Make tor:// urls safe (and enable them by default)
tor:// urls are not safe. It is currently possible to cause Torbutton to recognize any arbitrary content element with tor:// url and ask the user if they want to toggle into tor. There appears to be no way to use the Firefox APIs to determine if such a load was actually due to the url bar. The Protocol handlers that listen for tor:// are actually called before any listeners involving the url bar are called, and accessing the url bar itself appears to return the previous URL, at least in FF 3.x.
By default, Torbutton still asks the user if they want to toggle, but even this question can be used as a timing attack to determine that Torbutton is installed, which violates our security requirements: https://www.torproject.org/torbutton/en/design/#requirements
Credit to discovering this goes to "egypt" of the metasploit team: https://twitter.com/egyp7/status/26023995288
Until either the APIs improve, or we find a side channel inside Firefox that allows us to fix this and observe the URL bar contents and block non-urlbar requests automatically, we need to leave tor:// urls off by default.