[tor-commits] [tor-browser-spec/master] Describe new Firefox patches and update links.
mikeperry at torproject.org
Mon Apr 28 15:18:48 UTC 2014
commit 122128797f57ee3d77dda4e6ebcca0645a079d30
Author: Mike Perry <mikeperry-git at fscked.org>
Date: Fri Dec 16 20:40:26 2011 -0800
Describe new Firefox patches and update links.
---
docs/design/design.xml | 50 +++++++++++++++++++++++++++++++++++++++---------
1 file changed, 41 insertions(+), 9 deletions(-)
diff --git a/docs/design/design.xml b/docs/design/design.xml
index f034fb5..27c8769 100644
--- a/docs/design/design.xml
+++ b/docs/design/design.xml
@@ -727,7 +727,7 @@ supported mime types for all currently installed plugins.
<para>
In addition, to prevent any unproxied activity by plugins at load time, we
also patch the Firefox source code to <ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0007-Block-all-plugins-except-flash.patch">prevent the load of any plugins except
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0007-Block-all-plugins-except-flash.patch">prevent the load of any plugins except
for Flash and Gnash</ulink>.
</para>
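Review bot: the replacement url on the + line still tracks the maint-2.2 branch rather than a fixed revision, so the next move or renumbering under src/current-patches/firefox/ will break it the same way the old path broke. Consider linking to a tag or commit id, here and in the other patch links this commit rewrites.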
@@ -806,13 +806,13 @@ In addition, three Firefox patches are needed to prevent disk writes, even if
Private Browsing Mode is enabled. We need to
<ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0002-Make-Permissions-Manager-memory-only.patch">prevent
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0002-Make-Permissions-Manager-memory-only.patch">prevent
the permissions manager from recording HTTPS STS state</ulink>,
<ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0003-Make-Intermediate-Cert-Store-memory-only.patch">prevent
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0003-Make-Intermediate-Cert-Store-memory-only.patch">prevent
intermediate SSL certificates from being recorded</ulink>, and
<ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0008-Make-content-pref-service-memory-only-clearable.patch">prevent
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0008-Make-content-pref-service-memory-only-clearable.patch">prevent
the content preferences service from recording site zoom</ulink>.
For more details on these patches, <link linkend="firefox-patches">see the
@@ -930,7 +930,7 @@ security of the isolation</ulink> and to <ulink
url="https://trac.torproject.org/projects/tor/ticket/3754">solve conflicts
with OCSP relying the cacheKey property for reuse of POST requests</ulink>, we
had to <ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0005-Add-a-string-based-cacheKey.patch">patch
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0005-Add-a-string-based-cacheKey.patch">patch
Firefox to provide a cacheDomain cache attribute</ulink>. We use the fully
qualified url bar domain as input to this field.
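Review bot: the link text "patch Firefox to provide a cacheDomain cache attribute" does not match the patch it points at, 0005-Add-a-string-based-cacheKey.patch, which is named for a string-based cacheKey. Since the url line is being touched anyway, make the prose and the patch name use the same term. The unchanged context line above also reads "OCSP relying the cacheKey property", which is missing "on".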
@@ -967,7 +967,7 @@ url="https://developer.mozilla.org/en/Setting_HTTP_request_headers#Observers">ht
observer</ulink> to remove the Authorization headers to prevent <ulink
url="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html">silent
linkability between domains</ulink>. We also needed to <ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0004-Add-HTTP-auth-headers-before-the-modify-request-obse.patch">patch
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0004-Add-HTTP-auth-headers-before-the-modify-request-obse.patch">patch
Firefox to cause the headers to get added early enough</ulink> to allow the
observer to modify it.
@@ -1263,7 +1263,7 @@ Firefox provides several options for controlling the browser user agent string
which we leverage. We also set similar prefs for controlling the
Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
<ulink
-url="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0001-Block-Components.interfaces-lookupMethod-from-conten.patch">remove
+url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0001-Block-Components.interfaces-lookupMethod-from-conten.patch">remove
content script access</ulink> to Components.interfaces, which <ulink
url="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html">can be
used</ulink> to fingerprint OS, platform, and Firefox minor version. </para>
@@ -1464,8 +1464,7 @@ audio and video objects.
<title>Description of Firefox Patches</title>
<para>
The set of patches we have against Firefox can be found in the <ulink
-url="https://gitweb.torproject.org/torbrowser.git/tree/refs/heads/maint-2.2:/src/current-patches">current-patches
-directory of the torbrowser git repository</ulink>. They are:
+url="https://gitweb.torproject.org/torbrowser.git/tree/maint-2.2:/src/current-patches/firefox">current-patches directory of the torbrowser git repository</ulink>. They are:
</para>
<orderedlist>
<listitem>Block Components.interfaces and Components.lookupMethod
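Review bot: the url on the + line now points at src/current-patches/firefox, but the link text on that same line still says "current-patches directory". Suggest "current-patches/firefox directory" so the text matches the target. Joining the two former lines also leaves one very long line; wrapping it like the other ulink elements in this file would keep it consistent.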
@@ -1566,6 +1565,39 @@ the profile directory as content prefs change (includes site-zoom and perhaps
other site prefs?).
</para>
</listitem>
+ <listitem>Make Tor Browser exit when not launched from Vidalia
+ <para>
+
+It turns out that on Windows 7 and later systems, the Taskbar attempts to
+automatically learn the most frequent apps used by the user, and it recognizes
+Tor Browser as a seperate app from Vidalia. This can cause users to try to
+launch Tor Brower without Vidalia or a Tor instance running. Worse, the Tor
+Browser will automatically find their default Firefox profile, and properly
+connect directly without using Tor. This patch is a simple hack to cause Tor
+Browser to immediately exit in this case.
+
+ </para>
+ </listitem>
+ <listitem>Disable SSL Session ID tracking
+ <para>
+
+This patch is a simple 1-line hack to prevent SSL connections from caching
+(and then later transmitting) their Session IDs. There was no preference to
+govern this behavior, so we had to hack it by altering the SSL new connection
+defaults.
+
+ </para>
+ </listitem>
+ <listitem>Provide an observer event to close persistent connections
+ <para>
+
+This patch creates an observer event in the HTTP connection manager to close
+all keep-alive connections that still happen to be open. This event is emitted
+by the <link linkend="new-identity">New Identity</link> button.
+
+ </para>
+ </listitem>
+
</orderedlist>
</sect2>
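Review bot: two typos in the first added listitem: "seperate" should be "separate" and "Tor Brower" should be "Tor Browser". In the same paragraph, "properly connect directly without using Tor" reads as if the unproxied connection were intended; dropping "properly" would say what is meant. The paragraph also does not say how the browser decides it was not launched from Vidalia, which is worth one sentence since the exit depends on it. The last added listitem uses linkend="new-identity", which is not defined in the visible hunks; please confirm that id exists in design.xml.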