when supported by the current Tor exit - * Bug 16488: Remove "Sign in to Sync" from the browser menu - * Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper - * Bug 15703: Isolate mediasource URIs and media streams to first party - * Bug 16429+16416: Isolate blob URIs to first party - * Bug 16632: Turn on the background updater and restart prompting - * Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhere - * Bug 16523: Fix in-browser JavaScript debugger - * Bug 16236: Windows updater: avoid writing to the registry - * Bug 16625: Fully disable network connection prediction - * Bug 16495: Fix SVG crash when security level is set to "High" - * Bug 13247: Fix meek profile error after bowser restarts - * Bug 16005: Relax WebGL minimal mode - * Bug 16300: Isolate Broadcast Channels to first party - * Bug 16439: Remove Roku screencasting code - * Bug 16285: Disabling EME bits - * Bug 16206: Enforce certificate pinning - * Bug 15910: Disable Gecko Media Plugins for now - * Bug 13670: Isolate OCSP requests by first party domain - * Bug 16448: Isolate favicon requests by first party - * Bug 7561: Disable FTP request caching - * Bug 6503: Fix single-word URL bar searching - * Bug 15526: ES6 page crashes Tor Browser - * Bug 16254: Disable GeoIP-based search results. - * Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads. - * Bug 13024: Disable DOM Resource Timing API - * Bug 16340: Disable User Timing API - * Bug 14952: Disable HTTP/2 - * Bug 1517: Reduce precision of time for Javascript - * Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation - * Bug 16311: Fix navigation timing in ESR 38 - * Windows - * Bug 16014: Staged update fails if meek is enabled - * Bug 16269: repeated add-on compatibility check after update (meek enabled) - * Mac OS - * Use OSX 10.7 SDK - * Bug 16253: Tor Browser menu on OS X is broken with ESR 38 - * Bug 15773: Enable ICU on OS X - * Build System - * Bug 16351: Upgrade our toolchain to use GCC 5.1 - * Bug 15772 and child tickets: Update build system for Firefox 38 - * Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds - * Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt - -Tor Browser 5.0a4 -- August 3 2015 - * All Platforms - * Update Tor to 0.2.7.2-alpha with patches: - * Bug 15482: Don't allow circuits to change while a site is in use - * Update OpenSSL to 1.0.1p - * Update HTTPS-Everywhere to 5.0.7 - * Update NoScript to 2.6.9.31 - * Update Torbutton to 1.9.3.1 - * Bug 16268: Show Tor Browser logo on About page - * Bug 16639: Check for Updates menu item can cause update download failure - * Bug 15781: Remove the sessionstore filter - * Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref - * Translation updates - * Bug 16884: Prefer IPv6 when supported by the current Tor exit - * Bug 16488: Remove "Sign in to Sync" from the browser menu - * Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting - * Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper - * Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup) - * Bug 15703: Isolate mediasource URIs and media streams to first party - * Bug 16429+16416: Isolate blob URIs to first party - * Bug 16632: Turn on the background updater and restart prompting - * Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhere - * Bug 16523: Fix in-browser JavaScript debugger - * Bug 16236: Windows updater: avoid writing to the registry - * Bug 16005: Restrict WebGL minimal mode a bit (fixup) - * Bug 16625: Fully disable network connection prediction - * Bug 16495: Fix SVG crash when security level is set to "High" - * Build System - * Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt - -Tor Browser 5.0a3 -- June 30 2015 - * All Platforms - * Update Firefox to 38.1.0esr - * Update OpenSSL to 1.0.1o - * Update NoScript to 2.6.9.27 - * Update meek to 0.20 - * Tor patch backport - * Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com) - * Update Torbutton to 1.9.3.0 - * Bug 16403: Set search parameters for Disconnect - * Bug 14429: Make sure the automatic resizing is disabled - * Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1) - * Bug 16200: Update Cache API usage and prefs for FF38 - * Bug 16357: Use Mozilla API to wipe permissions db - * Translation updates - * Update Tor Launcher to 0.2.7.6 - * Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1) - * Bug 15145: Visually distinguish "proxy" and "bridge" screens. - * Translation updates - * Bug 13247: Fix meek profile error after bowser restarts - * Bug 16397: Fix crash related to disabling SVG - * Bug 16403: Set search parameters for Disconnect - * Bug 16446: Update FTE bridge #1 fingerprint - * Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent - * Bug 16005: Relax WebGL minimal mode - * Bug 16300: Isolate Broadcast Channels to first party - * Bug 16439: Remove Roku screencasting code - * Bug 16285: Disabling EME bits - * Bug 16206: Enforce certificate pinning - * Bug 15910: Disable GMPs for now - * Bug 13670: Isolate OCSP requests by first party domain - * Bug 16448: Isolate favicon requests by first party - * Bug 7561: Disable FTP request caching - * Bug 6503: Fix single-word URL bar searching - * Bug 15526: ES6 page crashes Tor Browser - * Bug 16254: Disable GeoIP-based search results. - * Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads. - * Bug 13024: Disable DOM Resource Timing API - * Bug 16340: Disable User Timing API - * Bug 14952: Disable HTTP/2 - * Mac OS - * Use OSX 10.7 SDK - * Bug 16253: Tor Browser menu on OS X is broken with ESR 38 - * Build System - * Bug 16351: Upgrade our toolchain to use GCC 5.1 - * Bug 15772 and child tickets: Update build system for Firefox 38 - -Tor Browser 4.5.3 -- June 30 2015 - * All Platforms - * Update Firefox to 31.8.0esr - * Update OpenSSL to 1.0.1o - * Update NoScript to 2.6.9.27 - * Update Torbutton to 1.9.2.8 - * Bug 16403: Set search parameters for Disconnect - * Bug 14429: Make sure the automatic resizing is disabled - * Translation updates - * Bug 16397: Fix crash related to disabling SVG - * Bug 16403: Set search parameters for Disconnect - * Bug 16446: Update FTE bridge #1 fingerprint - * Tor patch backport - * Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com) - -Tor Browser 5.0a2 -- June 15 2015 - * All Platforms - * Update Tor to 0.2.7.1-alpha - * Update HTTPS-Everywhere to 5.0.5 - * Update OpenSSL to 1.0.1n - * Update NoScript to 2.6.9.26 - * Update meek to 0.19 - * Update Torbutton to 1.9.2.7 - * Bug 15984: Disabling Torbutton breaks the Add-ons Manager - * Bug 14429: Make sure the automatic resizing is enabled - * Translation updates - * Bug 16130: Defend against logjam attack - * Bug 15984: Disabling Torbutton breaks the Add-ons Manager - * Windows - * Bug 16014: Staged update fails if meek is enabled - * Bug 16269: repeated add-on compatibility check after update (meek enabled) - * Linux - * Bug 16026: Fix crash in GStreamer - * Bug 16083: Update comment in start-tor-browser - -Tor Browser 4.5.2 -- June 15 2015 - * All Platforms - * Update Tor to 0.2.6.9 - * Update HTTPS-Everywhere to 5.0.5 - * Update OpenSSL to 1.0.1n - * Update NoScript to 2.6.9.26 - * Update Torbutton to 1.9.2.6 - * Bug 15984: Disabling Torbutton breaks the Add-ons Manager - * Bug 14429: Make sure the automatic resizing is disabled - * Translation updates - * Bug 16130: Defend against logjam attack - * Bug 15984: Disabling Torbutton breaks the Add-ons Manager - * Linux - * Bug 16026: Fix crash in GStreamer - * Bug 16083: Update comment in start-tor-browser - -Tor Browser 5.0a1 -- May 14 2015 - * All Platforms - * Update Firefox to 31.7.0esr - * Update meek to 0.18 - * Update Tor Launcher to 0.2.7.5 - * Translation updates only - * Update Torbutton to 1.9.2.5 - * Bug 15837: Show descriptions if unchecking custom mode - * Bug 15927: Force update of the NoScript UI when changing security level - * Bug 15915: Hide circuit display if it is disabled. - * Bug 14429: Improved automatic window resizing - * Translation updates - * Bug 15945: Disable NoScript's ClearClick protection for now - * Bug 15933: Isolate by base (top-level) domain name instead of FQDN - * Bug 15857: Fix file descriptor leak in updater that caused update failures - * Bug 15899: Fix errors with downloading and displaying PDFs - * Bug 15773: Enable ICU on OS X - * Bug 1517: Reduce precision of time for Javascript - * Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation - * Bug 13875: Improve the spoofing of window.devicePixelRatio - * Windows - * Bug 15872: Fix meek pluggable transport startup issue with Windows 7 - * Build System - * Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var - * Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds - -Tor Browser 4.5.1 -- May 12 2015 - * All Platforms - * Update Firefox to 31.7.0esr - * Update meek to 0.18 - * Update Tor Launcher to 0.2.7.5 - * Translation updates only - * Update Torbutton to 1.9.2.3 - * Bug 15837: Show descriptions if unchecking custom mode - * Bug 15927: Force update of the NoScript UI when changing security level - * Bug 15915: Hide circuit display if it is disabled. - * Translation updates - * Bug 15945: Disable NoScript's ClearClick protection for now - * Bug 15933: Isolate by base (top-level) domain name instead of FQDN - * Bug 15857: Fix file descriptor leak in updater that caused update failures - * Bug 15899: Fix errors with downloading and displaying PDFs - * Windows - * Bug 15872: Fix meek pluggable transport startup issue with Windows 7 - * Build System - * Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var - * Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds - -Tor Browser 4.5 -- Apr 28 2015 - * All Platforms - * Update Tor to 0.2.6.7 with additional patches: - * Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used - * Update NoScript to 2.6.9.22 - * Update HTTPS-Everywhere to 5.0.3 - * Bug 15689: Resume building HTTPS-Everywhere from git tags - * Update meek to 0.17 - * Update obfs4proxy to 0.0.5 - * Update Tor Launcher to 0.2.7.4 - * Bug 15704: Do not enable network if wizard is opened - * Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked - * Bug 13576: Don't strip "bridge" from the middle of bridge lines - * Bug 15657: Display the host:port of any connection faiures in bootstrap - * Update Torbutton to 1.9.2.2 - * Bug 15562: Bind SharedWorkers to thirdparty pref - * Bug 15533: Restore default security level when restoring defaults - * Bug 15510: Close Tor Circuit UI control port connections on New Identity - * Bug 15472: Make node text black in circuit status UI - * Bug 15502: Wipe blob URIs on New Identity - * Bug 15795: Some security slider prefs do not trigger custom checkbox - * Bug 14429: Disable automatic window resizing for now - * Bug 4100: Raise HTTP Keep-Alive back to 115 second default - * Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting - * Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism - * Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display - * Bug 15502: Isolate blob URI scope to URL domain; block WebWorker access - * Bug 15794: Crash on some pages with SVG images if SVG is disabled - * Bug 15562: Disable Javascript SharedWorkers due to third party tracking - * Bug 15757: Disable Mozilla video statistics API extensions - * Bug 15758: Disable Device Sensor APIs - * Linux - * Bug 15747: Improve start-tor-browser argument handling - * Bug 15672: Provide desktop app registration+unregistration for Linux - * Windows - * Bug 15539: Make installer exe signatures reproducibly removable - * Bug 10761: Fix instances of shutdown crashes - -Tor Browser 4.5a5 -- Mar 31 2015 - * All Platforms - * Update Firefox to 31.6.0esr - * Update OpenSSL to 1.0.1m - * Update Tor to 0.2.6.6 - * Update NoScript to 2.6.9.19 - * Update HTTPS-Everywhere to 5.0 - * Update meek to 0.16 - * Update Tor Launcher to 0.2.7.3 - * Bug 13983: Directory search path fix for Tor Messanger+TorBirdy - * Update Torbutton to 1.9.1.0 - * Bug 9387: "Security Slider 1.0" - * Include descriptions and tooltip hints for security levels - * Notify users that the security slider exists - * Flip slider so that "low" is on the bottom - * Make use of new SVG and MathML prefs - * Bug 13766: Set a 10 minute circuit lifespan for non-content requests - * Bug 15460: Ensure FTP urls use content-window circuit isolation - * Bug 13650: Clip initial window height to 1000px - * Bug 14429: Ensure windows can only be resized to 200x100px multiples - * Bug 15334: Display Cookie Protections menu if disk records are enabled - * Bug 14324: Show HS circuit in Tor circuit display - * Bug 15086: Handle RTL text in Tor circuit display - * Bug 15085: Fix about:tor RTL text alignment problems - * Bug 10216: Add a pref to disable the local tor control port test - * Bug 14937: Show meek and flashproxy bridges in tor circuit display - * Bugs 13891+15207: Fix exceptions/errors in circuit display with bridges - * Bug 13019: Change locale hiding pref to boolean - * Bug 7255: Warn users about maximizing windows - * Bug 14631: Improve profile access error msgs (strings). - * Pluggable Transport Dependency Updates: - * Bug 15448: Use golang 1.4.2 for meek and obs4proxy - * Bug 15265: Switch go.net repo to golang.org/x/net - * Bug 14937: Hard-code meek and flashproxy node fingerprints - * Bug 13019: Prevent Javascript from leaking system locale - * Bug 10280: Improved fix to prevent loading plugins into address space - * Bug 15406: Only include addons in incremental updates if they actually update - * Bug 15029: Don't prompt to include missing plugins - * Bug 12827: Create preference to disable SVG images (for security slider) - * Bug 13548: Create preference to disable MathML (for security slider) - * Bug 14631: Improve startup error messages for filesystem permissions issues - * Bug 15482: Don't allow circuits to change while a site is in use - * Linux - * Bug 13375: Create a hybrid GUI/desktop/shell launcher wrapper - * Bug 12468: Only print/write log messages if launched with --debug - * Windows - * Bug 3861: Begin signing Tor Browser for Windows the Windows way - * Bug 15201: Disable 'runas Administrator' codepaths in updater - * Bug 14688: Create shortcuts to desktop and start menu by default (optional) - -Tor Browser 4.0.6 -- Mar 31 2015 - * All Platforms - * Update Firefox to 31.6.0esr - * Update meek to 0.16 - * Update OpenSSL to 1.0.1m - -Tor Browser 4.0.5 -- Mar 23 2015 - * All Platforms - * Update Firefox to 31.5.3esr - * Update Tor to 0.2.5.11 - * Update NoScript to 2.6.9.19 - -Tor Browser 4.5a4 -- Feb 24 2015 - * All Platforms - * Update Firefox to 31.5.0esr - * Update Tor to 0.2.6.3-alpha - * Update OpenSSL to 1.0.1l - * Update NoScript to 2.6.9.15 - * Update obfs4proxy to 0.0.4 - * Use obfs4proxy for ScrambleSuit bridges - * Update Torbutton to 1.9.0.0 - * Bug 13882: Fix display of bridges after bridge settings have been changed - * Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog - * Bug 10280: Strings and pref for preventing plugin initialization. - * Bug 14866: Show correct circuit when more than one exists for a given domain - * Bug 9442: Add New Circuit button to Torbutton menu - * Bug 9906: Warn users before closing all windows and performing new identity. - * Bug 8400: Prompt for restart if disk records are enabled/disabled. - * Bug 14630: Hide Torbutton's proxy settings tab. - * Bug 14632: Disable Cookie Manager until we get it working. - * Bug 11175: Remove "About Torbutton" from onion menu. - * Bug 13900: Remove remaining SafeCache code in favor of C++ patch - * Bug 14490: Use Disconnect search in about:tor search box - * Bug 14392: Don't steal input focus in about:tor search box - * Bug 11236: Don't set omnibox order in Torbutton (to prevent translation) - * Bug 13406: Stop directing users to download-easy.html.en on update - * Bug 9387: Handle "custom" mode better in Security Slider - * Bug 12430: Bind jar: pref to Security Slider - * Bug 14448: Restore Torbutton menu operation on non-English localizations - * Translation updates - * Update Tor Launcher to 0.2.7.2 - * Bug 13271: Display Bridge Configuration wizard pane before Proxy pane - * Bug 14336: Fix navigation button display issues on some wizard panes - * Translation updates - * Bug 14203: Prevent meek from displaying an extra update notification - * Bug 14849: Remove new NoScript menu option to make permissions permanent - * Bug 14851: Set NoScript pref to disable permanent permissions - * Bug 14490: Make Disconnect the default omnibox search engine - * Bug 11236: Fix omnibox order for non-English builds - * Also remove Amazon, eBay and bing; add Youtube and Twitter - * Bug 10280: Don't load any plugins into the address space. - * Bug 14392: Make about:tor hide itself from the URL bar - * Bug 12430: Provide a preference to disable remote jar: urls - * Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch - * Bug 5698: Fix branding in "About Torbrowser" window - * Windows: - * Bug 13169: Don't use /dev/random on Windows for SSP - * Linux: - * Bug 13717: Make sure we use the bash shell on Linux - -Tor Browser 4.0.4 -- Feb 24 2015 - * All Platforms - * Update Firefox to 31.5.0esr - * Update OpenSSL to 1.0.1l - * Update NoScript to 2.6.9.15 - * Update HTTPS-Everywhere to 4.0.3 - * Bug 14203: Prevent meek from displaying an extra update notification - * Bug 14849: Remove new NoScript menu option to make permissions permanent - * Bug 14851: Set NoScript pref to disable permanent permissions - -Tor Browser 4.5a3 -- Jan 19 2015 - * All Platforms - * Update Firefox to 31.4.0esr - * Update Tor to 0.2.6.2-alpha - * Update NoScript to 2.6.9.10 - * Update HTTPS Everywhere to 5.0development.2 - * Update meek to 0.15 - * Update Torbutton to 1.8.1.3 - * Bug 13998: Handle changes in NoScript 2.6.9.8+ - * Bug 14100: Option to hide NetworkSettings menuitem - * Bug 13079: Option to skip control port verification - * Bug 13835: Option to change default Tor Browser homepage - * Bug 11449: Fix new identity error if NoScript is not enabled - * Bug 13881: Localize strings for tor circuit display - * Bug 9387: Incorporate user feedback - * Bug 13671: Fixup for circuit display if bridges are used - * Translation updates - * Update Tor Launcher to 0.2.7.1 - * Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set - * Translation updates - * Bug 13379: Sign our MAR files - * Bug 13788: Fix broken meek in 4.5-alpha series - * Bug 13439: No canvas prompt for content callers - -Tor Browser 4.0.3 -- Jan 13 2015 - * All Platforms - * Update Firefox to 31.4.0esr - * Update NoScript to 2.6.9.10 - * Update meek to 0.15 - * Update Tor Launcher to 0.2.7.0.2 - * Translation updates only - -Tor Browser 4.5-alpha-2 -- Dec 5 2014 - * All Platforms - * Update Firefox to 31.3.0esr - * Update NoScript to 2.6.9.5 - * Update HTTPS Everywhere to 5.0development.1 - * Update Torbutton to 1.8.1.2 - * Bug 13672: Make circuit display optional - * Bug 13671: Make bridges visible on circuit display - * Bug 9387: Incorporate user feedback - * Bug 13784: Remove third party authentication tokens - * Bug 13435: Remove our custom POODLE fix (fixed by Mozilla in ESR 31.3.0) - -Tor Browser 4.0.2 -- Dec 2 2014 - * All Platforms - * Update Firefox to 31.3.0esr - * Update NoScript to 2.6.9.5 - * Update HTTPS Everywhere to 4.0.2 - * Update Torbutton to 1.7.0.2 - * Bug 13019: Synchronize locale spoofing pref with our Firefox patch - * Bug 13746: Properly link Torbutton UI to thirdparty pref. - * Bug 13742: Fix domain isolation for content cache and disk-enabled browsing mode - * Bug 5926: Prevent JS engine locale leaks (by setting the C library locale) - * Bug 13504: Remove unreliable/unreachable non-public bridges - * Bug 13435: Remove our custom POODLE fix - * Windows - * Bug 13443: Re-enable DirectShow; fix crash with mingw patch. - * Bug 13558: Fix crash on Windows XP during download folder changing - * Bug 13594: Fix update failure for Windows XP users - -Tor Browser 4.5-alpha-1 -- Nov 14 2014 - * All Platforms - * Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation - * Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32 - * Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33) - * Bug 13019: Make JS engine use English locale if a pref is set by Torbutton - * Bug 13301: Prevent extensions incompatibility error after upgrades - * Bug 13460: Fix MSVC compilation issue - * Bug 13504: Remove stale bridges from default bridge set - * Bug 13742: Fix domain isolation for content cache and disk-enabled browsing mode - * Update Tor to 0.2.6.1-alpha - * Update NoScript to 2.6.9.3 - * Update Torbutton to 1.8.1.1 - * Bug 9387: Provide a "Security Slider" for vulnerability surface reduction - * Bug 13019: Synchronize locale spoofing pref with our Firefox patch - * Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain - * Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs - * Bug 13651: Prevent circuit-status related UI hang. - * Bug 13666: Various circuit status UI fixes - * Bugs 13742+13751: Remove cache isolation code in favor of direct C++ patch - * Bug 13746: Properly update third party isolation pref if disabled from UI - * Bug 13586: Make meek use TLS session tickets (to look like stock Firefox). - * Bug 12903: Include obfs4proxy pluggable transport - * Windows - * Bug 13443: Re-enable DirectShow; fix crash with mingw patch. - * Bug 13558: Fix crash on Windows XP during download folder changing - * Bug 13091: Make app name "Tor Browser" instead of "Tor" - * Bug 13594: Fix update failure for Windows XP users - * Mac - * Bug 10138: Switch to 64bit builds for MacOS - -Tor Browser 4.0.1 -- Oct 30 2014 - * All Platforms - * Update Tor to 0.2.5.10 - * Update NoScript to 2.6.9.3 - * Bug 13301: Prevent extensions incompatibility error after upgrades - * Bug 13460: Fix MSVC compilation issue - * Windows - * Bug 13443: Disable DirectShow to prevent crashes on many sites - * Bug 13091: Make app name "Tor Browser" instead of "Tor" - -Tor Browser 4.0 -- Oct 15 2014 - * All Platforms - * Update Firefox to 31.2.0esr - * Update Torbutton to 1.7.0.1 - * Bug 13378: Prevent addon reordering in toolbars on first-run. - * Bug 10751: Adapt Torbutton to ESR31's Australis UI. - * Bug 13138: ESR31-about:tor shows "Tor is not working" - * Bug 12947: Adapt session storage blocker to ESR 31. - * Bug 10716: Take care of drag/drop events in ESR 31. - * Bug 13366: Fix cert exemption dialog when disk storage is enabled. - * Update Tor Launcher to 0.2.7.0.1 - * Translation updates only - * Udate fteproxy to 0.2.19 - * Update NoScript to 2.6.9.1 - * Bug 13416: Defend against new SSLv3 attack (poodle). - * Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads - * Bug 13016: Hide CSS -moz-osx-font-smoothing values. - * Bug 13356: Meek and other symlinks missing after complete update. - * Bug 13025: Spoof screen orientation to landscape-primary. - * Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping. - * Bug 13318: Minimize number of buttons on the browser toolbar. - * Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript) - * Bug 13023: Disable the gamepad API. - * Bug 13021: Prompt before allowing Canvas isPointIn*() calls. - * Bug 12460: Several cross-compilation and gitian fixes (see child tickets) - * Bug 13186: Disable DOM Performance timers - * Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage - -Tor Browser 4.0-alpha-3 -- Sep 24 2014 - * All Platforms - * Update Tor to 0.2.5.8-rc - * Update Firefox to 24.8.1esr - * Update meek to 0.11 - * Update NoScript to 2.6.8.42 - * Update Torbutton to 1.6.12.3 - * Bug 13091: Use "Tor Browser" everywhere - * Bug 10804: Workaround fix for some cases of startup hang - * Bug 13091: Use "Tor Browser" everywhere - * Bug 13049: Browser update failure (self.update is undefined) - * Bug 13047: Updater should not send Kernel and GTK version - * Bug 12998: Prevent intermediate certs from being written to disk - * Bug 13245: Prevent non-english TBBs from upgrading to english version. - * Linux: - * Bug 9150: Make RPATH unavailable on Tor binary. - * Bug 13031: Add full RELRO protection. - -Tor Browser Bundle 3.6.6 -- Sep 24 2014 - * All Platforms - * Update Tor to tor-0.2.4.24 - * Update Firefox to 24.8.1esr - * Update NoScript to 2.6.8.42 - * Update HTTPS Everywhere to 4.0.1 - * Bug 12998: Prevent intermediate certs from being written to disk - * Update Torbutton to 1.6.12.3 - * Bug 13091: Use "Tor Browser" everywhere - * Bug 10804: Workaround fix for some cases of startup hang - * Linux - * Bug 9150: Make RPATH unavailable on Tor binary. - -Tor Browser Bundle 4.0-alpha-2 -- Sep 2 2014 - * All Platforms - * Update Firefox to 24.8.0esr - * Update NoScript to 2.6.8.39 - * Update Tor Launcher to 0.2.7.0 - * Bug 11405: Remove firewall prompt from wizard. - * Bug 12895: Mention @riseup.net as a valid bridge request email address - * Bug 12444: Provide feedback when “Copy Tor Log” is clicked. - * Bug 11199: Improve error messages if Tor exits unexpectedly - * Update Torbutton to 1.6.12.1 - * Bug 12684: New strings for canvas image extraction message - * Bug 8940: Move RecommendedTBBVersions file to www.torproject.org - * Bug 12684: Improve Canvas image extraction permissions prompt - * Bug 7265: Only prompt for first party canvas access. Log all scripts - that attempt to extract canvas images to Browser console. - * Bug 12974: Disable NTLM and Negotiate HTTP Auth - * Bug 2874: Remove Components.* from content access (regression) - * Bug 4234: Automatic Update support (off by default) - * Bug 9881: Open popups in new tabs by default - * Meek Pluggable Transport: - * Bug 12766: Use TLSv1.0 in meek-http-helper to blend in with Firefox 24 - * Windows: - * Bug 10065: Enable DEP, ASLR, and SSP hardening options - * Linux: - * Bug 12103: Adding RELRO hardening back to browser binaries. - -Tor Browser Bundle 3.6.5 -- Sep 2 2014 - * All Platforms - * Update Firefox to 24.8.0esr - * Update NoScript to 2.6.8.39 - * Update HTTPS Everywhere to 4.0.0 - * Update Torbutton to 1.6.12.1 - * Bug 12684: New strings for canvas image extraction message - * Bug 8940: Move RecommendedTBBVersions file to www.torproject.org - * Bug 9531: Workaround to avoid rare hangs during New Identity - * Bug 12684: Improve Canvas image extraction permissions prompt - * Bug 7265: Only prompt for first party canvas access. Log all scripts - that attempt to extract canvas images to Browser console. - * Bug 12974: Disable NTLM and Negotiate HTTP Auth - * Bug 2874: Remove Components.* from content access (regression) - * Bug 9881: Open popups in new tabs by default - * Linux: - * Bug 12103: Adding RELRO hardening back to browser binaries. - -Tor Browser Bundle 4.0-alpha-1 -- Aug 8 2014 - * All Platforms - * Ticket 10935: Include the Meek Pluggable Transport (version 0.10) - * Two modes of Meek are provided: Meek over Google and Meek over Amazon - * Update Firefox to 24.7.0esr - * Update Tor to 0.2.5.6-alpha - * Update OpenSSL to 1.0.1i - * Update NoScript to 2.6.8.36 - * Script permissions now apply based on URL bar - * Update HTTPS Everywhere to 5.0development.0 - * Update Torbutton to 1.6.12.0 - * Bug 12221: Remove obsolete Javascript components from the toggle era - * Bug 10819: Bind new third party isolation pref to Torbutton security UI - * Bug 9268: Fix some window resizing corner cases with DPI and taskbar size. - * Bug 12680: Change Torbutton URL in about dialog. - * Bug 11472: Adjust about:tor font and logo positioning to avoid overlap - * Bug 9531: Workaround to avoid rare hangs during New Identity - * Update Tor Launcher to 0.2.6.2 - * Bug 11199: Improve behavior if tor exits - * Bug 12451: Add option to hide TBB's logo - * Bug 11193: Change "Tor Browser Bundle" to "Tor Browser" - * Bug 11471: Ensure text fits the initial configuration dialog - * Bug 9516: Send Tor Launcher log messages to Browser Console - * Bug 11641: Reorganize bundle directory structure to mimic Firefox - * Bug 10819: Create a preference to enable/disable third party isolation - * Backported Tor Patches: - * Bug 11200: Fix a hang during bootstrap introduced in the initial - bug11200 patch. - * Linux: - * Bug 10178: Make it easier to set an alternate Tor control port and password - * Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation - * Bug 12249: Don't create PT debug files anymore - -Tor Browser Bundle 3.6.4 -- Aug 8 2014 - * All Platforms - * Update Tor to 0.2.4.23 - * Update Tor launcher to 0.2.5.6 - * Bug 9516: Show Tor log in TorBrowser's Browser Console - * Update OpenSSL to 1.0.1i - * Backported Tor Patches: - * Bug 11654: Properly apply the fix for malformed bug11156 log message - * Bug 11200: Fix a hang during bootstrap introduced in the initial - bug11200 patch. - * Update NoScript to 2.6.8.36 - * Update Torbutton to 1.6.11.1 - * Bug 11472: Adjust about:tor font and logo positioning to avoid overlap - * Bug 12680: Fix Torbutton about url. - -Tor Browser Bundle 3.6.3 -- Jul 24 2014 - * All Platforms - * Update Firefox to 24.7.0esr - * Update obfsproxy to 0.2.12 - * Update FTE to 0.2.17 - * Update NoScript to 2.6.8.33 - * Update HTTPS Everywhere to 3.5.3 - * Bug 12673: Update FTE bridges - * Update Torbutton to 1.6.11.0 - * Bug 12221: Remove obsolete Javascript components from the toggle era - * Bug 10819: Bind new third party isolation pref to Torbutton security UI - * Bug 9268: Fix some window resizing corner cases with DPI and taskbar size. - * Linux: - * Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation - * Bug 12249: Don't create PT debug files anymore - -Tor Browser Bundle 3.6.2 -- Jun 9 2014 - * All Platforms - * Update Firefox to 24.6.0esr - * Update OpenSSL to 1.0.1h - * Update NoScript to 2.6.8.28 - * Update Tor to 0.2.4.22 - * Update Tor Launcher to 0.2.5.5 - * Bug 10425: Provide geoip6 file location to Tor process - * Bug 11754: Remove untranslated locales that were dropped from Transifex - * Bug 11772: Set Proxy Type menu correctly after restart - * Bug 11699: Change &#160 to   in UI elements - * Update Torbutton to 1.6.10.0 - * Bug 11510: about:tor should not report success if tor proxy is unreachable - * Bug 11783: Avoid b.webProgress error when double-clicking on New Identity - * Bug 11722: Add hidden pref to force remote Tor check - * Bug 11763: Fix pref dialog double-click race that caused settings to be reset - * Bug 11629: Support proxies with Pluggable Transports - * Updates FTEProxy to 0.2.15 - * Updates obfsproxy to 0.2.9 - * Backported Tor Patches: - * Bug 11654: Fix malformed log message in bug11156 patch. - * Bug 10425: Add in Tor's geoip6 files to the bundle distribution - * Bugs 11834 and 11835: Include Pluggable Transport documentation - * Bug 9701: Prevent ClipBoardCache from writing to disk. - * Bug 12146: Make the CONNECT Host header the same as the Request-URI. - * Bug 12212: Disable deprecated webaudio API - * Bug 11253: Turn on TLS 1.1 and 1.2. - * Bug 11817: Don't send startup time information to Mozilla. - -Tor Browser Bundle 3.6.1 -- May 6 2014 - * All Platforms - * Update HTTPS-Everywhere to 3.5.1 - * Update NoScript to 2.6.8.22 - * Bug 11658: Fix proxy configuration for non-Pluggable Transports users - * Backport Pending Tor Patches: - * Bug 8402: Allow Tor proxy configuration while PTs are present - * Note: The Pluggable Transports themselves have not been updated to - support proxy configuration yet. - -Tor Browser Bundle 3.6 -- Apr 29 2014 - * All Platforms - * Update Firefox to 24.5.0esr - * Update Tor Launcher to 0.2.5.4 - * Bug #11482: Hide bridge settings prompt if no default bridges. - * Bug #11484: Show help button even if no default bridges. - * Update Torbutton to 1.6.9.0 - * Bug 7439: Improve download warning dialog text. - * Bug 11384: Completely remove hidden toggle menu item. - * Update NoScript to 2.6.8.20 - * Update fte transport to 0.2.13 - * Backport Pending Tor Patches: - * Bug 11156: Additional obfsproxy startup error message fixes - * Bug 11586: Include license files for component software in Docs directory. - * Windows and Mac: - * Bug 9308: Prevent install path from leaking in some JS exceptions - on Mac and Windows builds - -Tor Browser Bundle 3.6-beta-2 -- Apr 8 2014 - * All Platforms - * Update OpenSSL to 1.0.1g - * Bug 9010: Add Turkish language support. - * Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion. - * Update fte transport to 0.2.12 - * Update NoScript to 2.6.8.19 - * Update Torbutton to 1.6.8.1 - * Bug 11242: Fix improper "update needed" message after in-place upgrade. - * Bug 10398: Ease translation of about:tor page elements - * Update Tor Launcher to 0.2.5.3 - * Bug 9665: Localize Tor's unreachable bridges bootstrap error - * Backport Pending Tor Patches: - * Bug 9665: Report a bootstrap error if all bridges are unreachable - * Bug 11200: Prevent spurious error message prior to enabling network. - * Linux: - * Bug 11190: Switch linux PT build process to python2 - * Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds. - * Windows: - * Bug 11286: Fix fte transport launch error - -Tor Browser Bundle 3.5.4 -- Apr 7 2014 - * All Platforms - * Update OpenSSL to 1.0.1g - -Tor Browser Bundle 3.5.3 -- Mar 19 2014 - * All Platforms - * Update Firefox to 24.4.0esr - * Update Torbutton to 1.6.7.0: - * Bug 9901: Fix browser freeze due to content type sniffing - * Bug 10611: Add Swedish (sv) to extra locales to update - * Update NoScript to 2.6.8.17 - * Update Tor to 0.2.4.21 - * Bug 10237: Disable the media cache to prevent disk leaks for videos - * Bug 10703: Force the default charset to avoid locale fingerprinting - * Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders) - * Linux: - * Bug 9353: Fix keyboard input on Ubuntu 13.10 - * Bug 9896: Provide debug symbols for Tor Browser binary - * Bug 10472: Pass arguments to the browser from Linux startup script - -Tor Browser Bundle 3.6-beta-1 -- Mar 17 2014 - * All Platforms - * Update Firefox to 24.4.0esr - * Include Pluggable Transports by default: - * Obfsproxy3 0.2.4, Flashproxy 1.6, and FTE 0.2.6 are now included - * Update Tor Launcher to 0.2.5.1 - * Bug 10418: Provide UI configuration for Pluggable Transports - * Bug 10604: Allow Tor status & error messages to be translated - * Bug 10894: Make bridge UI clear that helpdesk is a last resort for - bridges - * Bug 10610: Clarify wizard UI text describing obstacles/blocking - * Bug 11074: Support Tails use case (XULRunner and optional - customizations) - * Update Torbutton to 1.6.7.0: - * Bug 9901: Fix browser freeze due to content type sniffing - * Bug 10611: Add Swedish (sv) to extra locales to update - * Update NoScript to 2.6.8.17 - * Update Tor to 0.2.4.21 - * Backport Pending Tor Patches: - * Bug 5018: Don't launch Pluggable Transport helpers if not in use - * Bug 9229: Eliminate 60 second stall during bootstrap with some PTs - * Bug 11069: Detect and report Pluggable Transport bootstrap failures - * Bug 11156: Prevent spurious warning about missing pluggable transports - * Bug 10237: Disable the media cache to prevent disk leaks for videos - * Bug 10703: Force the default charset to avoid locale fingerprinting - * Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders) - * Mac: - * Bug 4261: Use DMG instead of ZIP for Mac packages - * Linux: - * Bug 9353: Fix keyboard input on Ubuntu 13.10 - * Bug 9896: Provide debug symbols for Tor Browser binary - * Bug 10472: Pass arguments to the browser from Linux startup script - -Tor Browser Bundle 3.5.2.1 -- Feb 14 2014 - * All Platforms - * Bug 10895: Fix broken localized bundles - * Windows: - * Bug 10323: Remove unneeded gcc/libstdc++ libraries from dist - -Tor Browser Bundle 3.5.2 -- Feb 8 2014 - * All Platforms - * Rebase Tor Browser to Firefox 24.3.0ESR - * Bug 10419: Block content window connections to localhost - * Update Torbutton to 1.6.6.0 - * Bug 10800: Prevent findbox exception and popup in New Identity - * Bug 10640: Fix about:tor's update pointer position for RTL languages. - * Bug 10095: Fix some cases where resolution is not a multiple of 200x100 - * Bug 10374: Clear site permissions on New Identity - * Bug 9738: Fix for auto-maximizing on browser start - * Bug 10682: Workaround to really disable updates for Torbutton - * Bug 10419: Don't allow connections to localhost if Torbutton is toggled - * Bug 10140: Move Japanese to extra locales (not part of TBB dist) - * Bug 10687: Add Basque (eu) to extra locales (not part of TBB dist) - * Update Tor Launcher to 0.2.4.4 - * Bug 10682: Workaround to really disable updates for Tor Launcher - * Update NoScript to 2.6.8.13 - -Tor Browser Bundle 3.5.1 -- Jan 22 2014 - * All Platforms - * Bug 10447: Remove SocksListenAddress to allow multiple socks ports. - * Bug 10464: Remove addons.mozilla.org from NoScript whitelist - * Bug 10537: Build an Arabic version of TBB 3.5 - * Update Torbutton to 1.6.5.5 - * Bug 9486: Clear NoScript Temporary Permissions on New Identity - * Include Arabic translations - * Update Tor Launcher to 0.2.4.3 - * Include Arabic translations - * Update Tor to 0.2.4.20 - * Update OpenSSL to 1.0.1f - * Update NoScript to 2.6.8.12 - * Update HTTPS-Everywhere to 3.4.5 - * Windows - * Bug 9259: Enable Accessibility (screen reader) support - * Mac - * misc: Update bundle version field in Info.plist (for MacUpdates service) - -Tor Browser Bundle 3.5 -- Dec 17 2013 - * All Platforms - * Update Tor to 0.2.4.19 - * Update Tor Launcher to 0.2.4.2 - * Bug 10382: Fix a Tor Launcher hang on TBB exit - * Update Torbutton to 1.6.5.2 - * Misc: Switch update download URL back to download-easy - -Tor Browser Bundle 3.5rc1 -- Dec 12 2013 - * All Platforms - * Update Firefox to 24.2.0esr - * Update NoScript to 2.6.8.7 - * Update HTTPS-Everywhere to 3.4.4tbb (special TBB tag) - * Tag includes a patch to handle enabling/disabling Mixed Content Blocking - * Bug 5060: Disable health report service - * Bug 10367: Disable prompting about health report and Mozilla Sync - * Misc Prefs: Disable HTTPS-Everywhere first-run tooltips - * Misc Prefs: Disable layer acceleration to avoid crashes on Windows - * Misc Prefs: Disable Mixed Content Blocker pending backport of Mozilla Bug 878890 - * Update Tor Launcher to 0.2.4.1 - * Bug 10147: Adblock Plus interferes w/Tor Launcher dialog - * Bug 10201: FF ESR 24 hangs during exit on Mac OS - * Bug 9984: Support running Tor Launcher from InstantBird - * Misc: Support browser directory location API changes in Firefox 24 - * Update Torbutton to 1.6.5.1 - * Bug 10352: Clear FF24 Private Browsing Mode data during New Identity - * Bug 8167: Update cache isolation for FF24 API changes - * Bug 10201: FF ESR 24 hangs during exit on Mac OS - * Bug 10078: Properly clear crypto tokens during New Identity on FF24 - * Bug 9454: Support changes to Private Browsing Mode and plugin APIs in FF24 - * Linux - * Bug 10213; Use LD_LIBRARY_PATH (fixes launch issues on old Linux distros) - -Tor Browser Bundle 3.0rc1 -- Nov 21 2013 - * All Platforms: - * Update Firefox to 17.0.11esr - * Update Tor to 0.2.4.18-rc - * Remove unsupported PDF.JS addon from the bundle - * Bug #7277: TBB's Tor client will now omit its timestamp in the TLS handshake. - * Update Torbutton to 1.6.4.1 - * Bug #10002: Make the TBB3.0 blog tag our update download URL for now - * Windows - * Bug #10102: Patch binutils to remove nondeterministic bytes in compiled binaries - * Linux - * Bug #10049: Fix architecture check to work from outside TBB's directory - * Bug #10126: Remove libz and firefox-bin, and strip unstripped binaries - * Misc: Disable Firefox updater during compile time (in addition to pref) - -Tor Browser Bundle 3.0beta1 -- Oct 31 2013 - * All Platforms: - * Update Firefox to 17.0.10esr - * Update NoScript to 2.6.8.2 - * Update HTTPS-Everywhere to 3.4.2 - * Bug #9114: Reorganize the bundle directory structure to ease future - autoupdates - * Bug #9173: Patch Tor Browser to auto-detect profile directory if - launched without the wrapper script. - * Bug #9012: Hide Tor Browser infobar for missing plugins. - * Bug #8364: Change the default entry page for the addons tab to the - installed addons page. - * Bug #9867: Make flash objects really be click-to-play if flash is enabled. - * Bug #8292: Make getFirstPartyURI log+handle errors internally to simplify - caller usage of the API - * Bug #3661: Remove polipo and privoxy from the banned ports list. - * misc: Fix a potential memory leak in the Image Cache isolation - * misc: Fix a potential crash if OS theme information is ever absent - * Update Tor-Launcher to 0.2.3.1-beta - * Bug #9114: Handle new directory structure - * misc: Tor Launcher now supports Thunderbird - * Update Torbutton to 1.6.4 - * Bug #9224: Support multiple Tor socks ports for about:tor status check - * Bug #9587: Add TBB version number to about:tor - * Bug #9144: Workaround to handle missing translation properties - * Windows: - * Bug #9084: Fix startup crash on Windows XP. - * Linux: - * Bug #9487: Create detached debuginfo files for Linux Tor and Tor - Browser binaries. - -Tor Browser Bundle 3.0alpha4 -- Sep 24 2013 - * All Platforms: - * Bug #8751: Randomize TLS HELLO timestamp in HTTPS connections - * Bug #9790 (workaround): Temporarily re-enable JS-Ctypes for cache - isolation and SSL Observatory - * Update Firefox to 17.0.9esr - * Update Tor to 0.2.4.17-rc - * Update NoScript to 2.6.7.1 - * Update Tor-Launcher to 0.2.2-alpha - * Bug #9675: Provide feedback mechanism for clock-skew and other early - startup issues - * Bug #9445: Allow user to enter bridges with or without 'bridge' keyword - * Bug #9593: Use UTF16 for Tor process launch to handle unicode paths. - * misc: Detect when Tor exits and display appropriate notification - * Update Torbutton to 1.6.2.1 - * Bug 9492: Fix Torbutton logo on OSX and Windows (and related - initialization code) - * Bug 8839: Disable Google/Startpage search filters using Tor-specific urls - - -Tor Browser Bundle 3.0alpha3 -- Aug 01 2013 - * All Platforms: - * Update Firefox to 17.0.8esr - * Update Tor to 0.2.4.15-rc - * Update HTTPS-Everywhere to 3.3.1 - * Update NoScript to 2.6.6.9 - * Improve build input fetching and authentication - * Bug #9283: Update NoScript prefs for usability. - * Bug #6152 (partial): Disable JSCtypes support at compile time - * Update Torbutton to 1.6.1 - * Bug 8478: Change when window resize code fires to avoid rounding errors - * Bug 9331: Hack an update URL for the next TBB release - * Bug 9144: Change an aboutTor.dtd string so transifex will accept it - * Update Tor-Launcher to 0.2.1-alpha - * Bug #9128: Remove dependency on JSCtypes - * Windows - * Bug #9195: Disable download manager AV scanning (to prevent cloud - reporting+scanning of downloaded files) - * Mac: - * Bug #9173 (partial): Launch firefox-bin on MacOS instead of TorBrowser.app - (improves dock behavior). - - -Tor Browser Bundle 3.0alpha2 -- June 27 2013 - * All Platforms: - * Update Firefox to 17.0.7esr - * Update Tor to 0.2.4.14-alpha - * Include Tor's GeoIP file - * This should fix custom torrc issues with country-based node - restrictions - * Fix several build determinism issues - * Include ChangeLog in bundles. - * Linux: - * Use Ubuntu's 'hardening-wrapper' to build our Linux binaries - * Windows: - * Fix many crash issues by disabling Direct2D support for now. - * Mac: - * Bug 8987: Disable TBB's 'Saved Application State' disk records on OSX 10.7+ - -Tor Browser Bundle 3.0alpha1 -- June 17 2013 - * All Platforms: - * Remove Vidalia; Use the new Tor Launcher Firefox Addon instead - * Update Torbutton to 1.6.0 - * bug 7494: Create a local home page for TBB as about:tor - * misc: Perform a control port test of proper Tor configuration by default. - Only use https://check.torproject.org if the control port is - unavailable. - * misc: Add an icon menu option for Tor Launcher's Network Settings - * misc: Add branding string overrides (primarily controls browser name and - homepage) - * Update HTTPS-Everywhere to 3.2.2 - * Update NoScript to 2.6.6.6 - * Update PDF.JS to 0.8.1 - * Windows: - * Use MinGW-w64 (via Gitian) to cross-compile the bundles from Ubuntu - * Use TBB-Windows-Installer to guide Windows users through TBB extraction - * Temporarily disable WebGL and Accessibility support due to minor MinGW - issues - * Mac: - * Use 'Toolchain4' fork by Ray Donnelley to cross-compile the bundles from - Ubuntu - - +Tor Browser 5.5a5-hardened -- December 16 2015 + * All Platforms + * Update Firefox to 38.5.0esr + * Update Tor to 0.2.7.6 + * Update OpenSSL to 1.0.1q + * Update NoScript to 2.7 + * Update Torbutton to 1.9.4.2 + * Bug 16940: After update, load local change notes + * Bug 16990: Avoid matching '250 ' to the end of node name + * Bug 17565: Tor fundraising campaign donation banner + * Bug 17770: Fix alignments on donation banner + * Bug 17792: Include donation banner in some non en-US Tor Browsers + * Bug 17108: Polish about:tor appearance + * Bug 17568: Clean up tor-control-port.js + * Translation updates + * Update Tor Launcher to 0.2.8.1 + * Bug 17344: Enumerate available language packs for language prompt + * Code clean-up + * Translation updates + * Bug 12516: Compile Tor Browser with -fwrapv + * Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875) + * Bug 15564: Isolate SharedWorkers by first-party domain + * Bug 16940: After update, load local change notes + * Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313) + * Bug 17747: Add ndnop3 as new default obfs4 bridge + * Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646) + * Bug 17369: Disable RC4 fallback + * Bug 17442: Remove custom updater certificate pinning + * Bug 16863: Avoid confusing error when loop.enabled is false + * Bug 17502: Add a preference for hiding "Open with" on download dialog + * Bug 17446: Prevent canvas extraction by third parties (fixup of #6253) + * Bug 16441: Suppress "Reset Tor Browser" prompt diff --git a/gitian/versions.alpha b/gitian/versions.alpha index da69f65..511ea05 100755 --- a/gitian/versions.alpha +++ b/gitian/versions.alpha @@ -11,14 +11,14 @@ MULTI_LINGUAL=1 VERIFY_TAGS=1 -FIREFOX_VERSION=38.4.0esr +FIREFOX_VERSION=38.5.0esr TORBROWSER_UPDATE_CHANNEL=hardened TORBROWSER_TAG=tor-browser-${FIREFOX_VERSION}-5.5-1-build1 -TOR_TAG=tor-0.2.7.4-rc -TORLAUNCHER_TAG=0.2.8 -TORBUTTON_TAG=1.9.4.1 +TOR_TAG=tor-0.2.7.6 +TORLAUNCHER_TAG=0.2.8.1 +TORBUTTON_TAG=1.9.4.2 HTTPSE_TAG=5.1.1 NSIS_TAG=v0.3 ZLIB_TAG=v1.2.8 @@ -43,10 +43,10 @@ NOTOFONTS_TAG=720e34851382ee3c1ef024d8dffb68ffbfb234c2 GITIAN_TAG=tor-browser-builder-3.x-8-gpgsux -OPENSSL_VER=1.0.1p +OPENSSL_VER=1.0.1q GMP_VER=5.1.3 FIREFOX_LANG_VER=$FIREFOX_VERSION -FIREFOX_LANG_BUILD=build2 +FIREFOX_LANG_BUILD=build1 BINUTILS_VER=2.24 GCC_VER=5.2.0 PYTHON_VER=2.7.5 @@ -66,7 +66,7 @@ NOTOCJKFONT_VER=1.004 ## File names for the source packages OPENSSL_PACKAGE=openssl-${OPENSSL_VER}.tar.gz GMP_PACKAGE=gmp-${GMP_VER}.tar.bz2 -NOSCRIPT_PACKAGE=noscript_security_suite-2.6.9.39-sm+fx+fn.xpi +NOSCRIPT_PACKAGE=noscript_security_suite-2.7-sm+fx+fn.xpi TOOLCHAIN4_PACKAGE=x86_64-apple-darwin10.tar.xz TOOLCHAIN4_OLD_PACKAGE=multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz OSXSDK_PACKAGE=MacOSX10.7.sdk.tar.gz @@ -91,13 +91,13 @@ NOTOCJKFONT_PACKAGE=NotoSansCJKsc-Regular.otf STIXMATHFONT_PACKAGE=STIXv1.1.1-latex.zip # Hashes for packages with weak sigs or no sigs -OPENSSL_HASH=bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1 +OPENSSL_HASH=b3658b84e9ea606a5ded3c972a5517cd785282e7ea86b20c78aa4b773a047fb7 GMP_HASH=752079520b4690531171d0f4532e40f08600215feefede70b24fabdc6f1ab160 OSXSDK_HASH=da77bb0003fcca5ea8c4e8cb2da8828ded750c54afdcac29ec6f3b46ad5e3adf OSXSDK_OLD_HASH=6602d8d5ddb371fbc02e2a5967d9bd0cd7358d46f9417753c8234b923f2ea6fc TOOLCHAIN4_HASH=7b71bfe02820409b994c5c33a7eab81a81c72550f5da85ff7af70da3da244645 TOOLCHAIN4_OLD_HASH=65c1b2d302358a6b95a26c6828a66908a199276193bb0b268f2dcc1a997731e9 -NOSCRIPT_HASH=dd904c6a12a8b1f6b1da48d51e4df903d7f9211ba5b3f32d7272f413a3bf548a +NOSCRIPT_HASH=ab84fd85addd6c15f2ce1e81c58ac9f09b228f9e56703f4d938447b8a2b752ea MSVCR100_HASH=1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067 PYCRYPTO_HASH=f2ce1e989b272cfcb677616763e0a2e7ec659effa67a88aa92b3a65528f60a3c ARGPARSE_HASH=ddaf4b0a618335a32b6664d4ae038a1de8fbada3b25033f9021510ed2b3941a4 diff --git a/tools/update-responses/config.yml b/tools/update-responses/config.yml index 7eddcac..4244d87 100644 --- a/tools/update-responses/config.yml +++ b/tools/update-responses/config.yml @@ -9,7 +9,7 @@ build_targets: osx32: Darwin_x86-gcc3 osx64: Darwin_x86_64-gcc3 channels: - hardened: 5.5a4-hardened + hardened: 5.5a5-hardened release: 5.0 versions: 5.0: @@ -23,10 +23,12 @@ versions: osx32: minSupportedOSVersion: 10.8 detailsURL: https://blog.torproject.org/blog/end-life-plan-tor-browser-32-bit-macs#upda… - 5.5a4-hardened: - platformVersion: 38.4.0 - detailsURL: https://blog.torproject.org/blog/tor-browser-55a4-hardened-released - download_url: https://www.torproject.org/dist/torbrowser/5.5a4-hardened + 5.5a5-hardened: + platformVersion: 38.5.0 + detailsURL: https://blog.torproject.org/blog/tor-browser-55a5-hardened-released + download_url: https://www.torproject.org/dist/torbrowser/5.5a5-hardened + incremental_from: + - 5.5a4-hardened migrate_archs: osx32: osx64 osx32:

1 0

[tor-browser/tor-browser-38.5.0esr-5.5-1] fixup! Regression tests for Bug 15564: Isolate SharedWorker by first party domain
by gk＠torproject.org 14 Dec '15

14 Dec '15

commit 07c085d76a70e9bb0ed81fe810936f7f2f659389 Author: Arthur Edelstein <arthuredelstein(a)gmail.com> Date: Sat Dec 12 15:22:20 2015 -0800 fixup! Regression tests for Bug 15564: Isolate SharedWorker by first party domain Fix an error in the comment --- dom/base/test/test_tor_bug15564.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom/base/test/test_tor_bug15564.html b/dom/base/test/test_tor_bug15564.html index b8f7544..ccc749e 100644 --- a/dom/base/test/test_tor_bug15564.html +++ b/dom/base/test/test_tor_bug15564.html @@ -98,7 +98,7 @@ let sharedWorkerTest = function* (isolationOn, domainA, domainB, child_page) { // ## The main test // Run a coroutine that tests various combinations of domains -// methods, and isolation states for sharing (or not sharing) SharedWorkers. +// and isolation states for sharing (or not sharing) SharedWorkers. spawnTask(function* () { let domainA = domain1; for (let isolate of [false, true]) {

1 0

[tor-browser-bundle/master] Update Changelog
by gk＠torproject.org 12 Dec '15

12 Dec '15

commit 16950f7e29151ca3ebb230d2237128c6882b1930 Author: Georg Koppen <gk(a)torproject.org> Date: Sat Dec 12 21:33:10 2015 +0000 Update Changelog --- Bundle-Data/Docs/ChangeLog.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Bundle-Data/Docs/ChangeLog.txt b/Bundle-Data/Docs/ChangeLog.txt index 9d34a21..237fdf9 100644 --- a/Bundle-Data/Docs/ChangeLog.txt +++ b/Bundle-Data/Docs/ChangeLog.txt @@ -14,10 +14,10 @@ Tor Browser 5.5a5 -- December 15 2015 * Bug 17568: Clean up tor-control-port.js * Translation updates * Update Tor Launcher to 0.2.8.1 - * Bug 17344: enumerate available language packs for language prompt + * Bug 17344: Enumerate available language packs for language prompt * Code clean-up * Translation updates - * Bug 9659: Avoid loop due to optimistic data socks code (fix of #3875) + * Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875) * Bug 15564: Isolate SharedWorkers by first-party domain * Bug 16940: After update, load local change notes * Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313) @@ -29,9 +29,9 @@ Tor Browser 5.5a5 -- December 15 2015 * Bug 17502: Add a preference for hiding "Open with" on download dialog * Bug 17446: Prevent canvas extraction by third parties (fixup of #6253) * Bug 16441: Suppress "Reset Tor Browser" prompt - * Bug 17250: Fix broken Japanese fonts * Windows - * Bug 13819: Ship expert bundles with console + * Bug 13819: Ship expert bundles with console enabled + * Bug 17250: Fix broken Japanese fonts * OS X * Bug 17661: Whitelist font .Helvetica Neue DeskInterface

1 0

[tor-browser-bundle/master] Update changelog
by gk＠torproject.org 12 Dec '15

12 Dec '15

commit 876e23b12d044bd5c68deec7484dd7bab2e0bf75 Author: Georg Koppen <gk(a)torproject.org> Date: Sat Dec 12 20:55:21 2015 +0000 Update changelog --- Bundle-Data/Docs/ChangeLog.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Bundle-Data/Docs/ChangeLog.txt b/Bundle-Data/Docs/ChangeLog.txt index 335417f..9d34a21 100644 --- a/Bundle-Data/Docs/ChangeLog.txt +++ b/Bundle-Data/Docs/ChangeLog.txt @@ -18,6 +18,7 @@ Tor Browser 5.5a5 -- December 15 2015 * Code clean-up * Translation updates * Bug 9659: Avoid loop due to optimistic data socks code (fix of #3875) + * Bug 15564: Isolate SharedWorkers by first-party domain * Bug 16940: After update, load local change notes * Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313) * Bug 17747: Add ndnop3 as new default obfs4 bridge @@ -28,8 +29,11 @@ Tor Browser 5.5a5 -- December 15 2015 * Bug 17502: Add a preference for hiding "Open with" on download dialog * Bug 17446: Prevent canvas extraction by third parties (fixup of #6253) * Bug 16441: Suppress "Reset Tor Browser" prompt + * Bug 17250: Fix broken Japanese fonts * Windows * Bug 13819: Ship expert bundles with console + * OS X + * Bug 17661: Whitelist font .Helvetica Neue DeskInterface Tor Browser 5.5a4 -- November 3 2015 * All Platforms

1 0

[tor-browser/tor-browser-38.4.0esr-5.5-1] Bug 15564: Isolate SharedWorker by first party domain
by gk＠torproject.org 12 Dec '15

12 Dec '15

commit 67173fc914d1fb17b942e8f7b1c9de770a21a347 Author: Arthur Edelstein <arthuredelstein(a)gmail.com> Date: Thu Oct 8 12:45:37 2015 -0700 Bug 15564: Isolate SharedWorker by first party domain --- dom/workers/RuntimeService.cpp | 27 ++++++++++++++++++++------- dom/workers/RuntimeService.h | 5 ++++- dom/workers/WorkerPrivate.cpp | 5 +++++ dom/workers/WorkerPrivate.h | 8 ++++++++ 4 files changed, 37 insertions(+), 8 deletions(-) diff --git a/dom/workers/RuntimeService.cpp b/dom/workers/RuntimeService.cpp index 271c74f..4f5f363 100644 --- a/dom/workers/RuntimeService.cpp +++ b/dom/workers/RuntimeService.cpp @@ -64,6 +64,7 @@ #include "WorkerPrivate.h" #include "WorkerRunnable.h" #include "WorkerThread.h" +#include "ThirdPartyUtil.h" #ifdef ENABLE_TESTS #include "BackgroundChildImpl.h" @@ -269,11 +270,13 @@ GetWorkerPref(const nsACString& aPref, // This function creates a key for a SharedWorker composed by "name|scriptSpec". // If the name contains a '|', this will be replaced by '||'. void -GenerateSharedWorkerKey(const nsACString& aScriptSpec, const nsACString& aName, +GenerateSharedWorkerKey(const nsACString& aScriptSpec, + const nsACString& aIsolationKey, + const nsACString& aName, nsCString& aKey) { aKey.Truncate(); - aKey.SetCapacity(aScriptSpec.Length() + aName.Length() + 1); + aKey.SetCapacity(aScriptSpec.Length() + aName.Length() + aIsolationKey.Length() + 2); nsACString::const_iterator start, end; aName.BeginReading(start); @@ -288,6 +291,9 @@ GenerateSharedWorkerKey(const nsACString& aScriptSpec, const nsACString& aName, aKey.Append('|'); aKey.Append(aScriptSpec); + + aKey.Append('|'); + aKey.Append(aIsolationKey); } void @@ -1402,13 +1408,16 @@ RuntimeService::RegisterWorker(JSContext* aCx, WorkerPrivate* aWorkerPrivate) if (isSharedOrServiceWorker) { const nsCString& sharedWorkerName = aWorkerPrivate->SharedWorkerName(); + const nsCString& isolationKey = aWorkerPrivate->IsolationKey(); nsAutoCString key; - GenerateSharedWorkerKey(sharedWorkerScriptSpec, sharedWorkerName, key); + GenerateSharedWorkerKey(sharedWorkerScriptSpec, isolationKey, sharedWorkerName, key); MOZ_ASSERT(!domainInfo->mSharedWorkerInfos.Get(key)); SharedWorkerInfo* sharedWorkerInfo = - new SharedWorkerInfo(aWorkerPrivate, sharedWorkerScriptSpec, + new SharedWorkerInfo(aWorkerPrivate, + sharedWorkerScriptSpec, + isolationKey, sharedWorkerName); domainInfo->mSharedWorkerInfos.Put(key, sharedWorkerInfo); } @@ -1509,7 +1518,9 @@ RuntimeService::UnregisterWorker(JSContext* aCx, WorkerPrivate* aWorkerPrivate) if (match.mSharedWorkerInfo) { nsAutoCString key; GenerateSharedWorkerKey(match.mSharedWorkerInfo->mScriptSpec, - match.mSharedWorkerInfo->mName, key); + match.mSharedWorkerInfo->mIsolationKey, + match.mSharedWorkerInfo->mName, + key); domainInfo->mSharedWorkerInfos.Remove(key); } } @@ -2293,7 +2304,7 @@ RuntimeService::CreateSharedWorkerFromLoadInfo(JSContext* aCx, NS_ENSURE_SUCCESS(rv, rv); nsAutoCString key; - GenerateSharedWorkerKey(scriptSpec, aName, key); + GenerateSharedWorkerKey(scriptSpec, aLoadInfo->mIsolationKey, aName, key); if (mDomainMap.Get(aLoadInfo->mDomain, &domainInfo) && domainInfo->mSharedWorkerInfos.Get(key, &sharedWorkerInfo)) { @@ -2368,7 +2379,9 @@ RuntimeService::ForgetSharedWorker(WorkerPrivate* aWorkerPrivate) if (match.mSharedWorkerInfo) { nsAutoCString key; GenerateSharedWorkerKey(match.mSharedWorkerInfo->mScriptSpec, - match.mSharedWorkerInfo->mName, key); + match.mSharedWorkerInfo->mIsolationKey, + match.mSharedWorkerInfo->mName, + key); domainInfo->mSharedWorkerInfos.Remove(key); } } diff --git a/dom/workers/RuntimeService.h b/dom/workers/RuntimeService.h index 94bff10..8036b60 100644 --- a/dom/workers/RuntimeService.h +++ b/dom/workers/RuntimeService.h @@ -34,12 +34,15 @@ class RuntimeService final : public nsIObserver { WorkerPrivate* mWorkerPrivate; nsCString mScriptSpec; + nsCString mIsolationKey; nsCString mName; SharedWorkerInfo(WorkerPrivate* aWorkerPrivate, const nsACString& aScriptSpec, + const nsACString& aIsolationKey, const nsACString& aName) - : mWorkerPrivate(aWorkerPrivate), mScriptSpec(aScriptSpec), mName(aName) + : mWorkerPrivate(aWorkerPrivate), mScriptSpec(aScriptSpec), + mIsolationKey(aIsolationKey), mName(aName) { } }; diff --git a/dom/workers/WorkerPrivate.cpp b/dom/workers/WorkerPrivate.cpp index 7057b3a..5d0064b 100644 --- a/dom/workers/WorkerPrivate.cpp +++ b/dom/workers/WorkerPrivate.cpp @@ -4355,6 +4355,7 @@ WorkerPrivate::GetLoadInfo(JSContext* aCx, nsPIDOMWindow* aWindow, } loadInfo.mDomain = aParent->Domain(); + loadInfo.mIsolationKey = aParent->IsolationKey(); loadInfo.mFromWindow = aParent->IsFromWindow(); loadInfo.mWindowID = aParent->WindowID(); loadInfo.mIndexedDBAllowed = aParent->IsIndexedDBAllowed(); @@ -4421,6 +4422,10 @@ WorkerPrivate::GetLoadInfo(JSContext* aCx, nsPIDOMWindow* aWindow, loadInfo.mBaseURI = document->GetDocBaseURI(); loadInfo.mLoadGroup = document->GetDocumentLoadGroup(); + nsCString isolationKey; + ThirdPartyUtil::GetFirstPartyHost(document, isolationKey); + loadInfo.mIsolationKey = isolationKey; + // Use the document's NodePrincipal as our principal if we're not being // called from chrome. if (!loadInfo.mPrincipal) { diff --git a/dom/workers/WorkerPrivate.h b/dom/workers/WorkerPrivate.h index a684e6d..a84407c 100644 --- a/dom/workers/WorkerPrivate.h +++ b/dom/workers/WorkerPrivate.h @@ -169,6 +169,7 @@ public: nsAutoPtr<PrincipalInfo> mPrincipalInfo; nsCString mDomain; + nsCString mIsolationKey; uint64_t mWindowID; @@ -218,6 +219,7 @@ public: mPrincipalInfo = aOther.mPrincipalInfo.forget(); mDomain = aOther.mDomain; + mIsolationKey = aOther.mIsolationKey; mWindowID = aOther.mWindowID; mFromWindow = aOther.mFromWindow; mEvalAllowed = aOther.mEvalAllowed; @@ -532,6 +534,12 @@ public: return mLoadInfo.mDomain; } + const nsCString& + IsolationKey() const + { + return mLoadInfo.mIsolationKey; + } + bool IsFromWindow() const {

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

tbb-commits December 2015