Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#20685 closed task (fixed)

Make sure the first party isolation patches in ESR52 behave as they should

Reported by: gk Owned by: gk
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff52-esr, TorBrowserTeam201705, GeorgKoppen201705, tbb-7.0-must
Cc: arthuredelstein, boklm, brade, mcs Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We plan to abandon our first party isolation patches and use those in Firefox 52 instead. While the behavior should not change I think we should make sure that this is and will (for the future) be indeed the case. I am not so sure about the best way to achieve this, though. Is it just a matter of running our tbb-tests as soon as we switched to ESR52? Or can and should we do more?

Child Tickets

Change History (20)

comment:1 Changed 2 years ago by gk

Keywords: tbb-7.0-must added

comment:2 Changed 2 years ago by gk

Keywords: TorBrowserTeam201703 added

Getting those tickets on our March radar as well.

comment:3 Changed 2 years ago by gk

Keywords: TorBrowserTeam201704 added; TorBrowserTeam201703 removed

Moving tickets over to April

comment:4 Changed 2 years ago by gk

Keywords: tbb-7.0-must-alpha added; tbb-7.0-must removed

Getting this on our radar for alpha release in less than two weeks.

comment:5 Changed 2 years ago by gk

Keywords: GeorgKoppen201704 added

Putting tickets on my plate for the alpha.

comment:6 Changed 2 years ago by arthuredelstein

Is it just a matter of running our tbb-tests as soon as we switched to ESR52? Or can and should we do more?

The old tbb-tests aren't compatible with the new first-party isolation patches, but they were all uplifted and adapted by Jonathan and Tim. So we can be reasonably confident isolation is working. It would be good, however, to run some manual tests to make sure they work as we expect.

comment:7 Changed 2 years ago by gk

Keywords: TorBrowserTeam201705 added; TorBrowserTeam201704 removed

Moving our tickets to May 2017.

comment:8 Changed 2 years ago by gk

Keywords: GeorgKoppen201705 added; GeorgKoppen201704 removed

Moving my tickets to May.

comment:9 Changed 2 years ago by gk

Keywords: tbb-7.0-must added; tbb-7.0-must-alpha removed

We are beyond the alpha testing. Moving tickets for tbb-7.0-must.

comment:10 Changed 2 years ago by gk

Priority: MediumHigh

Raising prio.

comment:11 Changed 2 years ago by gk

Owner: changed from tbb-team to gk
Status: newassigned

comment:12 Changed 2 years ago by gk

Looking at tbb-linkability and doing some testing we have #18703 and #16983 affecting 7.0a4

comment:13 Changed 2 years ago by gk

#18703 is addressed by the patch for #22327 it seems.

comment:14 Changed 2 years ago by gk

Resolution: fixed
Status: assignedclosed

I've been looking at my log output over the last weeks and did not find any additional issues so far that are esr52-only ones and can be reproduced. Thus, we are done here.

comment:15 Changed 2 years ago by gk

(The open issue in comment:12 is noted in #21762 which is specifically for favicon isolation issues.)

comment:16 Changed 2 years ago by cypherpunks

So that every "Save as..." in context menu is going through catch-all circuit is OK for you?

comment:17 Changed 2 years ago by cypherpunks

[05-23 14:38:23] Torbutton INFO: tor SOCKS: https://secure.informaction.com/download/betas/noscript-5.0.4rc3.xpi via
                       --unknown--:0e238a0217adfcd384c6d8f9ccf6bb95

is not so big problem, as it is behind a permission prompt and also ends with

1495550309400	addons.xpi	WARN	Download of https://secure.informaction.com/download/betas/noscript-5.0.4rc3.xpi failed: [Exception... "Certificate issuer is not built-in."  nsresult: "0x80004004 (NS_ERROR_ABORT)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: checkCert :: line 171"  data: no] Stack trace: checkCert()@resource://gre/modules/CertUtils.jsm:171 < onStopRequest()@resource://gre/modules/addons/XPIProvider.jsm:6547

comment:18 in reply to:  16 Changed 2 years ago by gk

Replying to cypherpunks:

So that every "Save as..." in context menu is going through catch-all circuit is OK for you?

No. That's #22343, thanks.

comment:19 in reply to:  17 ; Changed 2 years ago by gk

Replying to cypherpunks:

[05-23 14:38:23] Torbutton INFO: tor SOCKS: https://secure.informaction.com/download/betas/noscript-5.0.4rc3.xpi via
                       --unknown--:0e238a0217adfcd384c6d8f9ccf6bb95

is not so big problem, as it is behind a permission prompt and also ends with

1495550309400	addons.xpi	WARN	Download of https://secure.informaction.com/download/betas/noscript-5.0.4rc3.xpi failed: [Exception... "Certificate issuer is not built-in."  nsresult: "0x80004004 (NS_ERROR_ABORT)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: checkCert :: line 171"  data: no] Stack trace: checkCert()@resource://gre/modules/CertUtils.jsm:171 < onStopRequest()@resource://gre/modules/addons/XPIProvider.jsm:6547

Extension updates go over the catch-all circuit, yes. This is okay for now I think.

comment:20 in reply to:  19 Changed 2 years ago by cypherpunks

Replying to gk:

Replying to cypherpunks:

[05-23 14:38:23] Torbutton INFO: tor SOCKS: https://secure.informaction.com/download/betas/noscript-5.0.4rc3.xpi via
                       --unknown--:0e238a0217adfcd384c6d8f9ccf6bb95

is not so big problem, as it is behind a permission prompt and also ends with

1495550309400	addons.xpi	WARN	Download of https://secure.informaction.com/download/betas/noscript-5.0.4rc3.xpi failed: [Exception... "Certificate issuer is not built-in."  nsresult: "0x80004004 (NS_ERROR_ABORT)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: checkCert :: line 171"  data: no] Stack trace: checkCert()@resource://gre/modules/CertUtils.jsm:171 < onStopRequest()@resource://gre/modules/addons/XPIProvider.jsm:6547

Extension updates go over the catch-all circuit, yes. This is okay for now I think.

Even via direct link ;)
Also we hope that those and other "system" catch-all circuits works via parent process is not a news for you.

Note: See TracTickets for help on using tickets.