Security/Fusion/Esr140: Difference between revisions

Page with uplift information from Tor Browser 14 to mozilla-central before reaching esr140. Patches need to land before May 22 to ride the train normally. For 140 the effort focuses on privacy.resistFingerprinting and everything that doesn't require us to land the Tor proxy code.

This page is meant to have a more editable version of Tor uplift priorities.

Bug 1958496 is meant to track the progress on the project.

Automatic for linking tor patches with bugzilla bugs: Tor Browser Patches

Status

As usual, commit hashes will become outdated, and the most recent active branch should be considered.

P1: patches in Phab, blocked review

P2: need help from upstream!

• Bug 1746668: l10n leak important improvements, see comment 28 with a plan I outlined, we need approval, or to somehow review it and then get started with it
  • manuel: not sure who to ask right now, zibi left mozilla recently, so we need to find someone else to ask
• Bug 1944251: drop font.system.whitelist, make TB consistent with Firefox and improve compatibility (#43322)
• Bug 1397996: scrollbar leaks, we want an upstream take on it (tradeoffs with accessibility) (#22137)
• Bug 1676104: this is not a P1 only because it should affect UI and/or AC requests (e.g., addons?). Our current patch is BB 40171: Make WebRequest and GeckoWebExecutor First-Party aware (5240a3b5); see also #40171 (still open for uplift).
• Bug 1869821: intl.accept_languages is very dangerous. P2 only because Firefox has localized builds rather than multi-lingual like us and because we might want to talk about our patches first (BB 42084: Ensure English spoofing works even if preferences are set out of order. + BB 41930: Remove the UI to customize accept_languages., 2d23c333 and 79f3e7cd). Good analysis in #41930.
• BB 30605: Honor privacy.spoof_english in Android (160f0b8a), no Bug yet, as far as I know. We'll need some help from upstream because it needs also an additional part for the UI (TB 40087 [android]: Implement a switch for spoof English., 7e749377, for us), and I think we've never uplifted something user-exposed.
• BB 42562: Normalized the Accepted Languages on Android. (299ae962): this goes probably with spoof English. In any case, locale protection is pretty weak on Firefox, especially on Android (even though Android has a lot of other problems)
• Bug 1594455: LB styling/cosmetics. Our UX team investigated a lot and we think our LB is really good looking, but Moz UX team will probably want to check it first. We could also do it in multiple steps (e.g., rounded corner and vertical center first, custom background in another bug)
• Bug 1923368: disk leak, I'd like to force-inline more file types, not only PDFs (partially implemented downstream as BB 42220, b784ed28)
• Bug 1475811: nobody really understand how these speculative connections work . Downstream issue: #31075 and !797, to replace BB 26353: Prevent speculative connect that violated FPI. (775e0460)
• Bug 1428034: has something changed in the last 6 years? Our patch is BB 30541: Disable WebGL readPixel() for web content (44ff0b2c)
• What about Wayland and fingerprinting?
  • E.g., Bug 1940296 for vsync, but we currently force Wayland off because we don't know how fingerprintable it is
  • See also #42645
• TB 23247: Communicating security expectations for .onion (646be9d3): over the years, some patches have been uplifted for optionally treating .onion http as HTTPS. Can we resume the work also on that? Do we have a meta?

Build and vendoring

• Bug 1393901: WebRTC on mingw (various commits, #41021, #41459, #42758 (moved)). Our patches work, at least in ESR 128, but vendoring these 3rd party libs isn't trivial in Firefox, we might need help to prepare the patches as you like.
• Bug 1115874: make openh264 reproducible. We have the knowledge to do it, but we need to check how upstream wants to do it (#15910).
• Bug 1902067: official support for the gnullvm Rust target. We've been using it for almost a year now, with success (tor-browser-build#29320)

P3

Upliftable

Maybe with some help

• BB 42739: Use the brand name for profile error messages (41d4938d)
• BB 43101: Deep link to the startup security warning explanation. (73048f9b)
• BB 41854: Allow overriding download spam protection. and BB 42832: Download spam prevention exemption for browser extensions. (11b58475, c8e60400)
  • Might need some refinement: #43224
  • Might already have a MozBug?
• BB 42616: Remove VideoCaptureTest.kt. (e3174c36)
  • Cannot be uplifted as it is, we should exclude the file when MOZ_WEBRTC is false/undefined rather than deleting the file
• BB 33852: Clean up about:logins (LockWise) to avoid mentioning sync, etc. (f183b147)
  • Partially upliftable (the part to disable the create login with nocertdb)
• BB 40002: Remove about:ion (ea34c897): could probably use an environment variable or some compile flag...
• BB 42716: Disable unwanted about: pages (73f40837)
  • Partial (I like about:robots )
• BB 41599: Always return an empty string as network ID (888ca9a3), with MOZ_PROXY_BYPASS_PROTECTION?
• BB 28369: Stop shipping pingsender executable (69e3f90b), with the telemetry build flags
• BB 42070: Hide "Use smooth scrolling" from settings (8d84a9ea)
  • This needs proper wiring with RFP/FPP (related: Bug 1832598, Bug 1834307)
• BB 41739: Remove "Website appearance" from about:preferences. (b8cd05cc)
  • Also needs proper wiring with RFP/FPP
• BB 42774: Always hide the third-pary certs UI. (0c388363)
  • We could probably replace the base browser constant with nocertdb
• BB 33955: When copying an image only copy the image contents to the clipboard, maybe with a pref?
• BB 41791: Omit the source URL when copying page contents to the clipboard (33fc8474) with MOZ_PROXY_BYPASS_PROTECTION?
• Customize moz-toggle for tor-browser. (d999affc, #41333, #40837)
  • Some Bugs might already exist, but I don't know.
• TB 41822: Unconditionally disable default browser UX in about:preferences (05ac42bf) behind a pref?

Wish list

Solving these bugs would help us.

Maybe we have downstream patches that aren't directly upliftable, but they could help us

• Bug 1799153 to drop BB 41454, d953b1d0
• Bug 1895857 to drop BB 43072, 4e8ccc77
• Bug 1790187 to drop BB 41483, 2e8f8a65
• Bug 1940296 so that our pref becomes a defense-in-depth (#43236)
• Bug 1261591 as an official way to disable NTLM at build time (and replace BB 12974: Disable NTLM and Negotiate HTTP Auth, cef5b636; close #27602)
• Reconsider the LoadLibrary protection disabled in Bug 1869397
• Bug 1851968 to improve user experience when force-inlining PDFs (and possibly other files) (#42220)
• Bug 1909736, including proper wiring with the UI (for UI we have in BB 43117: Hide "Always underline links" from settings., 1df296b1)
• Bug 1429838, we have a patch (BB 27604: Fix addon issues when moving the profile directory, ddc87498) but according to the upstream review it isn't too good. Maybe we can start working again on this (but the patch is fine for us, I guess, so P3 rather than P1/P2?)
• Bug 1711084: this might be important for Firefox. We have a patch that doesn't work for Firefox (according to Tom) (BB 40432: Prevent probing installed applications, 4e946eeb). However, if we start working on it again, we might be able to create a patch that works both for Firefox and for Tor Browser.

P4

Changes to review first, and see if there's anything upstream can do, or patches that are worth mentioning, even though they're too specific to us to actually uplift.

• Bug 1763770 (part of Tweaks to the build system, f4c94fc4): we hack a Gradle file to generate fat AARs without a proper artifact setup
• BB 28125: Prevent non-Necko network connections (1211e4d7): maybe can we export the compile time flag for proxy bypass protections upstream?
• BB 16285: Exclude ClearKey system for now (cdcd7ee6): can we make --disable-eme remove clearkey again? It was changed in Bug 1300654
• Some compile-time flag to disable the Windows PB proxy exe (also part of Tweaks to the build system, f4c94fc4)
• BB 40283: Workaround for the file upload bug (76ca7566): I think it's still needed, but it also depends on some preference we set? See the original analysis in #40283.
• An "official" way to disable RemoteSettings (currently we have BB 31740: Remove some unnecessary RemoteSettings instances, b5d5a565)
• BB 43386: Use Firefox in the UA in RFP-exempt request. (626d276e): would other forks benefit from a way to force compatibility mode without the actual product name?
• Bug 1910912 to replace BB 42835: Create an actor to filter file data transfers (0f34b048). I wonder if we should discuss usability/threat model first (I can't access the Bug)
• BB 42019: Empty browser's clipboard on browser shutdown (24981b16): IIRC we had several complains about the UX, so I don't know if upstream would be interested even with default disabled
• Bug 1752975, to support portable/standalone in Firefox. It's something we have in our threat model, but it's harder and harder to provide it. We have a few issues about this, and a patch for relative profile directory (BB 9173: Change the default Firefox profile directory to be relative., aa3fcbf1)
• TB 11641: Disable remoting by default.: things are changing upstream with the next ESR. We might want to check if we still want this kind of protection (we probably do, for linkability) and see how things have changed upstream to reconcile them with our patch.
• TB 8324: Prevent DNS proxy bypasses caused by Drag&Drop (af1af9f6): we were never been able to reproduce the problem (DNS proxy bypass) with modern system

Patches to assess

Could not reconstruct the original reason to have them or patches that might be replaced or dropped.

• BB 42630: Disable LaterRun module. (5b2be44c)
• BB 41327: Disable UrlbarProviderInterventions (d9394d1e)
• BB 26345: Hide tracking protection UI (dcc729b1): we don't use ETP because we've never audited/compared it with our threat model, maybe something to discuss at a certain point (#30939)
• TB 12647: Support symlinks in the updater. (451f2269): we have an issue about removing it (#34319)
• TB 40073: Disable remote Public Suffix List fetching (84e9763d): will not be needed anymore once we implement changes described in #41831 and #41022 for onion aliases
• TB 21952: Implement Onion-Location (23edd89d): needs complete refactor, in the past we talked also with Brave (related issues: #40100, #42688, #42736
• New identity&Firefox's "fire" button: should we start a conversation to incrementally move our new identity in this new upstream functionality? I don't know if there's a specific Bug for that.
• For Android we need to go through all our patches downstream first, so it's hard to tell what we currently need (except for what I've already written above)

Uplifted Bugs

• Bug 1845105: uplifted into 141 BB 41901: Hardcode normalized FontSubstitutes., 1539bc09
• Bug 1900648 (uplift for BB 42288: Allow language spoofing in status messages., f91b57d5) uplifted into 140

Uplift Bugs

18 Total; 9 Open (50%); 9 Resolved (50%); 0 Verified (0%);

See also