Tor Browser 13.0

Tor Browser 13.0 - October 12 2023

* All Platforms
* Updated tor to 0.4.8.7
* Updated OpenSSL to 3.0.11
* Bug 40050: FF103 Audit [tor-browser-spec]
* Bug 40051: FF104 Audit [tor-browser-spec]
* Bug 40052: FF105 Audit [tor-browser-spec]
* Bug 40053: FF106 Audit [tor-browser-spec]
* Bug 40054: FF107 Audit [tor-browser-spec]
* Bug 40055: FF108 Audit [tor-browser-spec]
* Bug 40056: FF109 Audit [tor-browser-spec]
* Bug 40057: FF110 Audit [tor-browser-spec]
* Bug 40058: FF111 Audit [tor-browser-spec]
* Bug 40059: FF112 Audit [tor-browser-spec]
* Bug 40060: FF113 Audit [tor-browser-spec]
* Bug 40061: FF114 Audit [tor-browser-spec]
* Bug 40062: FF115 Audit [tor-browser-spec]
* Bug 26277: When "Safest" setting is enabled searching using duckduckgo should always use the Non-Javascript site for searches [tor-browser]
* Bug 40577: Add "suggest url" in DDG onion's manifest [tor-browser]
* Bug 40938: Migrate remaining torbutton functionality to tor-browser [tor-browser]
* Bug 41092: Enable tracking query parameters stripping [tor-browser]
* Bug 41327: Disable UrlbarProviderInterventions [tor-browser]
* Bug 41399: Update Mozilla's patch for Bug 1675054 to enable brotli encoding for HTTP onions as well [tor-browser]
* Bug 41477: Review some extensions.* preferences [tor-browser]
* Bug 41496: Review 000-tor-browser.js and 001-base-profile.js for 115 [tor-browser]
* Bug 41576: ESR115: ensure no remote calls for weather & addon suggestions [tor-browser]
* Bug 41605: Remove unused assets from torbutton (preferences-mobile.css) [tor-browser]
* Bug 41675: Remove javascript.options.large_arraybuffers [tor-browser]
* Bug 41727: WebRTC privacy-hardening settings [tor-browser]
* Bug 41740: ESR115: change devicePixelRatio spoof to 2 in alpha for testing [tor-browser]
* Bug 41752: Review changes done by Bug 41565 [tor-browser]
* Bug 41796: Rebase Tor Browser to Firefox 115 [tor-browser]
* Bug 41797: Lock RFP in release builds [tor-browser]
* Bug 41934: Websocket raises DOMException on http onions in 13.0a1 [tor-browser]
* Bug 41936: Review Mozilla 1770158: Use double-conversion library instead of dtoa for string-to-double conversion [tor-browser]
* Bug 41937: Review Mozilla 1780014: Add specific telemetry for conservative and first-try handshakes [tor-browser]
* Bug 41938: Review Mozilla 1769994: On systems with IPv6 preferred DNS resolution clients will fail to connect when "localhost" is used as host for the WebSocket server [tor-browser]
* Bug 41939: Review Mozilla 1728871: Support fetching data from Remote Setting [tor-browser]
* Bug 41941: Review Mozilla 1775254: Improve Math.pow accuracy for large exponents [tor-browser]
* Bug 41943: Lock javascript.options.spectre.disable_for_isolated_content to false [tor-browser]
* Bug 41945: Review Mozilla 1783019: Add a cookie banner service to automatically handle website cookie banners [tor-browser]
* Bug 41946: Review Mozilla 1782579: Add a locale parameter to the text recognition API [tor-browser]
* Bug 41947: Review Mozilla 1779005: Broken since Firefox 102.0: no instant fallback to direct connection when proxy became unreachable while runtime [tor-browser]
* Bug 41950: Review Mozilla 1788668: Add the possibility to check that the clipboard contains some pdfjs stuff [tor-browser]
* Bug 41951: Review Mozilla 1790681: Enable separatePrivateDefault by default [tor-browser]
* Bug 41959: Review Mozilla 1795944: Remove descriptionheightworkaround [tor-browser]
* Bug 41960: Review Mozilla 1797896: Proxy environment variables should be upper case / case insensitive [tor-browser]
* Bug 41961: Review Mozilla 1798868: Hide cookie banner handling UI by default [tor-browser]
* Bug 41969: Review Mozilla 1746983: Re-enable pingsender2 [tor-browser]
* Bug 41970: Review Mozilla 17909270: WebRTC bypasses Network settings & proxy.onRequest [tor-browser]
* Bug 41984: Rename languageNotification.ftl to base-browser.ftl [tor-browser]
* Bug 42013: Review Mozilla 1834374: Do not call EmptyClipboard() in nsBaseClipboard destructor [tor-browser]
* Bug 42014: Review Mozilla 1832791: Implement a Remote Settings for the Quarantined Domains pref [tor-browser]
* Bug 42015: Review Mozilla 1830890: Keep a history window of WebRTC stats for about:webrtc [tor-browser]
* Bug 42019: Empty browser's clipboard on browser shutdown [tor-browser]
* Bug 42026: Disable cookie banner service and UI. [tor-browser]
* Bug 42029: Defense-in-depth: disable non-proxied UDP WebRTC [tor-browser]
* Bug 42034: aboutTBUpdate.dtd is duplicated [tor-browser]
* Bug 42043: Disable gUM: media.devices.enumerate.legacy.enabled [tor-browser]
* Bug 42061: Move the alpha update channel creation to a commit on its own [tor-browser]
* Bug 42084: Race condition with language preferences may make spoof_english ineffective [tor-browser]
* Bug 42085: NEWNYM signal missing on Whonix [tor-browser]
* Bug 42094: Disable `media.aboutwebrtc.hist.enabled` as security in-depth [tor-browser]
* Bug 42120: Use foursquare as domain front for snowflake [tor-browser]
* Bug 40887: Update Webtunnel version to 38eb5505 [tor-browser-build]
* Windows + macOS + Linux
* Updated Firefox to 115.3.1esr
* Bug 30556: Re-evaluate letterboxing dimension choices [tor-browser]
* Bug 32328: Improve error recovery from the red screen of death [tor-browser]
* Bug 33282: Increase the max width of new windows [tor-browser]
* Bug 33955: Selecting "Copy image" from menu leaks the source URL to the clipboard. This data is often dereferenced by other applications. [tor-browser]
* Bug 40175: Connections in reader mode are not FPI [tor-browser]
* Bug 40982: Cleanup maps in tor-circuit-display [tor-browser]
* Bug 40983: Move not UI-related torbutton.js code to modules [tor-browser]
* Bug 41165: Crash with debug assertions enabled [tor-browser]
* Bug 41333: Modernize Tor Browser's new-tab page (about:tor) [tor-browser]
* Bug 41423: about:tor semantic and accessibility problems [tor-browser]
* Bug 41528: Hard-coded English "based on Mozilla Firefox" appears in version in "About" dialog [tor-browser]
* Bug 41581: ESR115: figure out extension pinning / unified Extensions [tor-browser]
* Bug 41639: Fix the wordmark (title and background) of the "About Tor Browser" window [tor-browser]
* Bug 41642: Do not hide new PBM in the hamburger menu if auto PBM is not enabled [tor-browser]
* Bug 41651: Use moz-toggle in connection preferences [tor-browser]
* Bug 41691: "Firefox Suggest" text appearing in UI [tor-browser]
* Bug 41717: Bookmark toolbar visibility on new tabs is not honored when new tab page is not about:blank [tor-browser]
* Bug 41739: Remove "Website appearance" [tor-browser]
* Bug 41741: Refactor the domain isolator and new circuit [tor-browser]
* Bug 41765: TTP-02-006 WP1: Information leaks via custom homepage (Low) [tor-browser]
* Bug 41766: TTP-02-001 WP1: XSS in TorConnect's captive portal (Info) [tor-browser]
* Bug 41771: Decide what to do for firefoxview [tor-browser]
* Bug 41774: Hide the new "Switching to a new device" help menu item [tor-browser]
* Bug 41791: Copying page contents also puts the source URL on the clipboard [tor-browser]
* Bug 41812: Review layout for XUL elements [tor-browser]
* Bug 41813: Look out for links missing underlines in ESR 115-based alphas [tor-browser]
* Bug 41821: Fix the proxy type in the proxy modal of aboutreferences in 13.0 [tor-browser]
* Bug 41822: The default browser button came back on 115 [tor-browser]
* Bug 41833: Reload extensions on new identity [tor-browser]
* Bug 41834: Hide "Can't Be Removed - learn more" menu line for uninstallable add-ons [tor-browser]
* Bug 41842: Remove the old removal logics from Torbutton [tor-browser]
* Bug 41844: Stop using the control port directly [tor-browser]
* Bug 41845: Stop forcing (bad) pref values for non-PBM users [tor-browser]
* Bug 41852: Review the Tor Check Service UX [tor-browser]
* Bug 41864: TOR_CONTROL_HOST and TOR_SOCKS_HOST do not work as expected when the browser launches tor [tor-browser]
* Bug 41865: Use --text-color-deemphasized rather than --panel-description-color [tor-browser]
* Bug 41874: Visual & A11 regressions in add-on badges [tor-browser]
* Bug 41876: Remove Firefox View from title bar [tor-browser]
* Bug 41877: NoScript seems to be blocking by default in the first 115-based testbuild [tor-browser]
* Bug 41881: Developer tools/Network/New Request remembers requests [tor-browser]
* Bug 41886: Downloads drop-down panel has new-line/line-break between every word in the 'Be careful opening downloads' warning [tor-browser]
* Bug 41904: The log textarea doesn't resize anymore [tor-browser]
* Bug 41906: Hide aboutreferences#privacy > DNS over HTTPS section [tor-browser]
* Bug 41907: The bootstrap is interrupted without any errors if the process becomes ready when already bootstrapping [tor-browser]
* Bug 41912: "Use Current Bridges" is shown for users even when there aren't any current bridges [tor-browser]
* Bug 41922: Unify the bridge line parsers [tor-browser]
* Bug 41923: The path normalization results in warnings [tor-browser]
* Bug 41924: Small refactors for TorProcess [tor-browser]
* Bug 41925: Remove the torbutton startup observer [tor-browser]
* Bug 41926: Refactor the control port client implementation [tor-browser]
* Bug 41931: Regression: new window leaks outer window [tor-browser]
* Bug 41935: Improve new window & letterboxing dimensions [tor-browser]
* Bug 41940: Review Mozilla 1739348: When a filetype is set to "always ask" and the user makes a save/open choice in the dialog, we should not also open the downloads panel [tor-browser]
* Bug 41949: Review Mozilla 1782578: Implement a context menu modal for text recognition [tor-browser]
* Bug 41954: Inputs in the request a bridge dialog are cut-off in 13.0 alpha [tor-browser]
* Bug 41957: Revert to Fx's default identity block style for internal pages [tor-browser]
* Bug 41958: Console error when closing tor browser with aboutreferences open [tor-browser]
* Bug 41964: `emojiAnnotations` not defined in time in connection preferences [tor-browser]
* Bug 41965: TorConnect error when opening browser tools [tor-browser]
* Bug 41971: Update Tails URL in downloads warning [tor-browser]
* Bug 41973: Custom wingpanels don't line up with their toolbar icons in 13.0 alpha [tor-browser]
* Bug 41974: De-emphasized text in custom components is no longer gray in 13.0 alpha [tor-browser]
* Bug 41975: Downloads warning text too narrow in 13.0 alpha [tor-browser]
* Bug 41976: Bottom padding on collapsed bridge cards has increased in 13.0 alpha [tor-browser]
* Bug 41977: Hide the "Learn more" link in bridge cards [tor-browser]
* Bug 41980: Circuit display headline is misaligned in 13.0 alpha [tor-browser]
* Bug 41981: Review Mozilla 1800675: Add aboutreferences entry for cookie banner handling [tor-browser]
* Bug 41983: Review Mozilla 1770447: Create a reusable "support-link" widget [tor-browser]
* Bug 41986: Fix the control port password handling [tor-browser]
* Bug 41994: CSS (and other assets) of some websites blocked in 13.0 alpha [tor-browser]
* Bug 42022: Prevent extension search engines from breaking the whole search system [tor-browser]
* Bug 42027: Create a Base Browser version of migrateUI [tor-browser]
* Bug 42037: Disable about:firefoxview [tor-browser]
* Bug 42041: TBB --allow-remote mixes up with plain Firefox [tor-browser]
* Bug 42045: Circuit panel overflows with long ipv6 addresses [tor-browser]
* Bug 42046: Remove XUL layout hacks from base browser [tor-browser]
* Bug 42047: Remove layout hacks from tor browser preferences [tor-browser]
* Bug 42050: Bring back Save As... dialog as default [tor-browser]
* Bug 42073: Add simplified onion pattern to the new homepage [tor-browser]
* Bug 42075: Fix link spacing and underline on new homepage [tor-browser]
* Bug 42079: TorConnect: handle switching from Bootstrapped to Configuring state [tor-browser]
* Bug 42083: RemoteSecuritySettings.init throws error in console [tor-browser]
* Bug 42091: Onion authorization prompt overflows [tor-browser]
* Bug 42092: Onion services key table display problems. [tor-browser]
* Bug 42098: Implement Windows installer icons [tor-browser]
* Bug 42100: Connect Assist dropdown text not centered [tor-browser]
* Bug 42102: TorProcess says the SOCKS port is not valid even though it is [tor-browser]
* Bug 42109: Onion services keys table has empty column headers. [tor-browser]
* Bug 42110: Add a utility module for shared UI methods needed for several tor browser components [tor-browser]
* Bug 42126: moat and connect assist broken for people who can't reach domain front [tor-browser]
* Bug 42129: Disable the Tor restart prompt if shouldStartAndOwnTor is false [tor-browser]
* Bug 42131: Tor Browser 13.0a5 does not track circuits created before Tor Browser started [tor-browser]
* Bug 42132: The new control port handling in Tor Browser 13 breaks a Tails security feature [tor-browser]
* Bug 42138: Disable apz.overscroll.enabled pref [tor-browser]
* Bug 42155: Drop the unused code for the old bridge removal warning [tor-browser]
* Bug 42159: Responsive Design Mode not working correctly [tor-browser]
* Bug 42160: Allow specifying a TOR_PROVIDER=none to configure only the proxy settings during the TorProviderBuilder initialization [tor-browser]
* Bug 42166: New identity dialog missing accessible name [tor-browser]
* Bug 42167: Make the preference auto-focus more reliable [tor-browser]
* Bug 40821: The update details URL is wrong in alphas [tor-browser-build]
* Bug 40893: Update (Noto) fonts for 13.0 [tor-browser-build]
* Bug 40924: Customize MOZ_APP_REMOTINGNAME instead of passing --name and --class [tor-browser-build]
* Bug 40938: Copy the new tor-browser.ftl file to the appropriate directory [tor-browser-build]
* Windows + Android
* Bug 40930: Upate zlib to 1.3 after 13.0a3 [tor-browser-build]
* Windows
* Bug 40737: Revert backout of Mozilla's fix for bug 1724777 [tor-browser]
* Bug 41658: Create new installer icons for Windows [tor-browser]
* Bug 41798: Stop building private_browsing.exe on Windows [tor-browser]
* Bug 41806: Prevent Private Browsing start menu item to be added automatically [tor-browser]
* Bug 41942: Review Mozilla 1682520: Use the WER runtime exception module to catch early crashes [tor-browser]
* Bug 41944: Review Mozilla 1774083: Add Surrogate COM Server to handle native Windows notifications when Firefox is closed. [tor-browser]
* Bug 42008: Review Mozilla 1808146: Copying images from Pixiv and pasting them in certain programs is broken [tor-browser]
* Bug 42010: Review Mozilla 1810641: Enable overscroll on Windows on all channels [tor-browser]
* Bug 42087: Implement Windows application icons [tor-browser]
* Bug 40954: Implement Windows installer icons [tor-browser-build]
* macOS
* Bug 41948: Review Mozilla 1782981: Hide the text recognition context menu if the macOS version doesn't support APIs [tor-browser]
* Bug 41955: Update macOS volume window background [tor-browser]
* Bug 41982: Review Mozilla 1762392: Add Cocoa platform support for paste files [tor-browser]
* Bug 42057: Disable Platform text-recognition functionality [tor-browser]
* Bug 42078: Implement MacOS application icons [tor-browser]
* Bug 42147: Add browser.helperApps.deleteTempFileOnExit to our profile [tor-browser]
* Linux
* Bug 41509: After update, KDE Plasma identifies Tor Browser Nightly window group as "firefox-nightly" [tor-browser]
* Bug 41884: Linux: set browser.tabs.searchclipboardfor.middleclick to false [tor-browser]
* Bug 42088: Implement Linux application icons [tor-browser]
* Bug 40576: Fontconfig warning: remove 'blank' configuration [tor-browser-build]
* Android
* Updated GeckoView to 115.3.1esr
* Bug 41878: firefox-mobile: refactor tor bootstrap off deleted onboarding path [tor-browser]
* Bug 41882: Update DuckDuckGo icons [tor-browser]
* Bug 41911: Firefox-Android tor bootstrap connect button css broken [tor-browser]
* Bug 41928: Backport Android-specific security fixes from Firefox 116 to ESR 102.14 / 115.1 - based Tor Browser [tor-browser]
* Bug 41972: Disable Firefox onboarding in 13.0 [tor-browser]
* Bug 41990: Review Mozilla 1811531: Add 'site' query parameter to Pocket sponsored stories request [tor-browser]
* Bug 41991: Review Mozilla 1812518: Allow a custom View for 3rd party downloads [tor-browser]
* Bug 41993: Review Mozilla 1810761: Add API for saving a PDF [tor-browser]
* Bug 41996: App includes com.google.android.gms.permission.AD_ID permission [tor-browser]
* Bug 41997: com.adjust.sdk.Adjust library enables AD_ID permission even though we aren't using it [tor-browser]
* Bug 41999: TB13.0a2 android: center text on connect button [tor-browser]
* Bug 42001: Hide 'Open links in external app' settings option and force defaults [tor-browser]
* Bug 42002: Review Mozilla 1809305: Allow user to copy an image to the clipboard [tor-browser]
* Bug 42003: Review Mozilla 1819431: Reimplement default browser notification with Nimbus Messaging equivalent [tor-browser]
* Bug 42004: Review Mozilla 1818015: Use a custom tab or the view we use for Sync onboarding for the Privacy button [tor-browser]
* Bug 42005: Review Mozilla 1816932: Add Maps to app links common sub domains [tor-browser]
* Bug 42006: Review Mozilla 1817726: Allow sharing current tab URL from Android's Recents (App Overview) screen. [tor-browser]
* Bug 42007: Review Mozilla 1805450: Allow users to submit site support requests in Fenix [tor-browser]
* Bug 42012: Review Mozilla 1810629: add an Android shortcut to go straight to the login and passwords page [tor-browser]
* Bug 42016: Review Mozilla 1832069: Implement Google Play Referrer Library to fetch referrer URL [tor-browser]
* Bug 42018: Rebase Firefox for Android to 115.2.1 [tor-browser]
* Bug 42023: Remove FF what's new from Android [tor-browser]
* Bug 42038: TBA Alpha - inscriptions Tor Browser Alpha and FireFox Browser simultaneously on the start screen [tor-browser]
* Bug 42074: YEC 2023 Takeover for Android Stable [tor-browser]
* Bug 42076: Theme is visible in options, but shouldn't be [tor-browser]
* Bug 42089: Disable the Cookie Banner Reduction site support requests (Mozilla 1805450) [tor-browser]
* Bug 42114: Disable Allow sharing current tab URL from Android's Recents screen in private browsing mode [tor-browser]
* Bug 42115: Enhanced Tracking Protection can still be enabled [tor-browser]
* Bug 42122: playstore console crashes: java.lang.NoSuchMethodError [tor-browser]
* Bug 42133: Remove "Total Cookie Protection" popup [tor-browser]
* Bug 42134: Remove Android icon shortcuts [tor-browser]
* Bug 42156: Screenshot allowing still blocks homescreen (android) [tor-browser]
* Bug 42157: Fix Help button URL [tor-browser]
* Bug 42165: Remove "Add to shortcuts" and "Remove from shortcuts" buttons [tor-browser]
* Bug 42158: Remove "Customize Homepage" button [tor-browser]
* Bug 40740: Tor Browser for Android's snowflake ClientTransportPlugin seems to be out of date [tor-browser-build]
* Bug 40919: Fix nimbus-fml reproducibility of 13.0a2-build1 [tor-browser-build]
* Bug 40941: Remove PT process options on Android [tor-browser-build]
* Build System
* All Platforms
* Updated Go to 1.21.1
* Bug 42130: Add support for specifying the branch in `tb-dev rebase-on-default` [tor-browser]
* Bug 31588: Be smarter about vendoring for Rust projects [tor-browser-build]
* Bug 40089: Clean up usage of get-moz-build-date script [tor-browser-build]
* Bug 40410: Get rid of python2 [tor-browser-build]
* Bug 40487: Bump Python version [tor-browser-build]
* Bug 40741: Update browser and tor-android-service projects to pull data from pt_config.json [tor-browser-build]
* Bug 40802: Drop the patch for making WASI reproducible [tor-browser-build]
* Bug 40829: Review and standardize naming scheme for browser installer/package artifacts [tor-browser-build]
* Bug 40854: Update to OpenSSL 3.0 [tor-browser-build]
* Bug 40855: Update toolchains for Mozilla 115 [tor-browser-build]
* Bug 40868: Bump Rust to 1.69.0 [tor-browser-build]
* Bug 40880: The README doesn't include some dependencies needed for building incrementals [tor-browser-build]
* Bug 40886: Update README with instructions for Arch linux [tor-browser-build]
* Bug 40898: Add doc from tor-browser-spec/processes/ReleaseProcess to gitlab issue templates [tor-browser-build]
* Bug 40908: Enable the --enable-gpl config flag in tor to bring in PoW functionality [tor-browser-build]
* Bug 40929: Update go to 1.21 series after 13.0a3 [tor-browser-build]
* Bug 40932: Remove appname_bundle_android, appname_bundle_macos, appname_bundle_linux, appname_bundle_win32, appname_bundle_win64 from projects/release/update_responses_config.yml [tor-browser-build]
* Bug 40935: Fix fallout from build target rename in signing scripts [tor-browser-build]
* Bug 40948: Remove lyrebird-vendor sha256sum in nightly [tor-browser-build]
* Bug 40957: Expired subkey warning on Tor Browser GPG verification [tor-browser-build]
* Bug 40972: Handle Mullvad Browser in the changelog script and group entries by project [tor-browser-build]
* Windows + macOS + Linux
* Bug 41967: Add a Makefile recipe to create multi-lingual dev builds [tor-browser]
* Bug 40149: Remove patching of nightly update URL [tor-browser-build]
* Bug 40615: Consider adding a readme to the fonts directory [tor-browser-build]
* Bug 40907: Sometimes debug information are not deterministic with Clang 16.0.4 [tor-browser-build]
* Bug 40922: Use base-browser.ftl instead of languageNotification.ftl [tor-browser-build]
* Bug 40931: Fix incrementals after tor-browser-build#40829 [tor-browser-build]
* Bug 40933: Fix generating incrementals between 12.5.x and 13.0 [tor-browser-build]
* Bug 40942: Use the branch to build Base Browser [tor-browser-build]
* Bug 40944: After #40931, updates_responses is using incremental.mar files as if they were non-incremental mar files [tor-browser-build]
* Bug 40947: Remove migrate_langs from tools/signing/nightly/update-responses-base-config.yml [tor-browser-build]
* Bug 40956: Allow testing the updater also with release and alpha channel [tor-browser-build]
* Windows
* Bug 41995: Generated headers on Windows aren't reproducible [tor-browser]
* Bug 40832: Unify mingw-w64-clang 32+64 bits [tor-browser-build]
* Bug 40940: Change position of the `install|portable` in the builds filenames [tor-browser-build]
* macOS
* Bug 42035: Update tools/torbrowser/ scripts to support macOS dev environment [tor-browser]
* Bug 40943: Update libdmg-hfsplus to include our uplifted patch [tor-browser-build]
* Bug 40951: Firefox fails to build for macOS after tor-browser-build#40938 [tor-browser-build]
* Linux
* Bug 42071: tor-browser deployed format changed breaking fetch.sh [tor-browser]
* Bug 40102: Move from Debian Jessie to Debian Stretch for our Linux builds [tor-browser-build]
* Bug 40971: Stop shipping Linux i686 debug archive until we actually produce the symbols [tor-browser-build]
* Android
* Bug 41899: Use LLD for Android [tor-browser]
* Bug 40867: Create a RBM project for the unified Android repository [tor-browser-build]
* Bug 40917: Remove the uniffi-rs project [tor-browser-build]
* Bug 40918: The commit hash is still not displayed about:buildconfig on Android [tor-browser-build]
* Bug 40920: Non-deterministic generation of baseline.profm file in Android apks [tor-browser-build]
* Bug 40963: Tor Browesr 13.0 torbrowser-testbuild-android* targets fail to build [tor-browser-build]
* Bug 40974: firefox-android fails to build in release [tor-browser-build]

Tor Browser 12.5.6 - September 29 2023

* All Platforms
* Bug 42135: Backport security fixes from Firefox 115.3.1 to 102.15.1 [tor-browser]
* Build System
* All Platforms
* Bug 40957: Update subkey expiration date for Tor Browser gpg key [tor-browser-build]

Tor Browser 12.5.5 - September 25 2023

* All Platforms
* Updated tor to 0.4.7.15
* Updated NoScript to 11.4.27
* Updated Translations
* Bug 42120: Use foursquare as domain front for snowflake [tor-browser]
* Bug 42123: Backport security fixes from Firefox 118 to ESR 102.15 / 115.3 - based Tor Browser [tor-browser]
* Windows + macOS + Linux
* Bug 42126: moat and connect assist broken for people who can't reach domain front [tor-browser]

Tor Browser 12.5.4 - September 12 2023

• All Platforms
  • Updated Translations
  • Updated OpenSSL to 1.1.1w
  • Bug 42084: Race condition with language preferences may make spoof_english ineffective [tor-browser]
  • Bug 42090: Rebase release onto 102.15.1esr [tor-browser]
• Windows + macOS + Linux
  • Updated Firefox to 102.15.1esr
• Android
  • Updated GeckoView to 102.15.1esr
• Build System
  • All Platforms
    • Updated Go to 1.20.8

Tor Browser 12.5.3 - August 28 2023

* All Platforms
* Updated Translations
* Updated OpenSSL to 1.1.1v
* Bug 42033: Rebase the releases onto 102.15.0esr [tor-browser]
* Bug 42053: Backport security fixes from Firefox 117 to ESR 102.15 - based Tor Browser [tor-browser]
* Windows + macOS + Linux
* Updated Firefox to 102.15.0esr
* Android
* Updated GeckoView to 102.15.0esr
* Build System
* All Platforms
* Updated Go to 1.20.7
* Bug 40740: Tor Browser for Android's snowflake ClientTransportPlugin seems to be out of date [tor-browser-build]
* Bug 40786: deploy_update_responses-*.sh requires +r permissions to run [tor-browser-build]
* Bug 40905: Go vendor archives ignore the nightly version override on testbuilds [tor-browser-build]
* Bug 40913: add boklm back to list of taggers in relevant projects [tor-browser-build]
* Bug 40921: staticiforme-prepare-cdn-dist-upload uses hardcoded torbrowser path for .htacess file generation [tor-browser-build]

Full changelog​

The full changelog since Tor Browser 12.5.1 is:

• All Platforms
  • Updated Translations
  • Updated NoScript to 11.4.26
  • Bug tor-browser#41908: Rebase stable 12.5 to 102.14esr
• Windows + macOS + Linux
  • Updated Firefox to 102.14.0esr
• Windows
  • Bug tor-browser#41761: xul.dll win crash tor-browser 12.5.1 (based on Mozilla Firefox 102.13.0esr) (64-Bit)
• Android
  • Updated GeckoView to 102.14.0esr
  • Bug tor-browser#41928: Backport Android-specific security fixes from Firefox 116 to ESR 102.14 / 115.1 - based Tor Browser
• Build System
  • All Platforms
    • Updated Go to 1.20.6
    • Bug tor-browser-build#40889: Add mullvad sha256sums URL to tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo
    • Bug tor-browser-build#40894: Fix format of keyring/boklm.gpg
    • Bug tor-browser-build#40909: Add dan_b and ma1 to list of taggers in relevant projects
  • Windows
    • Bug tor-browser-build#31546: Create and expose PDB files for Tor Browser debugging on Windows

The full changelog since Tor Browser 12.5 is:

• All Platforms
  • Updated Translations
  • Updated NoScript to 11.4.24
  • Bug tor-browser#41860: Rebase 12.5 stable to 102.13esr
• Windows + macOS + Linux
  • Updated Firefox to 102.13.0esr
  • Bug tor-browser#41854: Download Spam Protection cannot be overridden to allow legitimate downloads
  • Bug tor-browser#41856: Onion service authorization prompt's key field does not get focus when clicked
  • Bug tor-browser#41858: 'Learn more' link in onboarding links to 12.0 release notes and not 12.5
• Android
  • Updated GeckoView to 102.13.0esr

The full changelog since Tor Browser 12.0.7 is:

• All Platforms
  • Updated Translations
  • Bug tor-browser-build#40353: Re-enable rlbox
  • Bug tor-browser-build#40810: Add Finnish (fi) language support
  • Bug tor-browser#41066: Circuit Isolation should take containers into account
  • Bug tor-browser#41428: Check if we can create our own directories for branding
  • Bug tor-browser#41514: eslint broken since migrating torbutton
  • Bug tor-browser#41568: Disable LaterRun
  • Bug tor-browser#41599: about:networking#networkid should be normalized
  • Bug tor-browser#41624: Disable unused about: pages
  • Bug tor-browser#41635: Disable the Normandy component at compile time
  • Bug tor-browser#41636: Disable back webextension.storage.sync after ensuring NoScript settings won't be lost
  • Bug tor-browser#41647: Turn --enable-base-browser in --with-base-browser-version
  • Bug tor-browser#41662: Disable about:sync-logs
  • Bug tor-browser#41671: Turn media.peerconnection.ice.relay_only to true as defense in depth against WebRTC ICE leaks
  • Bug tor-browser#41689: Remove startup.homepage_override_url from Base Browser
  • Bug tor-browser#41704: Immediately return on remoteSettings.pollChanges
  • Bug tor-browser#41738: Replace the patch to disable live reload with its preference
  • Bug tor-browser#41763: TTP-02-003 WP1: Data URI allows JS execution despite safest security level (Low)
  • Bug tor-browser#41775: Avoid re-defining some macros in nsUpdateDriver.cpp
  • Bug tor-browser#41818: Remove YEC 2022 strings
• Windows + macOS + Linux
  • Bug mullvad-browser#165: Fix maximization warning x button and preference
  • Bug tor-browser#20497: Improve support for non-portable mode
  • Bug tor-browser#33298: HTTP onion sites do not give a popup warning when submitting form data to non-onion HTTP sites
  • Bug tor-browser#40144: aboutrivatebrowsing Firefox branding
  • Bug tor-browser#40347: URL bar lock icon says connection is not secure when on "view-source:.onion" URLs [tor-browser]
  • Bug tor-browser#40552: New texts for the add a bridge manually modal
  • Bug tor-browser#40701: Improve security warning when downloading a file
  • Bug tor-browser-build#40711: Review and expand the stakeholders we communicate major changes to
  • Bug tor-browser-build#40733: Use the new branding directories
  • Bug tor-browser-build#40745: Allow customizing MOZ_APP_BASENAME
  • Bug tor-browser-build#40773: Copy some documentation files only on Tor Browser
  • Bug tor-browser-build#40781: Move translations to new paths
  • Bug tor-browser#40788: Tor Browser 11.0.4-11.0.6 phoning home
  • Bug tor-browser-build#40808: Set update URL for nightly base-browser
  • Bug tor-browser-build#40811: Make testing the updater easier
  • Bug tor-browser-build#40817: Add basebrowser-incrementals-nightly makefile target
  • Bug tor-browser-build#40833: base-browser nightly is using the default channel instead of nightly
  • Bug tor-browser#40958: The number of relays displayed for an onion site can be misleading
  • Bug tor-browser#41038: Update "Click to Copy" button label in circuit display
  • Bug tor-browser#41080: Some users are choosing an adjacent country for circumvention settings
  • Bug tor-browser#41084: Reserve red as a button color for dangerous actions
  • Bug tor-browser#41085: Refactor the UI to remove all bridges
  • Bug tor-browser#41093: Users don't understand the purpose of bridge-moji
  • Bug tor-browser#41109: "New circuit..." button gets cut-off when onion name wraps
  • Bug tor-browser#41350: Move the implementation of Bug 19273 out of Torbutton
  • Bug tor-browser#41351: Move the crypto protection patch earlier in the patchset
  • Bug tor-browser#41363: Crypto warning popup is not screen reader accessible
  • Bug tor-browser#41448: User 'danger' style for primary button in new identity modal
  • Bug tor-browser#41483: Tor Browser says Firefox timed out, confusing users
  • Bug tor-browser#41503: Disable restart in case of reboot and restore in case of crash
  • Bug tor-browser#41521: Improve localization notes
  • Bug tor-browser#41533: Page Info window for view-source:http://...onion addresses says Connection Not Encrypted
  • Bug tor-browser#41540: Confusing build-id date in aboutreferences in alphas
  • Bug tor-browser#41562: API-triggered fullscreen after F11 causes letterboxing to crop the page
  • Bug tor-browser#41577: Disable profile migration
  • Bug tor-browser#41587: Disable the updater for Base Browser
  • Bug tor-browser#41595: Disable pagethumbnails capturing
  • Bug tor-browser#41600: Some users have difficulty finding the circuit display
  • Bug tor-browser#41607: Update "New Circuit" icon
  • Bug tor-browser#41608: Improve the UX of the location bar's connection status
  • Bug tor-browser#41609: Move the disabling of Firefox Home (Activity Stream) to base-browser
  • Bug tor-browser#41613: Skip Drang & Drop filtering for DNS-safe URLs (no hostname, e.g. RFC3966 tel
  • Bug tor-browser#41617: Improve the UX of the built-in bridges dialog
  • Bug tor-browser#41618: Update the iconography used in the status strip in connection settings
  • Bug tor-browser#41623: Update connection assist's iconography
  • Bug tor-browser#41633: Updating from 12.0.2 to 12.0.3 resets NoScript settings
  • Bug tor-browser#41657: Remove --enable-tor-browser-data-outside-app-dir
  • Bug tor-browser#41668: Move part of the updater patches to base browser
  • Bug tor-browser#41686: Move the 'Bug 11641: Disable remoting by default' commit from base-browser to tor-browser
  • Bug tor-browser#41695: Port warning on maximized windows without letterboxing from torbutton
  • Bug tor-browser#41699: Tighten up the tor onion alias regular expression
  • Bug tor-browser#41701: Reporting an extension does not work
  • Bug tor-browser#41702: The connection pill needs to be centered vertically
  • Bug tor-browser#41709: sendCommand should not try to send a command forever
  • Bug tor-browser#41711: Race condition when opening a new window in New Identity
  • Bug tor-browser#41718: Add the external filetype warning to about:downloads
  • Bug tor-browser#41719: Update title and button strings in the new circuit display to sentence case
  • Bug tor-browser#41725: Stray connectionPane.xhtml patch
  • Bug tor-browser#41726: Animate the torconnect icon to transition between connected states
  • Bug tor-browser#41734: Add a 'Connected' flag to indicate which built-in bridge option Tor Browser is currently using
  • Bug tor-browser#41736: Customize the default CustomizableUI toolbar using CustomizableUI.jsm
  • Bug tor-browser#41749: Replace the onion-glyph with dedicated icon for onion services
  • Bug tor-browser#41770: Keyboard navigation broken leaving the toolbar tor circuit button
  • Bug tor-browser#41775: Avoid re-defining some macros in nsUpdateDriver.cpp
  • Bug tor-browser#41785: Network monitor in developer tools shows HTTP onion resources as insecure
  • Bug tor-browser#41792: Drag and Drop protection prevents dragging downloads
  • Bug tor-browser#41800: Add the external filetype warning to Library / Manage Bookmarks
  • Bug tor-browser#41801: Fix handleProcessReady in TorSettings.init
  • Bug tor-browser#41802: Bad regex used to extract transport from bridgeline
  • Bug tor-browser#41810: Add "Connect" buttons to Request Bridge and Provide Bridge modals
  • Bug tor-browser#41816: The top navigation in about:torconnect isn't updated correctly
  • Bug tor-browser#41841: Use the new onion-site.svg icon in the onion-location pill
• Windows + Linux
  • Bug tor-browser-build#40714: Ship NoScript in the distribution directory also for Windows and Linux
  • Bug tor-browser#41654: UpdateInfo jumped into Data
• Windows
  • Bug tor-browser-build#40772: Check and fix HiDPI issues in the NSIS installer
  • Bug tor-browser-build#40793: Add some metadata also to the Windows installer
  • Bug tor-browser-build#40801: Correct the ExecShell for system-wide installs in the NSIS script
  • Bug tor-browser#41459: WebRTC fails to build under mingw
  • Bug tor-browser#41678: WebRTC build fix patches incorrectly defining pid_t
• macOS
  • Bug tor-browser-build#40719: Allow non-universal macOS builds also on base-browser
  • Bug tor-browser#41535: Remove the old, unused and undocumented "-invisible" macOS CLI flag
• Linux
  • Bug tor-browser-build#40830: The fontconfig directory is missing in Base Browser
  • Bug tor-browser-build#40860: Improve the transition from the old fontconfig file to the new one
  • Bug tor-browser#41163: Many bundled fonts are blocked in Ubuntu/Fedora because of RFP
  • Bug tor-browser#41732: implement linux font whitelist as defense-in-depth
• Android
  • Bug tor-browser#41001: Remove remaining security slider code
  • Bug tor-browser#41185: Hide learn more about sync
  • Bug tor-browser#41634: Google Play incorrectly detects that libTor.so is built with OpenSSL 1.1.1b
  • Bug tor-browser#41667: Enable media.peerconnection.ice.obfuscate_host_addresses on Android for defense-in-depth
  • Bug tor-browser#41677: Remove the --disable-tor-browser-update flag on Android
• Build System
  • All Platforms
    • Updated Go to 1.20.5
    • Bug tor-browser-build#40673: Avoid building each go module separately
    • Bug tor-browser-build#40679: Use the latest translations for nightly builds
    • Bug tor-browser-build#40689: Update Ubuntu version from projects/mmdebstrap-image/config to 22.04.1
    • Bug tor-browser-build#40717: Create a script to prepare changelogs
    • Bug tor-browser-build#40720: Update fetch-changelogs.py scripts to support new Build System label
    • Bug tor-browser-build#40750: Find why rlbox hurts reproducibility
    • Bug tor-browser-build#40751: make signtag-* needs to take project name into account
    • Bug tor-browser-build#40753: We should not copy mar tools when the updater is disabled
    • Bug tor-browser-build#40760: Add BSD packager contacts to release prep templates
    • Bug tor-browser-build#40763: Add support for signing multiple browsers in tools/signing/nightly
    • Bug tor-browser-build#40783: Update download-unsigned-sha256sums-gpg-signatures-from-people-tpo to use $projectname prefix directory
    • Bug tor-browser-build#40784: Fix var_p/nightly_torbrowser_incremental_from after #40737
    • Bug tor-browser-build#40794: Include the build-id in firefox-l10n output name
    • Bug tor-browser-build#40795: Trim down tor-browser-build release prep issue templates
    • Bug tor-browser-build#40796: Bad UX for the changelogs script when using the issue number
    • Bug tor-browser-build#40805: Define the version flag for all browsers
    • Bug tor-browser-build#40807: Add config for signing base-browser nightly in tools/signing/nightly
    • Bug tor-browser-build#40812: Make var/rezip in projects/firefox/config quiet
    • Bug tor-browser-build#40818: Enable wasm target for rust compiler
    • Bug tor-browser-build#40828: Use http://archive.debian.org/debian-archive/ for jessie
    • Bug tor-browser-build#40837: Rebase mullvad-browser build changes onto main
    • Bug tor-browser-build#40870: Remove url without browser name from tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo
    • Bug tor-browser#41649: Create rebase and security backport gitlab issue templates
    • Bug tor-browser#41682: Add base-browser nightly mar signing key
  • Windows + macOS + Linux
    • Bug tor-browser-build#33953: Provide a way for easily updating Go dependencies of projects
    • Bug tor-browser-build#40713: Use the new tor-browser l10n branch in Firefox
    • Bug tor-browser-build#40777: Create a Go bootstrap project
    • Bug tor-browser-build#40778: Disable all translations with testbuilds in Firefox
    • Bug tor-browser-build#40788: Remove all languages but en-US for privacy-browser build target
    • Bug tor-browser-build#40809: Remove --enable-tor-browser-update and --enable-verify-mar from projects/firefox/mozconfig
    • Bug tor-browser-build#40813: Enable var/updater_enabled for basebrowser nightly
    • Bug tor-browser-build#40823: Update appname_* variables in projects/release/update_responses_config.yml
    • Bug tor-browser-build#40826: Correctly set appname_marfile for basebrowser in tools/signing/nightly/update-responses-base-config.yml
    • Bug tor-browser-build#40827: MAR generation uses (mostly) hard-coded MAR update channel
    • Bug tor-browser-build#40841: Adapt signing scripts to new signing machines
    • Bug tor-browser-build#40849: Move Go dependencies to the projects dependent on them, not as a standalone projects
    • Bug tor-browser-build#40866: Remove Using ansible to set up a nightly build machine from README
    • Bug tor-browser-build#40869: obfs4 is renamed to lyrebird
  • Windows
    • Bug tor-browser-build#29185: NSIS Installer not reproducible when icon has an alpha channel
    • Bug tor-browser-build#40757: Change projects/browser/windows-installer/torbrowser.nsi to a template file
  • Windows + macOS + Linux
    • Bug tor-browser-build#40732: Review Bundle-Data and try not to ship the default profile in base browser
  • Linux + Android
    • Bug tor-browser-build#40653: Build compiler-rt with runtimes instead of the main LLVM build
  • macOS
    • Bug tor-browser-build#40792: signing scripts missing project name prefix to make rule
    • Bug tor-browser-build#40798: dmg2mar step also takes care of copying the signed+stabled dmg to the signed directory
    • Bug tor-browser-build#40806: Update the reference to the macOS mozconfig
    • Bug tor-browser-build#40824: dmg2mar script using hardcoded project names for paths
    • Bug tor-browser-build#40847: Build filesystem influences the DMG creation
    • Bug tor-browser-build#40858: Create script to assist testers self sign Mac builds to allow running on Arm processors
    • Bug tor-browser#41453: Rename mozconfig-macos-x86_64 to mozconfig-macos
  • Android
    • Bug tor-browser-build#40738: Update Android git hashes templates
    • Bug tor-browser-build#40874: Add commit information also to GV
    • Bug tor-browser#41684: Android improvements for local dev builds

Tor Browser 12.0.7 - May 31 2023

* All Platforms
* Updated Translations
* Updated NoScript to 11.4.22
* Updated OpenSSL to 1.1.1u
* Bug 41764: TTP-02-004 OOS: No user-activation required to download files (Low) [tor-browser]
* Bug 41794: Rebase Tor Browser and Base Browser stable to 102.12esr [tor-browser]
* Windows + macOS + Linux
* Updated Firefox to 102.12esr
* Bug 41777: Internally shippped manual does not adapt to RTL languages (it always align to the left) [tor-browser]
* Android
* Updated GeckoView to 102.12esr
* Bug 41805: Backport Android-specific security fixes from Firefox 114 to ESR 102.12-based Tor Browser [tor-browser]

The full changelog since Tor Browser 12.0.5 is:

• All Platforms
  • Updated Translations
  • Updated Go to 11.9.9
  • Bug tor-browser#41728: Pin bridges.torproject.org domains to Let's Encrypt's root cert public key
  • Bug tor-browser#41756: Rebase Tor Browser Stable to 102.11.0esr
• Windows + macOS + Linux
  • Updated Firefox to 102.11esr
  • Bug tor-browser#40501: High CPU load after tor exits unexpectedly
• Windows
  • Bug tor-browser#41683: Disable the network process on Windows
• Android
  • Updated GeckoView to 102.11esr
• Build System
  • Windows + macOS + Linux
    • Bug tor-browser#41730: Bridge lines in tools/torbrowser/bridges.js out of date
  • macOS
    • Bug tor-browser-build#40844: Fix DMG reproducibility problem on 12.0.5