Hi,
the first Tor Browser based on Firefox ESR 38 is ready for testing and can be found at:
https://people.torproject.org/~gk/builds/5.0a3-build5/
Tor Browser 5.0a3 is based on Firefox 38.1.0esr. We needed to modify some of the new APIs and capabilities in order to neuter fingerprinting and tracking risks. Details about it can be found in the changelog below. While we think we have fixed the most crucial issues, there is still a way to go before we can switch to ESR 38 for our stable series. The open tickets currently on our radar can be found at:
https://trac.torproject.org/projects/tor/query?status=accepted&status=as...
In order to get Tor Browser built at all we needed to update our toolchain on OS X using now the OS X 10.7 SDK. For Linux and Windows we switched to GCC 5.1 as our new (cross)-compiler. We are therefore especially interested in feedback if there are stability issues or broken Tor Browser bundles due to this toolchain upgrade.
Besides these two major changes there are a lot of other things that got improved. Most notably, we bumped OpenSSL to version 1.0.1o, NoScript to version 2.6.9.27 and Torbutton to version 1.9.3.0. Included as well is a backported Tor patch to improve usability on websites and we fixed a crash bug impacting users with the security slider level set to "High".
Here is the full changelog:

Tor Browser 5.0a3 -- June 30 2015
 * All Platforms
   * Update Firefox to 38.1.0esr
   * Update OpenSSL to 1.0.1o
   * Update NoScript to 2.6.9.27
   * Tor patch backport
     * Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
   * Update Torbutton to 1.9.3.0
     * Bug 16403: Set search parameters for Disconnect
     * Bug 14429: Make sure the automatic resizing is disabled
     * Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1)
     * Bug 16200: Update Cache API usage and prefs for FF38
     * Bug 16357: Use Mozilla API to wipe permissions db
     * Translation updates
   * Update Tor Launcher to 0.2.6.7
     * Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1)
     * Bug 15145: Visually distinguish "proxy" and "bridge" screens.
     * Translation updates
   * Bug 16397: Fix crash related to disabling SVG
   * Bug 16403: Set search parameters for Disconnect
   * Bug 16446: Update FTE bridge #1 fingerprint
   * Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent
   * Bug 16005: Relax WebGL minimal mode
   * Bug 16300: Isolate Broadcast Channels to first party
   * Bug 16439: Remove Roku screencasting code
   * Bug 16285: Disabling EME bits
   * Bug 16206: Enforce certificate pinning
   * Bug 15910: Disable GMPs for now
   * Bug 13670: Isolate OCSP requests by first party domain
   * Bug 16448: Isolate favicon requests by first party
   * Bug 7561: Disable FTP request caching
   * Bug 6503: Fix single-word URL bar searching
   * Bug 15526: ES6 page crashes Tor Browser
   * Bug 16254: Disable GeoIP-based search results.
   * Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
   * Bug 13024: Disable DOM Resource Timing API
   * Bug 16340: Disable User Timing API
   * Bug 14952: Disable HTTP/2
 * Mac OS
   * Use OSX 10.7 SDK
   * Bug 16253: Tor Browser menu on OS X is broken with ESR 38
 * Build System
   * Bug 16351: Upgrade our toolchain to use GCC 5.1
   * Bug 15772 and child tickets: Update build system for Firefox 38

Georg