commit b7bf572b77a1c355473204a79da912d2333e392f Author: Piero V vogliadifarniente@gmail.com Date: Fri Jan 7 12:49:02 2022 +0100

Fixed tests for Tor Browser 11/Firefox 91.

Canged fp_navigator and fp_useragent to test with the correct version.

The screen dimensions test was failing because letterboxing is disabled on about:pages (I checked with Richard, and this is the indended behavior). Therefore, the test is now run on a TPO page, and it passes.

Updated the settings test, to check for new settings (see tor-browser!215), and not to check anymore for deprecated and removed settings (see tor-browser#40177).

As a result of these settings changes, some DOM objects are now exposed: * pointer events * gamepads * applicationCache * visualViewport However, Tor Browser already contains mitigatins against their use for fingerprinting (e.g., gamepads do not work, Mozilla added some protections to pointer events for Bugzilla#1363508, letterboxing should prevent fingerprinting on visualViewport, cache storage is 0 bytes, etc...). Some other DOM objects are just new (e.g., clientInformation).

Finally, HTTPS everywhere test failed because now Firefox redirects to HTTPS if available, even when HTTPS-Only Mode is not enabled. To detect if HTTPS everywhere is actually the responsible of the redirect, we need to run it with dom.security.https_first_pbm set to false. --- .../test_dom-objects-enumeration.py | 21 ++++++++-- marionette/tor_browser_tests/test_fp_navigator.py | 3 +- .../tor_browser_tests/test_fp_screen_dimensions.py | 2 + marionette/tor_browser_tests/test_fp_useragent.py | 3 +- .../tor_browser_tests/test_https-everywhere.py | 7 +++- marionette/tor_browser_tests/test_settings.py | 48 +++++++++++++++------- 6 files changed, 62 insertions(+), 22 deletions(-)

diff --git a/marionette/tor_browser_tests/test_dom-objects-enumeration.py b/marionette/tor_browser_tests/test_dom-objects-enumeration.py index 26ff945..666e9b0 100644 --- a/marionette/tor_browser_tests/test_dom-objects-enumeration.py +++ b/marionette/tor_browser_tests/test_dom-objects-enumeration.py @@ -17,6 +17,7 @@ class Test(testsuite.TorBrowserTest): "AbortSignal", "AbstractRange", "addEventListener", + "applicationCache", "alert", "Animation", "AnimationEffect", @@ -61,6 +62,7 @@ class Test(testsuite.TorBrowserTest): "CharacterData", "clearInterval", "clearTimeout", + "clientInformation", "Clipboard", "ClipboardEvent", "close", @@ -368,6 +370,7 @@ class Test(testsuite.TorBrowserTest): "NotifyPaintEvent", "Number", "Object", + "OfflineResourceList", "onabort", "onabsolutedeviceorientation", "onafterprint", @@ -376,6 +379,7 @@ class Test(testsuite.TorBrowserTest): "onanimationiteration", "onanimationstart", "onauxclick", + "onbeforeinput", "onbeforeprint", "onbeforeunload", "onblur", @@ -387,10 +391,8 @@ class Test(testsuite.TorBrowserTest): "oncontextmenu", "oncuechange", "ondblclick", - "ondevicelight", "ondevicemotion", "ondeviceorientation", - "ondeviceproximity", "ondrag", "ondragend", "ondragenter", @@ -405,6 +407,9 @@ class Test(testsuite.TorBrowserTest): "onerror", "onfocus", "onformdata", + "ongamepadconnected", + "ongamepaddisconnected", + "ongotpointercapture", "onhashchange", "oninput", "oninvalid", @@ -417,6 +422,7 @@ class Test(testsuite.TorBrowserTest): "onloadedmetadata", "onloadend", "onloadstart", + "onlostpointercapture", "onmessage", "onmessageerror", "onmousedown", @@ -435,6 +441,14 @@ class Test(testsuite.TorBrowserTest): "onpause", "onplay", "onplaying", + "onpointercancel", + "onpointerdown", + "onpointerenter", + "onpointerleave", + "onpointermove", + "onpointerout", + "onpointerover", + "onpointerup", "onpopstate", "onprogress", "onratechange", @@ -459,7 +473,6 @@ class Test(testsuite.TorBrowserTest): "ontransitionstart", "onunhandledrejection", "onunload", - "onuserproximity", "onvolumechange", "onwaiting", "onwebkitanimationend", @@ -498,6 +511,7 @@ class Test(testsuite.TorBrowserTest): "personalbar", "Plugin", "PluginArray", + "PointerEvent", "PopStateEvent", "PopupBlockedEvent", "postMessage", @@ -713,6 +727,7 @@ class Test(testsuite.TorBrowserTest): "ValidityState", "valueOf", "VideoPlaybackQuality", + "visualViewport", "VisualViewport", "VTTCue", "VTTRegion", diff --git a/marionette/tor_browser_tests/test_fp_navigator.py b/marionette/tor_browser_tests/test_fp_navigator.py index 91dc951..e976d85 100644 --- a/marionette/tor_browser_tests/test_fp_navigator.py +++ b/marionette/tor_browser_tests/test_fp_navigator.py @@ -56,7 +56,8 @@ class Test(MarionetteTestCase): app_version = "5.0 (Macintosh)" platform = "MacIntel" oscpu = "Intel Mac OS X 10.13" - nav_props["userAgent"] = "Mozilla/5.0 (" + ua_os + "; rv:78.0) Gecko/20100101 Firefox/78.0" + ua_ver = '91.0' + nav_props["userAgent"] = "Mozilla/5.0 (" + ua_os + "; rv:" + ua_ver + ") Gecko/20100101 Firefox/" + ua_ver nav_props["appVersion"] = app_version nav_props["platform"] = platform nav_props["oscpu"] = oscpu diff --git a/marionette/tor_browser_tests/test_fp_screen_dimensions.py b/marionette/tor_browser_tests/test_fp_screen_dimensions.py index 2e0af6d..48de4d6 100644 --- a/marionette/tor_browser_tests/test_fp_screen_dimensions.py +++ b/marionette/tor_browser_tests/test_fp_screen_dimensions.py @@ -3,6 +3,8 @@ from marionette_harness import MarionetteTestCase class Test(MarionetteTestCase): def test_screen_dims(self): with self.marionette.using_context('content'): + self.marionette.navigate('https://check.torproject.org/') + # https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/src/current-patches/... js = self.marionette.execute_script # check that availWidth and availHeight are equal to window innerWidth and innerHeight diff --git a/marionette/tor_browser_tests/test_fp_useragent.py b/marionette/tor_browser_tests/test_fp_useragent.py index 5b32bb3..13da933 100644 --- a/marionette/tor_browser_tests/test_fp_useragent.py +++ b/marionette/tor_browser_tests/test_fp_useragent.py @@ -15,5 +15,6 @@ class Test(MarionetteTestCase): ua_os = 'Windows NT 6.1; Win64; x64' if osname == 'MacOSX': ua_os = 'Macintosh; Intel Mac OS X 10.13' - self.assertEqual("Mozilla/5.0 (" + ua_os + "; rv:78.0) Gecko/20100101 Firefox/78.0", + ua_ver = '91.0' + self.assertEqual("Mozilla/5.0 (" + ua_os + "; rv:" + ua_ver + ") Gecko/20100101 Firefox/" + ua_ver, js("return navigator.userAgent")) diff --git a/marionette/tor_browser_tests/test_https-everywhere.py b/marionette/tor_browser_tests/test_https-everywhere.py index 7819771..443c9a6 100644 --- a/marionette/tor_browser_tests/test_https-everywhere.py +++ b/marionette/tor_browser_tests/test_https-everywhere.py @@ -10,8 +10,8 @@ class Test(MarionetteTestCase): ts = testsuite.TestSuite() self.ts = ts

- self.HTTP_URL = "http://httpbin.org/" - self.HTTPS_URL = "https://httpbin.org/" + self.HTTP_URL = "http://https-everywhere.badssl.com/redirect-test/status.svg" + self.HTTPS_URL = "https://https-everywhere.badssl.com/redirect-test/status.svg"

self.is_disabled = self.ts.t['test']['name'] == 'https-everywhere-disabled'

@@ -51,6 +51,9 @@ class Test(MarionetteTestCase): lambda _: m.execute_script("return OnionAliasStore._onionMap.size;") > 0)

with self.marionette.using_context('content'): + # Even without HTTPS Everywhere, Firefox checks if HTTPS is + # available, with this set to true + self.marionette.set_pref('dom.security.https_first_pbm', False) self.marionette.navigate(self.HTTP_URL)

if not self.is_disabled: diff --git a/marionette/tor_browser_tests/test_settings.py b/marionette/tor_browser_tests/test_settings.py index f24cdd0..86dfe77 100644 --- a/marionette/tor_browser_tests/test_settings.py +++ b/marionette/tor_browser_tests/test_settings.py @@ -32,11 +32,13 @@ class Test(MarionetteTestCase): # Disk activity: Disable Browsing History Storage "browser.privatebrowsing.autostart": True, "browser.cache.disk.enable": False, - "browser.cache.offline.enable": False, "permissions.memory_only": True, "network.cookie.lifetimePolicy": 2, "security.nocertdb": True,

+ # Enabled LSNG + "dom.storage.next_gen": True, + # Disk activity: TBB Directory Isolation "browser.download.useDownloadDir": False, "browser.shell.checkDefaultBrowser": False, @@ -60,6 +62,9 @@ class Test(MarionetteTestCase): "datareporting.policy.dataSubmissionEnabled": False, "security.mixed_content.block_active_content": True, # Activated with bug #21323

+ # Bug 40083: Make sure Region.jsm fetching is disabled + "browser.region.update.enabled": False, + # Make sure Unified Telemetry is really disabled, see: #18738. "toolkit.telemetry.unified": False, "toolkit.telemetry.enabled": True if ts.t["tbbinfos"]["version"].startswith("tbb-nightly") else False, @@ -75,10 +80,8 @@ class Test(MarionetteTestCase): "privacy.trackingprotection.pbmode.enabled": False, # Disable the Pocket extension (Bug #18886 and #31602) "extensions.pocket.enabled": False, - "network.http.referer.hideOnionSource": True,

# Fingerprinting - "webgl.disable-extensions": True, "webgl.disable-fail-if-major-performance-caveat": True, "webgl.enable-webgl2": False, "gfx.downloadable_fonts.fallback_delay": -1, @@ -91,22 +94,38 @@ class Test(MarionetteTestCase): "privacy.resistFingerprinting.block_mozAddonManager": True, # Bug 26114 "dom.webaudio.enabled": False, # Bug 13017: Disable Web Audio API "dom.w3c_touch_events.enabled": 0, # Bug 10286: Always disable Touch API - "dom.w3c_pointer_events.enabled": False, "dom.vr.enabled": False, # Bug 21607: Disable WebVR for now # Disable randomised Firefox HTTP cache decay user test groups (Bug: 13575) "security.webauth.webauthn": False, # Bug 26614: Disable Web Authentication API for now + # Disable SAB, no matter if the sites are cross-origin isolated. + "dom.postMessage.sharedArrayBuffer.withCOOP_COEP": False, + "network.http.referer.hideOnionSource": True, + # Bug 40463: Disable Windows SSO + "network.http.windows-sso.enabled": False, + # Bug 40383: Disable new PerformanceEventTiming + "dom.enable_event_timing": False, + # Disable API for measuring text width and height. + "dom.textMetrics.actualBoundingBox.enabled": False, + "dom.textMetrics.baselines.enabled": False, + "dom.textMetrics.emHeight.enabled": False, + "dom.textMetrics.fontBoundingBox.enabled": False, + "pdfjs.enableScripting": False,

# Third party stuff "network.cookie.cookieBehavior": 1, "privacy.firstparty.isolate": True, "network.http.spdy.allow-push": False, # Disabled for now. See https://bugs.torproject.org/27127 "network.predictor.enabled": False, # Temporarily disabled. See https://bugs.torproject.org/16633 + # Bug 40177: Make sure tracker cookie purging is disabled + "privacy.purge_trackers.enabled": False,

# Proxy and proxy security "network.proxy.socks": "127.0.0.1", "network.proxy.socks_remote_dns": True, "network.proxy.no_proxies_on": "", # For fingerprinting and local service vulns (#10419) "network.proxy.type": 1, + # Bug 40548: Disable proxy-bypass + "network.proxy.failover_direct": False, "network.security.ports.banned": "9050,9051,9150,9151", "network.dns.disablePrefetch": True, "network.protocol-handler.external-default": False, @@ -118,7 +137,6 @@ class Test(MarionetteTestCase): "network.protocol-handler.warn-external.news": True, "network.protocol-handler.warn-external.nntp": True, "network.protocol-handler.warn-external.snews": True, - "plugin.state.flash": 0, "media.peerconnection.enabled": False, # Disable WebRTC interfaces # Disables media devices but only if `media.peerconnection.enabled` is set to # `false` as well. (see bug 16328 for this defense-in-depth measure) @@ -173,14 +191,14 @@ class Test(MarionetteTestCase): # extensions.enabledScopes is set to 5 by marionette_driver #"extensions.enabledScopes": 1, "extensions.pendingOperations": False, - "xpinstall.whitelist.add": "", - "xpinstall.whitelist.add.36": "", # We don't know what extensions Mozilla is advertising to our users and we # don't want to have some random Google Analytics script running either on the # about:addons page, see bug 22073 and 22900. "extensions.getAddons.showPane": False, # Bug 26114: Allow NoScript to access addons.mozilla.org etc. "extensions.webextensions.restrictedDomains": "", + # Don't give Mozilla-recommended third-party extensions special privileges. + "extensions.postDownloadThirdPartyPrompt": False,

"dom.enable_resource_timing": False,

@@ -190,16 +208,12 @@ class Test(MarionetteTestCase): # Enforce certificate pinning, see: https://bugs.torproject.org/16206 "security.cert_pinning.enforcement_level": 2,

+ # Don't load OS client certs. + "security.osclientcerts.autoload": False, + # Don't allow MitM via Microsoft Family Safety, see bug 21686 "security.family_safety.mode": 0,

- # Disable the language pack signing check for now, see: bug 26465 - - # Avoid report TLS errors to Mozilla. We might want to repurpose this feature - # one day to help detecting bad relays (which is bug 19119). For now we just - # hide the checkbox, see bug 22072. - "security.ssl.errorReporting.enabled": False, - # Workaround for https://bugs.torproject.org/13579. Progress on # `about:downloads` is only shown if the following preference is set to `true` # in case the download panel got removed from the toolbar. @@ -211,7 +225,7 @@ class Test(MarionetteTestCase): # checking torbrowser.version match the version from the filename "torbrowser.version": ts.t["tbbinfos"]["version"],

- "startup.homepage_override_url": "https://blog.torproject.org/category/tags/tor-browser", + "startup.homepage_override_url": "https://blog.torproject.org/category/applications",

# Disable network information API everywhere # but, alas, the behavior is inconsistent across platforms, see: @@ -220,6 +234,10 @@ class Test(MarionetteTestCase): "dom.netinfo.enabled": False, }

+ MOZ_BUNDLED_FONTS = True + if MOZ_BUNDLED_FONTS: + self.SETTINGS["gfx.bundled-fonts.activate"] = 1 + # Settings for the Tor Browser 8.0 self.SETTINGS_80 = { }