Opened 9 months ago

Closed 2 months ago

Last modified 6 weeks ago

#24243 closed defect (fixed)

Tor Browser only render HTML for local pages via file://, no images/CSS

Reported by: anonym Owned by: tbb-team
Priority: Medium Milestone: Tor: unspecified
Component: Applications/Tor Browser Version: Tor: unspecified
Severity: Normal Keywords: AffectsTails
Cc: sajolida Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by arma)

In Tor Browser 7.0.10 (and earlier too, see below), if I open a local page via file:// only the HTML is rendered, but images are broken and CSS isn't applied at all. For Tails this breaks several important features, like reading the local copy of the documentation (e.g. when offline) and the start page for our Unsafe Browser.

This breakage started earlier, and it is a bit "interesting":

  • Tor Browser 7.0.7 is the last ok release (both images and CSS loads).
  • Tor Browser 7.0.7 -> 7.0.8 only upgrades Torbutton 1.9.7.8 -> 1.9.7.9 which only updates some translations + fixups on the donation banner. That is somehow enough to break images on local pages (but CSS is still fine). Disabling Torbutton makes the images work again.
  • Tor Browser 7.0.8 -> 7.0.9 only fixes #24052 ("Streamline handling of file:// resources") which breaks both images and CSS. I say "both" despite the previous bullet indicating that Torbutton is responsible for breaking images, because disabling Torbutton no longer fixes image loading in this version. So it indeed seems that the fix for #24052 alone breaks both CSS and images.

Child Tickets

Attachments (1)

local-css-inline-tb.png (11.2 KB) - added by cypherpunks 5 months ago.

Download all attachments as: .zip

Change History (22)

comment:1 Changed 9 months ago by arma

Description: modified (diff)

(fixing a mistyped ticket number)

comment:2 Changed 9 months ago by sajolida

Cc: sajolida added

comment:3 Changed 9 months ago by gk

Which file(s) could/should I use to test and investigate that?

Last edited 9 months ago by gk (previous) (diff)

comment:4 in reply to:  3 Changed 9 months ago by gk

Replying to gk:

Which file(s) could/should I use to test and investigate that?

Right now I am interested in understanding the Torbutton issue. The impact of #24052 is pretty clear to me.

comment:5 Changed 9 months ago by sajolida

I'm also severly affected by that as I work on the Tails website from Tails itself: I build a local copy of the website and test my changes on file:// before pushing them on the production website.

But I have a workaround for now which is to fallback on Firefox ESR for browsing file:// URLs.

I also noticed that the links between pages are broken as well: clicking on them as no effect.

To test this, if you have access to Tails, you can browse the embedded version of our website:

file:///usr/share/doc/tails/website/index.en.html

Otherwise, save your favorite web page locally (Right-click on the page and Save Page As) and open it back with Tor Browser (Ctrl+O and open the page that you saved).

In both cases these pages will appear as raw HTML with no CSS, images, or JS and broken links.

comment:6 Changed 9 months ago by Molly

This is not just a problem in Tails. I'm experiencing the same problem in Debian Stretch and Tor 7.09. Example web app that is unusable from file:// is bip32.github.io. This is a client-side javascript app that should really only be run locally because it exposes bitcoin private keys.

comment:7 Changed 8 months ago by xerix32

Version 7.0.11 on my mac is affected too, I think is very silly problem, is planned to be resolved? Any simple workaround? I'm using scarpbook and it's pretty impossibile to handle file on my disk... :(

comment:8 Changed 5 months ago by sajolida

We fixed the most important regression introduced by this bug in Tails by opening the "Tails documentation" launcher on our desktop on the production website instead of offline when people are connected to Tor. But we're still affected in other ways:

  • The homepage of our Unsafe Browser (used to connect to captive portal) is not translated anymore.
  • We used Yelp to browser our documentation when offline but it's not as good as a real browser.
  • Contributors working from Tails can't use Tor Browser anymore to work on our website (for example, trnaslators).

So yep, we're interested in knowing if this bug is planned to be fixed. Even if there's no real hurry...

comment:9 Changed 5 months ago by cypherpunks

IIRC using inline CSS (i.e. internal style sheet <style>...</style>) works, so why not try that? :)

comment:10 in reply to:  8 Changed 5 months ago by gk

Replying to sajolida:

We fixed the most important regression introduced by this bug in Tails by opening the "Tails documentation" launcher on our desktop on the production website instead of offline when people are connected to Tor. But we're still affected in other ways:

  • The homepage of our Unsafe Browser (used to connect to captive portal) is not translated anymore.
  • We used Yelp to browser our documentation when offline but it's not as good as a real browser.
  • Contributors working from Tails can't use Tor Browser anymore to work on our website (for example, trnaslators).

So yep, we're interested in knowing if this bug is planned to be fixed. Even if there's no real hurry...

Sure, it is planned but we need help from Mozilla with that one because this is a code area that seems to be prone to open up security holes...

comment:11 in reply to:  9 Changed 5 months ago by cypherpunks

Replying to cypherpunks:

IIRC using inline CSS (i.e. internal style sheet <style>...</style>) works, so why not try that? :)

I can confirm this, here's a test .html for that:

<html>
<style>
@keyframes bouncing-loader {
  from {
    opacity: 1;
    transform: translateY(0);
  }
  to {
    opacity: 0.1;
    transform: translateY(-3rem);
  }
}
.bouncing-loader {
  display: flex;
  justify-content: center;
}
.bouncing-loader > div {
  width: 2rem;
  height: 2rem;
  margin: 3rem 0.2rem;
  background: #4185aa;
  border-radius: 50%;
  animation: bouncing-loader 0.2s infinite alternate;
}
.bouncing-loader > div:nth-child(2) {
  animation-delay: 0.2s;
}
.bouncing-loader > div:nth-child(3) {
  animation-delay: 0.4s;
}
.bouncing-loader > div:nth-child(4) {
  animation-delay: 0.6s;
}
.bouncing-loader > div:nth-child(5) {
  animation-delay: 0.8s;
}
.bouncing-loader > div:nth-child(6) {
  animation-delay: 1s;
}
.bouncing-loader > div:nth-child(7) {
  animation-delay: 1.2s;
}
.bouncing-loader > div:nth-child(8) {
  animation-delay: 1.4s;
}
.bouncing-loader > div:nth-child(9) {
  animation-delay: 1.6s;
}
.bouncing-loader > div:nth-child(10) {
  animation-delay: 1.8s;
}
.bouncing-loader > div:nth-child(11) {
  animation-delay: 2s;
}
.bouncing-loader > div:nth-child(12) {
  animation-delay: 2.2s;
}
.bouncing-loader > div:nth-child(7) {
  animation-delay: 1.2s;
}


</style>

<body>
<div class="bouncing-loader">
  <div></div>
  <div></div>
  <div></div>
  <div></div>
  <div></div>
  <div></div>
  <div></div>
  <div></div>
  <div></div>
  <div></div>
  <div></div>
  <div></div>
</div>
</body>
</html>


Changed 5 months ago by cypherpunks

Attachment: local-css-inline-tb.png added

comment:12 Changed 5 months ago by sajolida

Amazing gk! Thanks for the update :)

comment:13 Changed 5 months ago by ilf

Also affected by this (TBB 7.3.5, non-Tails).

Using inline CSS might be a workaround for local files you control (and invest the ressources to change). But there are other use-cases for local files, where this workaround is not feasable.

F.e. a local output of munin, which is now unusable in TBB. :(

comment:14 Changed 2 months ago by gk

Resolution: fixed
Status: newclosed

This should be fixed in Tor Browser 8.0a9.

comment:15 in reply to:  14 Changed 2 months ago by TorUser9999

Replying to gk:

This should be fixed in Tor Browser 8.0a9.

I just installed Tails, and I couldn't load My Ether Wallet JS, using the Tails TOR. It comes with TOR 7.5.5. Tor

comment:16 Changed 2 months ago by TorUser9999

Milestone: Tor: unspecified
Resolution: fixed
Status: closedreopened
Version: Tor: unspecified

comment:17 Changed 2 months ago by gk

Resolution: fixed
Status: reopenedclosed

Yes, which is why I wrote "8.0a9" and not "7.5.5".

Last edited 2 months ago by gk (previous) (diff)

comment:18 Changed 7 weeks ago by intrigeri

I confirm this is fixed with 8.0a9 in Tails :)

comment:19 Changed 6 weeks ago by penington

This is affecting me too, using the version of Tor browser that is currently bundled in the latest release of Tails. When will the patched version of Tor be included with Tails? If it is a long way out, can someone please provide step-by-step directions to getting a proper version of Tor browser up and running in Tails? Thanks.

comment:20 Changed 6 weeks ago by penington

It would be nice if the unsafe browser could be used as a workaround, but the unsafe browser doesn't work at all when the computer is offline. Is that intentional? It seems like a bug to require connectivity to view a local webpage in the unsafe browser.

comment:21 Changed 6 weeks ago by boklm

The first stable release of Tor Browser 8.0 (fixing this bug) is planned for September 5.

Note: See TracTickets for help on using tickets.