Version history for Tor Browser Bundle for Mac (64-bit)
<<Back to software description
Changes for v9.0.6 - v9.0.7
- All Platforms
- Bump NoScript to 11.0.19
- Bump Https-Everywhere to 2020.3.16
- Bug 33613: Disable Javascript on Safest security level
- Windows + OS X + Linux
- Bump Tor to 0.4.2.7
Changes for v9.0 - v9.0.1
- All Platforms
- Update NoScript to 11.0.4
- Bug 21004: Don't block JavaScript on onion services on medium security
- Bug 27307: NoScript marks HTTP onions as not secure
- Bug 30783: Fundraising banner for EOY 2019 campain
- Bug 32321: Don't ping Mozilla for Man-in-the-Middle-detection
- Bug 27268: Preferences clean-up
- Windows + OS X + Linux
- Update Tor Launcher to 0.2.20.2
- Bug 32164: Trim each received log line from tor
- Translations update
- Bug 31803: Replaced about:debugging logo with flat version
- Bug 31764: Fix for error when navigating via 'Paste and go'
- Bug 32169: Fix TB9 Wikipedia address bar search
- Bug 32210: Hide the tor pane when using a system tor
- Bug 31658: Use builtin --panel-disabled-color for security level text
- Bug 32188: Fix localization on about:preferences#tor
- Bug 32184: Red dot is shown while downloading an update
Changes for v8.5.4 - v9.0
- All Platforms
- Update Firefox to 68.2.0esr
- Bug 31740: Remove some unnecessary RemoteSettings instances
- Bug 13543: Spoof smooth and powerEfficient for Media Capabilities
- Bug 28196: about:preferences is not properly translated anymore
- Bug 19417: Disable asmjs on safer and safest security levels
- Bug 30463: Explicitly disable MOZ_TELEMETRY_REPORTING
- Bug 31935: Disable profile downgrade protection
- Bug 16285: Disable DRM/EME on Android and drop Adobe CDM
- Bug 31602: Remove Pocket indicators in UI and disable it
- Bug 31914: Fix eslint linter error
- Bug 30429: Rebase patches for Firefox 68 ESR
- Bug 31144: Review network code changes for Firefox 68 ESR
- Bug 10760: Integrate Torbutton into Tor Browser directly
- Bug 25856: Remove XUL overlays from Torbutton
- Bug 31322: Fix about:tor assertion failure debug builds
- Bug 29430: Add support for meek_lite bridges to bridgeParser
- Bug 28561: Migrate "About Tor Browser" dialog to tor-browser
- Bug 30683: Prevent detection of locale via some *.properties
- Bug 31298: Backport patch for #24056
- Bug 9336: Odd wyswig schemes without isolation for browserspy.dk
- Bug 27601: Browser notifications are not working anymore
- Bug 30845: Make sure internal extensions are enabled
- Bug 28896: Enable extensions in private browsing by default
- Bug 31563: Reload search extensions if extensions.enabledScopes has changed
- Bug 31396: Fix communication with NoScript for security settings
- Bug 31142: Fix crash of tab and messing with about:newtab
- Bug 29049: Backport JS Poison Patch
- Bug 25214: Canvas data extraction on locale pdf file should be allowed
- Bug 30657: Locale is leaked via title of link tag on non-html page
- Bug 31015: Disabling SVG hides UI icons in extensions
- Bug 30681: Set security.enterprise_roots.enabled to false
- Bug 30538: Unable to comment on The Independent Newspaper
- Bug 31209: View PDF in Tor Browser is fuzzy
- Translations update
- Windows + OS X + Linux
- Update Tor to 0.4.1.6
- Update OpenSSL to 1.1.1d
- Bug 31844: OpenSSL 1.1.1d fails to compile for some platforms/architectures
- Update Tor Launcher to 0.2.20.1
- Bug 28044: Integrate Tor Launcher into tor-browser
- Bug 32154: Custom bridge field only allows one line of input
- Bug 31286: New strings for about:preferences#tor
- Bug 31303: Do not launch tor in browser toolbox
- Bug 32112: Fix bad & escaping in translations
- Bug 31491: Clean up the old meek http helper browser profiles
- Bug 29197: Remove use of overlays
- Bug 31300: Modify Tor Launcher so it is compatible with ESR68
- Bug 31487: Modify moat client code so it is compatible with ESR68
- Bug 31488: Moat: support a comma-separated list of transports
- Bug 30468: Add mk locale
- Bug 30469: Add ro locale
- Bug 30319: Remove FTE bits
- Translations update
- Bug 32092: Fix Tor Browser Support link in preferences
- Bug 32111: Fixed issue parsing user-provided bridge strings
- Bug 31749: Fix security level panel spawning events
- Bug 31920: Fix Security Level panel when its toolbar button moves to overflow
- Bug 31748+31961: Fix 'Learn More' links in Security Level preferences and panel
- Bug 28044: Integrate Tor Launcher into tor-browser
- Bug 31059: Enable Letterboxing
- Bug 30468: Add mk locale
- Bug 30469: Add ro locale
- Bug 29430: Use obfs4proxy's meek_lite with utls instead of meek
- Bug 31251: Security Level button UI polish
- Bug 31344: Register SecurityLevelPreference's 'unload' callback
- Bug 31286: Provide network settings on about:preferences#tor
- Bug 31886: Fix ko bundle bustage
- Bug 31768: Update onboarding for Tor Browser 9
- Bug 27511: Add new identity button to toolbar
- Bug 31778: Support dark-theme for the Circuit Display UI
- Bug 31910: Replace meek_lite with meek in circuit display
- Bug 30504: Deal with New Identity related browser console errors
- Bug 31929: Don't escape DTD entity in ar
- Bug 31747: Some onboarding UI is always shown in English
- Bug 32041: Replace = with real hamburguer icon ≡
- Bug 30304: Browser locale can be obtained via DTD strings
- Bug 31065: Set network.proxy.allow_hijacking_localhost to true
- Bug 24653: Merge securityLevel.properties into torbutton.dtd
- Bug 31164: Set up default bridge at Karlstad University
- Bug 15563: Disable ServiceWorkers on all platforms
- Bug 31598: Disable warning on window resize if letterboxing is enabled
- Bug 31562: Fix circuit display for error pages
- Bug 31575: Firefox is phoning home during start-up
- Bug 31491: Clean up the old meek http helper browser profiles
- Bug 26345: Hide tracking protection UI
- Bug 31601: Disable recommended extensions again
- Bug 30662: Don't show Firefox Home when opening new tabs
- Bug 31457: Disable per-installation profiles
- Bug 28822: Re-implement desktop onboarding for ESR 68
- Windows
- Bug 31942: Re-enable signature check for language packs
- Bug 29013: Enable stack protection for Firefox on Windows
- Bug 30800: ftp:// on Windows can be used to leak the system time zone
- Bug 31547: Back out patch for Mozilla's bug 1574980
- Bug 31141: Fix typo in font.system.whitelist
- Bug 30319: Remove FTE bits
- OS X
- Bug 30126: Make Tor Browser compatible with macOS 10.15
- Bug 31607: App menu items stop working on macOS
- Bug 31955: On macOS avoid throwing inside nonBrowserWindowStartup()
- Bug 29818: Adapt #13379 patch for 68esr
- Bug 31464: Meek and moat are broken on macOS 10.9 with Go 1.12
- Linux
- Bug 31942: Re-enable signature check for language packs
- Bug 31646: Update abicheck to require newer libstdc++.so.6
- Bug 31968: Don't fail if /proc/cpuinfo is not readable
- Bug 24755: Stop using a heredoc in start-tor-browser
- Bug 31550: Put curly quotes inside single quotes
- Bug 31394: Replace "-1" with "−1" in start-tor-browser.desktop
- Bug 30319: Remove FTE bits
- Android
- Update Tor to 0.4.1.5
- Bug 31010: Rebase mobile patches for Fennec 68
- Bug 31010: Don't use addTrustedTab() on mobile
- Bug 30607: Support Tor Browser running on Android Q
- Bug 31192: Support x86_64 target on Android
- Bug 30380: Cancel dormant by startup
- Bug 30943: Show version number on mobile
- Bug 31720: Enable website suggestions in address bar
- Bug 31822: Security slider is not really visible on Android anymore
- Bug 24920: Only create Private tabs in permanent Private Browsing Mode
- Bug 31730: Revert aarch64-workaround against JIT-related crashes
- Bug 32097: Fix conflicts in mobile onboarding while rebasing to 68.2.0esr
- Build System
- All Platforms
- Bug 30585: Provide standalone clang 8 project across all platforms
- Bug 30376: Use Rust 1.34 for Tor Browser 9
- Bug 30490: Add cbindgen project for building Firefox 68 ESR/Fennec 68
- Bug 30701: Add nodejs project for building Firefox 68 ESR/Fennec 68
- Bug 31621: Fix node bug that makes large writes to stdout fail
- Bug 30734: Add nasm project for building Firefox 68 ESR/Fennec 68
- Bug 31293: Make sure the lo interface inside the containers is up
- Bug 27493: Clean up mozconfig options
- Bug 31308: Sync mozconfig files used in tor-browser over to tor-browser-build for esr68
- Windows
- Bug 29307: Use Stretch for cross-compiling for Windows
- Bug 29731: Remove faketime for Windows builds
- Bug 30322: Windows toolchain update for Firefox 68 ESR
- Bug 28716: Create mingw-w64-clang toolchain
- Bug 28238: Adapt firefox and fxc2 projects for Windows builds
- Bug 28716: Optionally omit timestamp in PE header
- Bug 31567: NS_tsnprintf() does not handle %s correctly on Windows
- Bug 31458: Revert patch for #27503 and bump mingw-w64 revision used
- Bug 9898: Provide clean fix for strcmpi issue in NSPR
- Bug 29013: Enable stack protection support for Firefox on Windows
- Bug 30384: Use 64bit containers to build 32bit Windows Tor Browser
- Bug 31538: Windows bundles based on ESR 68 are not built reproducibly
- Bug 31584: Clean up mingw-w64 project
- Bug 31596: Bump mingw-w64 version to pick up fix for #31567
- Bug 29187: Bump NSIS version to 3.04
- Bug 31732: Windows nightly builds are busted due to mingw-w64 commit bump
- Bug 29319: Remove FTE support for Windows
- OS X
- Bug 30323: MacOS toolchain update for Firefox 68 ESR
- Bug 31467: Switch to clang for cctools project
- Bug 31465: Adapt tor-browser-build projects for macOS notarization
- Linux
- Bug 31448: gold and lld break linking 32bit Linux bundles
- Bug 31618: Linux32 builds of Tor Browser 9.0a6 are not matching
- Bug 31450: Still use GCC for our ASan builds
- Bug 30321: Linux toolchain update for Firefox ESR 68
- Bug 30736: Install yasm from wheezy-backports
- Bug 31447: Don't install Python just for Mach
- Bug 30448: Strip Browser/gtk2/libmozgtk.so
- Android
- Bug 30324: Android toolchain update for Fennec 68
- Bug 31173: Update android-toolchain project to match Firefox
- Bug 31389: Update Android Firefox to build with Clang
- Bug 31388: Update Rust project for Android
- Bug 30665: Get Firefox 68 ESR working with latest android toolchain
- Bug 30460: Update TOPL project to use Firefox 68 toolchain
- Bug 30461: Update tor-android-service project to use Firefox 68 toolchain
- Bug 28753: Use Gradle with --offline when building the browser part
- Bug 31564: Make Android bundles based on ESR 68 reproducible
- Bug 31981: Remove require-api.patch
- Bug 31979: TOPL: Sort dependency list
- Bug 30665: Remove unnecessary build patches for Firefox
Changes for v8.5.2 - v8.5.3
- * All platforms
- * Pick up fix for Mozilla's bug 1560192
Changes for v8.5 - v8.5.2
- Tor Browser 8.5.2 -- June 19 2019
- * All platforms
- * Pick up fix for Mozilla's bug 1544386
- * Update NoScript to 10.6.3
- * Bug 29904: NoScript blocks MP4 on higher security levels
- * Bug 30624+29043+29647: Prevent XSS protection from freezing the browser
- Tor Browser 8.5.1 -- June 4 2019
- * All platforms
- * Update Torbutton to 2.1.10
- * Bug 30565: Sync nocertdb with privatebrowsing.autostart at startup
- * Bug 30464: Add WebGL to safer descriptions
- * Translations update
- * Update NoScript to 10.6.2
- * Bug 29969: Remove workaround for Mozilla's bug 1532530
- * Update HTTPS Everywhere to 2019.5.13
- * Bug 30541: Disable WebGL readPixel() for web content
- * Windows + OS X + Linux
- * Bug 30560: Better match actual toolbar in onboarding toolbar graphic
- * Bug 30571: Correct more information URL for security settings
- * Android
- * Bug 30635: Sync mobile default bridges list with desktop one
- * Build System
- * All platforms
- * Bug 30480: Check that signed tag contains expected tag name
Changes for v8.0.8 - v8.0.9
- All platforms
- Update Torbutton to 2.0.13
- Bug 30388: Make sure the updated intermediate certificate keeps working
- Backport fixes for bug 1549010 and bug 1549061
- Bug 30388: Make sure the updated intermediate certificate keeps working
- Update NoScript to 10.6.1
- Bug 29872: XSS popup with DuckDuckGo search on about:to
Changes for v8.0.7 - v8.0.8
- All platforms
- Update Firefox to 60.6.1esr
- Update NoScript to 10.2.4
- Bug 29733: Work around Mozilla's bug 1532530
Changes for v8.0.6 - v8.0.7
- All platforms
- Update Firefox to 60.6.0esr
- Update Tor to 0.3.5.8
- Bug 29660: XMPP can not connect to SOCKS5 anymore
- Update Torbutton to 2.0.11
- Bug 29021: Tell NoScript it is running within Tor Browser
- Windows
- Bug 29081: Harden libwinpthread
Changes for v8.0.5 - v8.0.6
- All platforms
- Update Firefox to 60.5.1esr
- Update HTTPS Everywhere to 2019.1.31
- Bug 29378: Remove 83.212.101.3 from default bridges
- Build System
- All Platforms
- Bug 29235: Build our own version of python3.6 for HTTPS Everywhere
Changes for v8.0.1 - v8.0.2
- All platforms
- Update Firefox to 60.2.1esr
- Backport fix for Mozilla bug 1493900 and 1493903
- OS X
- Backport fix for Mozilla bug 1489785 for macOS 10.14 compatibility
Changes for v8.0 - v8.0.1
- All platforms
- Update Tor to 0.3.4.8
- Update Torbutton to 2.0.7
- Bug 27097: Tor News signup banner
- Bug 27663: Add New Identity menuitem again
- Bug 26624: Only block OBJECT on highest slider level
- Bug 26555: Don't show IP address for meek or snowflake
- Bug 27478: Torbutton icons for dark theme
- Bug 27506+14520: Move status version to upper left corner for RTL locales
- Bug 27427: Fix NoScript IPC for about:blank by whitelisting messages
- Bug 27558: Update the link to "Your Guard note may not change" text
- Translations update
- Update Tor Launcher to 0.2.16.6
- Bug 27469: Adapt Moat URLs
- Translations update
- Clean-up
- Update NoScript to 10.1.9.6
- Bug 27763: Restrict Torbutton signing exemption to mobile
- Bug 26146: Spoof HTTP User-Agent header for desktop platforms
- Bug 27543: QR code is broken on web.whatsapp.com
- Bug 27264: Bookmark items are not visible on the boomark toolbar
- Bug 27535: Enable TLS 1.3 draft version
- Backport of Mozilla bug 1490585, 1475775, and 1489744
- OS X
- Bug 27482: Fix crash during start-up on macOS 10.9.x systems
Changes for v7.5.1 - v7.5.2
- Update Firefox to 52.7.2esr
Changes for v7.0.11 - v7.5
- All Platforms
- Update Firefox to 52.6.0esr
- Update Tor to 0.3.2.9
- Update OpenSSL to 1.0.2n
- Update Torbutton to 1.9.8.5
- Bug 21847: Update copy for security slider
- Bug 21245: Add da translation to Torbutton and keep track of it
- Bug 24702: Remove Mozilla text from banner
- Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
- Translations update
- Update Tor Launcher to 0.2.14.3
- Bug 23262: Implement integrated progress bar
- Bug 23261: implement configuration portion of new Tor Launcher UI
- Bug 24623: Revise "country that censors Tor" text
- Bug 24624: tbb-logo.svg may cause network access
- Bug 23240: Retrieve current bootstrap progress before showing progress bar
- Bug 24428: Bootstrap error message sometimes lost
- Bug 22232: Add README on use of bootstrap status messages
- Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
- Translations update
- Update HTTPS Everywhere to 2018.1.11
- Update NoScript to 5.1.8.3
- Bug 23104: CSS line-height reveals the platform Tor Browser is running on
- Bug 24398: Plugin-container process exhausts memory
- Bug 22501: Requests via javascript: violate FPI
- Bug 24756: Add noisebridge01 obfs4 bridge configuration
- Windows
- Bug 16010: Enable content sandboxing on Windows
- Bug 23230: Fix build error on Windows 64
- OS X
- Bug 24566: Avoid white flashes when opening dialogs in Tor Browser
- Bug 23025: Add some hardening flags to macOS build
- Linux
- Bug 23970: Make "Print to File" work with sandboxing enabled
- Bug 23016: "Print to File" is broken on some non-english Linux systems
- Bug 10089: Set middlemouse.contentLoadURL to false by default
- Bug 18101: Suppress upload file dialog proxy bypass (linux part)
- Android
- Bug 22084: Spoof network information API
- Build System
- All Platforms
- Switch from gitian/tor-browser-bundle to rbm/tor-browser-build
- Windows
- Bug 22563: Update mingw-w64 to fix W^X violations
- Bug 20929: Bump GCC version to 5.4.0
- Linux
- Bug 20929: Bump GCC version to 5.4.0
- Bug 23892: Include Firefox and Tor debug files in final build directory
- Bug 24842: include libasan.so.2 and libubsan.so.0 in debug builds
Changes for v7.0.10 - v7.0.11
- All Platforms
- Update Firefox to 52.5.2esr
- Update Tor to 0.3.1.9
- Update HTTPS-Everywhere to 2017.12.6
- Update NoScript to 5.1.8.1
Changes for v7.0.9 - v7.0.10
- * All Platforms
- * Update Firefox to 52.5.0esr
- * Update Tor to 0.3.1.8
- * Update Torbutton to 1.9.7.10
- * Bug 23997: Add link to Tor Browser manual for de, nl, tr, vi
- * Translations update
- * Update HTTPS-Everywhere to 2017.10.30
- * Bug 24178: Use make.sh for building HTTPS-Everywhere
- * Update NoScript to 5.1.5
- * Bug 23968: NoScript icon jumps to the right after update
- * Windows
- * Bug 23582: Enable the Windows DLL blocklist for mingw-w64 builds
- * Bug 23396: Update the msvcr100.dll we ship
- * Bug 24052: Block file:// redirects early
Changes for v7.0.4 - v7.0.5
- All Platforms
- Update Torbutton to 1.9.7.6
- Bug 22989: Fix dimensions of new windows on macOS
- Translations update
- Update HTTPS-Everywhere to 2017.8.31
- Update NoScript to 5.0.9
- Bug 23166: Add new obfs4 bridge to the built-in ones
- Bug 23258: Fix broken HTTPS-Everywhere on higher security levels
- Bug 21270: NoScript settings break WebExtensions add-ons
Changes for v7.0.2 - v7.0.4
- All Platforms
- Update Firefox to 52.3.0esr
- Update Tor to 0.3.0.10
- Update Torbutton to 1.9.7.5
- Bug 21999: Fix display of language prompt in non-en-US locales
- Bug 18193: Don't let about:tor have chrome privileges
- Bug 22535: Search on about:tor discards search query
- Bug 21948: Going back to about:tor page gives "Address isn't valid" error
- Code clean-up
- Translations update
- Update Tor Launcher to 0.2.12.3
- Bug 22592: Default bridge settings are not removed
- Translations update
- Update HTTPS-Everywhere to 5.2.21
- Update NoScript to 5.0.8.1
- Bug 22362: Remove workaround for XSS related browser freezing
- Bug 22067: NoScript Click-to-Play bypass with embedded videos and audio
- Bug 21321: Exempt .onions from HTTP related security warnings
- Bug 22073: Disable GetAddons option on addons page
- Bug 22884: Fix broken about:tor page on higher security levels
- Windows
- Bug 22829: Remove default obfs4 bridge riemann.
- Bug 21617: Fix single RWX page on Windows (included in 52.3.0esr)
- OS X
- Bug 22829: Remove default obfs4 bridge riemann.
Changes for v7.0.1 - v7.0.2
- This release features an important security update to Tor.
Changes for v7.0 - v7.0.1
- All Platforms
- Update Firefox to 52.2.0esr
- Update Tor to 0.3.0.8
- Update Torbutton to 1.9.7.4
- Bug 22542: Security Settings window too small on macOS 10.12
- Update HTTPS-Everywhere to 5.2.18
- Bug 22362: NoScript's XSS filter freezes the browser
- OS X
- Bug 22558: Don't update OS X 10.7.x and 10.8.x users to Tor Browser 7.0
Changes for v6.5.2 - v7.0
- All Platforms
- Update Firefox to 52.1.2esr
- Update Tor to 0.3.0.7
- Update Torbutton to 1.9.7.3
- Bug 22104: Adjust our content policy whitelist for ff52-esr
- Bug 22457: Allow resources loaded by view-source://
- Bug 21627: Ignore HTTP 304 responses when checking redirects
- Bug 22459: Adapt our use of the nsIContentPolicy to e10s mode
- Bug 21865: Update our JIT preferences in the security slider
- Bug 21747: Make 'New Tor Circuit for this Site' work in ESR52
- Bug 21745: Fix handling of catch-all circuit
- Bug 21547: Fix circuit display under e10s
- Bug 21268: e10s compatibility for New Identity
- Bug 21267: Remove window resize implementation for now
- Bug 21201: Make Torbutton multiprocess compatible
- Translations update
- Update Tor Launcher to 0.2.12.2
- Bug 22283: Linux 7.0a4 broken after update due to unix: lines in torrc
- Bug 20761: Don't ignore additional SocksPorts
- Bug 21920: Don't show locale selection dialog
- Bug 21546: Mark Tor Launcher as multiprocess compatible
- Bug 21264: Add a README file
- Translations update
- Update HTTPS-Everywhere to 5.2.17
- Update NoScript to 5.0.5
- Update Go to 1.8.3 (bug 22398)
- Bug 21962: Fix crash on about:addons page
- Bug 21766: Fix crash when the external application helper dialog is invoked
- Bug 21886: Download is stalled in non-e10s mode
- Bug 21778: Canvas prompt is not shown in Tor Browser based on ESR52
- Bug 21569: Add first-party domain to Permissions key
- Bug 22165: Don't allow collection of local IP addresses
- Bug 13017: Work around audio fingerprinting by disabling the Web Audio API
- Bug 10286: Disable Touch API and add fingerprinting resistance as fallback
- Bug 13612: Disable Social API
- Bug 10283: Disable SpeechSynthesis API
- Bug 22333: Disable WebGL2 API for now
- Bug 21861: Disable additional mDNS code to avoid proxy bypasses
- Bug 21684: Don't expose navigator.AddonManager to content
- Bug 21431: Clean-up system extensions shipped in Firefox 52
- Bug 22320: Use preference name 'referer.hideOnionSource' everywhere
- Bug 16285: Don't ship ClearKey EME system and update EME preferences
- Bug 21675: Spoof window.navigator.hardwareConcurrency
- Bug 21792: Suppress MediaError.message
- Bug 16337: Round times exposed by Animation API to nearest 100ms
- Bug 21972: about:support is partially broken
- Bug 21726: Keep Graphite support disabled
- Bug 21323: Enable Mixed Content Blocking
- Bug 21685: Disable remote new tab pages
- Bug 21790: Disable captive portal detection
- Bug 21686: Disable Microsoft Family Safety support
- Bug 22073: Make sure Mozilla's experiments are disabled
- Bug 21683: Disable newly added Safebrowsing capabilities
- Bug 22071: Disable Kinto-based blocklist update mechanism
- Bug 22415: Fix format error in our pipeline patch
- Bug 22072: Hide TLS error reporting checkbox
- Bug 20761: Don't ignore additional SocksPorts
- Bug 21862: Rip out potentially unsafe Rust code
- Bug 16485: Improve about:cache page
- Bug 22462: Backport of patch for bug 1329521 to fix assertion failure
- Bug 21340: Identify and backport new patches from Firefox
- Bug 22153: Fix broken feeds on higher security levels
- Bug 22025: Fix broken certificate error pages on higher security levels
- Bug 21887: Fix broken error pages on higher security levels
- Bug 22458: Fix broken `about:cache` page on higher security levels
- Bug 21876: Enable e10s by default on all supported platforms
- Bug 21876: Always use esr policies for e10s
- Bug 20905: Fix resizing issues after moving to a direct Firefox patch
- Bug 21875: Modal dialogs are maximized in ESR52 nightly builds
- Bug 21885: SVG is not disabled in Tor Browser based on ESR52
- Bug 17334: Hide Referer when leaving a .onion domain (improved patch)
- Bug 18531: Uncaught exception when opening ip-check.info
- Bug 18574: Uncaught exception when clicking items in Library
- Bug 22327: Isolate Page Info media previews to first party domain
- Bug 22452: Isolate tab list menuitem favicons to first party domain
- Bug 15555: View-source requests are not isolated by first party domain
- Bug 3246: Double-key cookies
- Bug 8842: Fix XML parsing error
- Bug 5293: Neuter fingerprinting with Battery API
- Bug 16886: 16886: "Add-on compatibility check dialog" contains Firefox logo
- Bug 19645: TBB zooms text when resizing browser window
- Bug 19192: Untrust Blue Coat CA
- Bug 19955: Avoid confusing warning that favicon load request got cancelled
- Bug 20005: Backport fixes for memory leaks investigation
- Bug 20755: ltn.com.tw is broken in Tor Browser
- Bug 21896: Commenting on website is broken due to CAPTCHA not being displayed
- Bug 20680: Rebase Tor Browser patches to 52 ESR
- Bug 22429: Add IPv6 address for Lisbeth:443 obfs4 bridge
- Bug 22468: Add default obfs4 bridges frosty and dragon
- Windows
- Bug 22419: Prevent access to file://
- Bug 12426: Make use of HeapEnableTerminationOnCorruption
- Bug 19316: Make sure our Windows updates can deal with the SSE2 requirement
- Bug 21868: Fix build bustage with FIREFOX_52_0_2esr_RELEASE for Windows
- OS X
- Bug 21940: Don't allow privilege escalation during update
- Bug 22044: Fix broken default search engine on macOS
- Bug 21879: Use our default bookmarks on OSX
- Bug 21779: Non-admin users can't access Tor Browser on macOS
- Bug 21723: Fix inconsistent generation of MOZ_MACBUNDLE_ID
- Bug 21724: Make Firefox and Tor Browser distinct macOS apps
- Bug 21931: Backport OSX SetupMacCommandLine updater fixes
- Bug 15910: Don't download GMPs via the local fallback
- Linux
- Bug 16285: Remove ClearKey related library stripping
- Bug 22041: Fix update error during update to 7.0a3
- Bug 22238: Fix use of hardened wrapper for Firefox build
- Bug 21907: Fix runtime error on CentOS 6
- Bug 15910: Don't download GMPs via the local fallback
- Android
- Bug 19078: Disable RtspMediaResource stuff in Orfox
- Build system
- Windows
- Bug 21837: Fix reproducibility of accessibility code for Windows
- Bug 21240: Create patches to fix mingw-w64 compilation of Firefox ESR 52
- Bug 21904: Bump mingw-w64 commit to help with sandbox compilation
- Bug 18831: Use own Yasm for Firefox cross-compilation
- OS X
- Bug 21328: Updating to clang 3.8.0
- Bug 21754: Remove old GCC toolchain and macOS SDK
- Bug 19783: Remove unused macOS helper scripts
- Bug 10369: Don't use old GCC toolchain anymore for utils
- Bug 21753: Replace our old GCC toolchain in PT descriptor
- Bug 18530: ESR52 based Tor Browser only runs on macOS 10.9+
- Bug 22328: Remove clang PIE wrappers
Changes for v6.5 - v6.5.1
- All Platforms
- Update Firefox to 45.8.0esr
- Tor to 0.2.9.10
- OpenSSL to 1.0.2k
- Update Torbutton to 1.9.6.14
- Bug 21396: Allow leaking of resource/chrome URIs (off by default)
- Bug 21574: Add link for zh manual and create manual links dynamically
- Bug 21330: Non-usable scrollbar appears in tor browser security settings
- Translation updates
- Update HTTPS-Everywhere to 5.2.11
- Bug 21514: Restore W^X JIT implementation removed from ESR45
- Bug 21536: Remove scramblesuit bridge
- Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
Changes for v6.0.8 - v6.5
- All Platforms
- Update Firefox to 45.7.0esr
- Tor to 0.2.9.9
- OpenSSL to 1.0.2j
- Update Torbutton to 1.9.6.12
- Bug 16622: Timezone spoofing moved to tor-browser.git
- Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
- Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
- Bug 20701: Allow the directory listing stylesheet in the content policy
- Bug 19837: Whitelist internal URLs that Firefox requires for media
- Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
- Bug 19273: Improve external app launch handling and associated warnings
- Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
- Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
- Bug 17767: Make "JavaScript disabled" more visible in Security Slider
- Bug 20556: Use pt-BR strings from now on
- Bug 20614: Add links to Tor Browser User Manual
- Bug 20414: Fix non-rendering arrow on OS X
- Bug 20728: Fix bad preferences.xul dimensions
- Bug 19898: Use DuckDuckGo on about:tor
- Bug 21091: Hide the update check menu entry when running under the sandbox
- Bug 19459: Move resizing code to tor-browser.git
- Bug 20264: Change security slider to 3 options
- Bug 20347: Enhance security slider's custom mode
- Bug 20123: Disable remote jar on all security levels
- Bug 20244: Move privacy checkboxes to about:preferences#privacy
- Bug 17546: Add tooltips to explain our privacy checkboxes
- Bug 17904: Allow security settings dialog to resize
- Bug 18093: Remove 'Restore Defaults' button
- Bug 20373: Prevent redundant dialogs opening
- Bug 20318: Remove helpdesk link from about:tor
- Bug 21243: Add links for pt, es, and fr Tor Browser manuals
- Bug 20753: Remove obsolete StartPage locale strings
- Bug 21131: Remove 2016 donation banner
- Bug 18980: Remove obsolete toolbar button code
- Bug 18238: Remove unused Torbutton code and strings
- Bug 20388+20399+20394: Code clean-up
- Translation updates
- Update Tor Launcher to 0.2.10.3
- Bug 19568: Set CurProcD for Thunderbird/Instantbird
- Bug 19432: Remove special handling for Instantbird/Thunderbird
- Translation updates
- Update HTTPS-Everywhere to 5.2.9
- Update NoScript to 2.9.5.3
- Bug 16622: Spoof timezone with Firefox patch
- Bug 17334: Spoof referrer when leaving a .onion domain
- Bug 19273: Write C++ patch for external app launch handling
- Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)
- Bug 12523: Mark JIT pages as non-writable
- Bug 20123: Always block remote jar files
- Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
- Bug 19164: Remove support for SHA-1 HPKP pins
- Bug 19186: KeyboardEvents are only rounding to 100ms
- Bug 16998: Isolate preconnect requests to URL bar domain
- Bug 19478: Prevent millisecond resolution leaks in File API
- Bug 20471: Allow javascript: links from HTTPS first party pages
- Bug 20244: Move privacy checkboxes to about:preferences#privacy
- Bug 20707: Fix broken preferences tab in non-en-US alpha bundles
- Bug 20709: Fix wrong update URL in alpha bundles
- Bug 19481: Point the update URL to aus1.torproject.org
- Bug 20556: Start using pt-BR instead of pt-PT for Portuguese
- Bug 20442: Backport fix for local path disclosure after drag and drop
- Bug 20160: Backport fix for broken MP3-playback
- Bug 20043: Isolate SharedWorker script requests to first party
- Bug 18923: Add script to run all Tor Browser regression tests
- Bug 20651: DuckDuckGo does not work with JavaScript disabled
- Bug 19336+19835: Enhance about:tbupdate page
- Bug 20399+15852: Code clean-up
- Windows
- Bug 20981: On Windows, check TZ for timezone first
- Bug 18175: Maximizing window and restarting leads to non-rounded window size
- Bug 13437: Rounded inner window accidentally grows to non-rounded size
- OS X
- Bug 20590: Badly resized window due to security slider notification bar on OS X
- Bug 20439: Make the build PIE on OSX
- Linux
- Bug 20691: Updater breaks if unix domain sockets are used
- Bug 15953: Weird resizing dance on Tor Browser startup
- Build system
- All platforms
- Bug 20927: Upgrade Go to 1.7.4
- Bug 20583: Make the downloads.json file reproducible
- Bug 20133: Don't apply OpenSSL patch anymore
- Bug 19528: Set MOZ_BUILD_DATE based on Firefox version
- Bug 18291: Remove some uses of libfaketime
- Bug 18845: Make zip and tar helpers generate reproducible archives
- OS X
- Bug 20258: Make OS X Tor archive reproducible again
- Bug 20184: Make OS X builds reproducible (use clang for compiling tor)
- Bug 19856: Make OS X builds reproducible (getting libfaketime back)
- Bug 19410: Fix incremental updates by taking signatures into account
- Bug 20210: In dmg2mar, extract old mar file to copy permissions to the new one
Changes for v6.0.7 - v6.0.8
- All Platforms
- Update Firefox to 45.6.0esr
- Update Tor to 0.2.8.11
- Update Torbutton to 1.9.5.13
- Bug 20947: Donation banner improvements
- Update HTTPS-Everywhere to 5.2.8
- Bug 20809: Use non-/html search engine URL for DuckDuckGo search plugins
- Bug 20837: Activate iat-mode for certain obfs4 bridges
- Bug 20838: Uncomment NX01 default obfs4 bridge
- Bug 20840: Rotate ports a third time for default obfs4 bridges
Changes for v6.0.6 - v6.0.7
- All Platforms
- Update Firefox to 45.5.1esr
- Update NoScript to 2.9.5.2
Changes for v6.0.5 - v6.0.6
- All Platforms
- Update Firefox to 45.5.0esr
- Update Tor to 0.2.8.9
- Update OpenSSL to 1.0.1u
- Update Torbutton to 1.9.5.12
- Bug 20414: Add donation banner on about:tor for 2016 campaign
- Translation updates
- Update Tor Launcher to 0.2.9.4
- Bug 20429: Do not open progress window if tor doesn't get started
- Bug 19646: Wrong location for meek browser profile on OS X
- Update HTTPS-Everywhere to 5.2.7
- Update meek to 0.25
- Bug 19646: Wrong location for meek browser profile on OS X
- Bug 20030: Shut down meek-http-helper cleanly if built with Go > 1.5.4
- Bug 19838: Add dgoulet's bridge and add another one commented out
- Bug 20296: Rotate ports again for default obfs4 bridges
- Bug 19735: Switch default search engine to DuckDuckGo
- Bug 20118: Don't unpack HTTPS Everywhere anymore
- Windows
- Bug 20342: Add tor-gencert.exe to expert bundle
- OS X
- Bug 20204: Windows don't drag on macOS Sierra anymore
- Bug 20250: Meek fails on macOS Sierra if built with Go < 1.7
- Build system
- All platforms
- Bug 20023: Upgrade Go to 1.7.3
Changes for v6.0 - v6.0.1
- All Platforms
- Update Firefox to 45.2.0esr
- Bug 18884: Don't build the loop extension
- Bug 19187: Backport fix for crash related to popup menus
- Bug 19212: Fix crash related to network panel in developer tools
Changes for v5.5.5 - v6.0
- All Platforms
- Update Firefox to 45.1.1esr
- Update OpenSSL to 1.0.1t
- Update Torbutton to 1.9.5.4
- Bug 18466: Make Torbutton compatible with Firefox ESR 45
- Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
- Bug 18905: Hide unusable items from help menu
- Bug 16017: Allow users to more easily set a non-tor SSH proxy
- Bug 17599: Provide shortcuts for New Identity and New Circuit
- Translation updates
- Code clean-up
- Update Tor Launcher to 0.2.9.3
- Bug 13252: Do not store data in the application bundle
- Bug 18947: Tor Browser is not starting on OS X if put into /Applications
- Bug 11773: Setup wizard UI flow improvements
- Translation updates
- Update HTTPS-Everywhere to 5.1.9
- Update meek to 0.22 (tag 0.22-18371-3)
- Bug 18371: Symlinks are incompatible with Gatekeeper signing
- Bug 18904: Mac OS: meek-http-helper profile not updated
- Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
- Bug 18900: Fix broken updater on Linux
- Bug 19121: The update.xml hash should get checked during update
- Bug 18042: Disable SHA1 certificate support
- Bug 18821: Disable libmdns support for desktop and mobile
- Bug 18848: Disable additional welcome URL shown on first start
- Bug 14970: Exempt our extensions from signing requirement
- Bug 16328: Disable MediaDevices.enumerateDevices
- Bug 16673: Disable HTTP Alternative-Services
- Bug 17167: Disable Mozilla's tracking protection
- Bug 18603: Disable performance-based WebGL fingerprinting option
- Bug 18738: Disable Selfsupport and Unified Telemetry
- Bug 18799: Disable Network Tickler
- Bug 18800: Remove DNS lookup in lockfile code
- Bug 18801: Disable dom.push preferences
- Bug 18802: Remove the JS-based Flash VM (Shumway)
- Bug 18863: Disable MozTCPSocket explicitly
- Bug 15640: Place Canvas MediaStream behind site permission
- Bug 16326: Verify cache isolation for Request and Fetch APIs
- Bug 18741: Fix OCSP and favicon isolation for ESR 45
- Bug 16998: Disable for now
- Bug 18898: Exempt the meek extension from the signing requirement as well
- Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
- Bug 18890: Test importScripts() for cache and network isolation
- Bug 18886: Hide pocket menu items when Pocket is disabled
- Bug 18703: Fix circuit isolation issues on Page Info dialog
- Bug 19115: Tor Browser should not fall back to Bing as its search engine
- Bug 18915+19065: Use our search plugins in localized builds
- Bug 19176: Zip our language packs deterministically
- Bug 18811: Fix first-party isolation for blobs URLs in Workers
- Bug 18950: Disable or audit Reader View
- Bug 18886: Remove Pocket
- Bug 18619: Tor Browser reports "InvalidStateError" in browser console
- Bug 18945: Disable monitoring the connected state of Tor Browser users
- Bug 18855: Don't show error after add-on directory clean-up
- Bug 18885: Disable the option of logging TLS/SSL key material
- Bug 18770: SVGs should not show up on Page Info dialog when disabled
- Bug 18958: Spoof screen.orientation values
- Bug 19047: Disable Heartbeat prompts
- Bug 18914: Use English-only label in
tags - Bug 18996: Investigate server logging in esr45-based Tor Browser
- Bug 17790: Add unit tests for keyboard fingerprinting defenses
- Bug 18995: Regression test to ensure CacheStorage is disabled
- Bug 18912: Add automated tests for updater cert pinning
- Bug 16728: Add test cases for favicon isolation
- Bug 18976: Remove some FTE bridges
- Windows
- Bug 13419: Support ICU in Windows builds
- Bug 16874: Fix broken https://sports.yahoo.com/dailyfantasy page
- Bug 18767: Context menu is broken on Windows in ESR 45 based Tor Browser
- OS X
- Bug 6540: Support OS X Gatekeeper
- Bug 13252: Tor Browser should not store data in the application bundle
- Bug 18951: HTTPS-E is missing after update
- Bug 18904: meek-http-helper profile not updated
- Bug 18928: Upgrade is not smooth (requires another restart)
- Build System
- All Platforms
- Bug 18127: Add LXC support for building with Debian guest VMs
- Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
- Bug 18919: Remove unused keys and unused dependencies
- Windows
- Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
- Bug 18290: Bump mingw-w64 commit we use
- OS X
- Bug 18331: Update toolchain for Firefox 45 ESR
- Bug 18690: Switch to Debian Wheezy guest VMs
- Linux
- Bug 18699: Stripping fails due to obsolete Browser/components directory
- Bug 18698: Include libgconf2-dev for our Linux builds
- Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)
Changes for v5.5.4 - v5.5.5
- All Platforms
- Update Firefox to 38.8.0esr
- Update Tor Launcher to 0.2.7.9
- Bug 10534: Don't advertise the help desk directly anymore
- Translation updates
- Update HTTPS-Everywhere to 5.1.6
- Update NoScript to 2.9.0.11
- Bug 18726: Add new default obfs4 bridge (GreenBelt)
Changes for v5.5.2 - v5.5.3
- All Platforms
- Update Firefox to 38.7.0esr
- Update OpenSSL to 1.0.1s
- Update NoScript to 2.9.0.4
- Update HTTPS Everywhere to 5.1.4
- Update Torbutton to 1.9.4.4
- Bug 16990: Don't mishandle multiline commands
- Bug 18144: about:tor update arrow position is wrong
- Bug 16725: Allow resizing with non-default homepage
- Translation updates
- Bug 18030: Isolate favicon requests on Page Info dialog
- Bug 18297: Use separate Noto JP,KR,SC,TC fonts
- Bug 18170: Make sure the homepage is shown after an update as well
- Windows
- Bug 18292: Disable staged updates on Windows
Changes for v5.5.1 - v5.5.2
- All Platforms
- Update Firefox to 38.6.1esr
- Update NoScript to 2.9.0.3
Changes for v5.5 - v5.5.1
- All Platforms
- Bug 18168: Don't clear an iframe's window.name (fix of #16620)
- Bug 18137: Add two new obfs4 default bridges
- Windows
- Bug 18169: Whitelist zh-CN UI font
- OS X
- Bug 18172: Add Emoji support
- Linux
Changes for v5.0.7 - v5.5
- All Platforms
- Update Firefox to 38.6.0esr
- Update libevent to 2.0.22-stable
- Update NoScript to 2.9.0.2
- Update Torbutton to 1.9.4.3
- Bug 16990: Show circuit display for connections using multi-party channels
- Bug 18019: Avoid empty prompt shown after non-en-US update
- Bug 18004: Remove Tor fundraising donation banner
- Bug 16940: After update, load local change notes
- Bug 17108: Polish about:tor appearance
- Bug 17568: Clean up tor-control-port.js
- Bug 16620: Move window.name handling into a Firefox patch
- Bug 17351: Code cleanup
- Translation updates
- Update Tor Launcher to 0.2.7.8
- Bug 18113: Randomly permutate available default bridges of chosen type
- Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
- Bug 10140: Add new Tor Browser locale (Japanese)
- Bug 17428: Remove Flashproxy
- Bug 13512: Load a static tab with change notes after an update
- Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
- Bug 15564: Isolate SharedWorkers by first-party domain
- Bug 16940: After update, load local change notes
- Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
- Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
- Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
- Bug 17369: Disable RC4 fallback
- Bug 17442: Remove custom updater certificate pinning
- Bug 16620: Move window.name handling into a Firefox patch
- Bug 17220: Support math symbols in font whitelist
- Bug 10599+17305: Include updater and build patches needed for hardened builds
- Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
- Bug 18072: Change recommended pluggable transport type to obfs4
- Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
- Bug 16322: Use onion address for DuckDuckGo search engine
- Bug 17917: Changelog after update is empty if JS is disabled
- Windows
- Bug 17250: Add localized font names to font whitelist
- Bug 16707: Allow more system fonts to get used on Windows
- Bug 13819: Ship expert bundles with console enabled
- Bug 17250: Fix broken Japanese fonts
- Bug 17870: Add intermediate certificate for authenticode signing
- OS X
- Bug 17122: Rename Japanese OS X bundle
- Bug 16707: Allow more system fonts to get used on OS X
- Bug 17661: Whitelist font .Helvetica Neue DeskInterface
Changes for v5.0.5 - v5.0.6
- All Platforms
- Bug 17877: Tor Browser 5.0.5 is using the wrong Mozilla build tag
- The changes made in 5.0.5 are the following:
- All Platforms
- Update Firefox to 38.5.0esr
- Update Tor to 0.2.7.6
- Update OpenSSL to 1.0.1q
- Update NoScript to 2.7
- Update HTTPS Everywhere to 5.1.1
- Update Torbutton to 1.9.3.7
- Bug 16990: Avoid matching '250 ' to the end of node name
- Bug 17565: Tor fundraising campaign donation banner
- Bug 17770: Fix alignments on donation banner
- Bug 17792: Include donation banner in some non en-US Tor Browsers
- Translation updates
- Bug 17207: Hide MIME types and plugins from websites
- Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
- Bug 16863: Avoid confusing error when loop.enabled is false
- Bug 17502: Add a preference for hiding "Open with" on download dialog
- Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
- Bug 17747: Add ndnop3 as new default obfs4 bridge
Changes for v5.0.4 - v5.0.5
- All Platforms
- Update Firefox to 38.5.0esr
- Update Tor to 0.2.7.6
- Update OpenSSL to 1.0.1q
- Update NoScript to 2.7
- Update HTTPS Everywhere to 5.1.1
- Update Torbutton to 1.9.3.7
- Bug 16990: Avoid matching '250 ' to the end of node name
- Bug 17565: Tor fundraising campaign donation banner
- Bug 17770: Fix alignments on donation banner
- Bug 17792: Include donation banner in some non en-US Tor Browsers
- Translation updates
- Bug 17207: Hide MIME types and plugins from websites
- Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
- Bug 16863: Avoid confusing error when loop.enabled is false
- Bug 17502: Add a preference for hiding "Open with" on download dialog
- Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
- Bug 16441: Suppress "Reset Tor Browser" prompt
- Bug 17747: Add ndnop3 as new default obfs4 bridge
Changes for v5.0.3 - v5.0.4
- All Platforms
- Update Firefox to 38.4.0esr
- Update NoScript to 2.6.9.39
- Update Torbutton to 1.9.3.5
- Bug 9623: Spoof Referer when leaving a .onion domain
- Bug 16735: about:tor should accommodate different fonts/font sizes
- Bug 16937: Don't translate the homepage/spellchecker dictionary string
- Bug 17164: Don't show text-select cursor on circuit display
- Bug 17351: Remove unused code
- Translation updates
- Bug 16937: Remove the en-US dictionary from non en-US Tor Browser bundles
- Bug 17318: Remove dead ScrambleSuit bridge
- Bug 17473: Update meek-amazon fingerprint
- Bug 16983: Isolate favicon requests caused by the tab list dropdown
- Bug 17102: Don't crash while opening a second Tor Browser
- Windows
- Bug 16906: Don't depend on Windows crypto DLLs
- Linux
- Bug 17329: Ensure that non-ASCII characters can be typed (fixup of #5926)
Changes for v5.0.2 - v5.0.3
- All Platforms
- Update Firefox to 38.3.0esr
- Update Torbutton to 1.9.3.4
- Bug 16887: Update intl.accept_languages value
- Bug 15493: Update circuit display on new circuit info
- Bug 16797: brandShorterName is missing from brand.properties
- Bug 14429: Make sure the automatic resizing is disabled
- Translation updates
- Bug 7446: Tor Browser should not "fix up" .onion domains (or any domains)
- Bug 16837: Disable Firefox Hotfix updates
- Bug 16855: Allow blobs to be downloaded on first-party pages (fixes mega.nz)
- Bug 16781: Allow saving pdf files in built-in pdf viewer
- Bug 16842: Restore Media tab on Page information dialog
- Bug 16727: Disable about:healthreport page
- Bug 16783: Normalize NoScript default whitelist
- Bug 16775: Fix preferences dialog with security slider set to "High"
- Bug 13579: Update download progress bar automatically
- Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent
- Bug 17046: Event.timeStamp should not reveal startup time
- Bug 16872: Fix warnings when opening about:downloads
- Bug 17097: Fix intermittent crashes when using the print dialog
- Windows
- Bug 16906: Fix Mingw-w64 compilation breakage
- OS X
- Bug 16910: Update copyright year in OS X bundles
Changes for v5.0.1 - v5.0.2
- All Platforms
- Update Firefox to 38.2.1esr
- Update NoScript to 2.6.9.36
- Linux
- Bug 16860: Avoid duplicate icons on Unity and Gnome
Changes for v5.0 - v5.0.1
- This release fixes a crash bug that caused Tor Browser to crash on certain sites (in particular, Google Maps and Tumblr). The crash bug was a NULL pointer dereference while handling blob URIs. The crash was not exploitable.
Changes for v4.5.3 - v5.0
- All Platforms
- Update Firefox to 38.2.0esr
- Update OpenSSL to 1.0.1p
- Update HTTPS-Everywhere to 5.0.7
- Update NoScript to 2.6.9.34
- Update meek to 0.20
- Update Tor to 0.2.6.10 with patches:
- Bug 16674: Allow FQDNs ending with a single '.' in our SOCKS host name checks.
- Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
- Bug 15482: Don't allow circuits to change while a site is in use
- Update Torbutton to 1.9.3.2
- Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
- Bug 16730: Reset NoScript whitelist on upgrade
- Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
- Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
- Bug 16268: Show Tor Browser logo on About page
- Bug 16639: Check for Updates menu item can cause update download failure
- Bug 15781: Remove the sessionstore filter
- Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
- Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1)
- Bug 16200: Update Cache API usage and prefs for FF38
- Bug 16357: Use Mozilla API to wipe permissions db
- Bug 14429: Make sure the automatic resizing is disabled
- Translation updates
- Update Tor Launcher to 0.2.7.7
- Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1)
- Bug 15145: Visually distinguish "proxy" and "bridge" screens.
- Translation updates
- Bug 16730: Prevent NoScript from updating the default whitelist
- Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
- Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
- Bug 16884: Prefer IPv6 when supported by the current Tor exit
- Bug 16488: Remove "Sign in to Sync" from the browser menu
- Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
- Bug 15703: Isolate mediasource URIs and media streams to first party
- Bug 16429+16416: Isolate blob URIs to first party
- Bug 16632: Turn on the background updater and restart prompting
- Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhere
- Bug 16523: Fix in-browser JavaScript debugger
- Bug 16236: Windows updater: avoid writing to the registry
- Bug 16625: Fully disable network connection prediction
- Bug 16495: Fix SVG crash when security level is set to "High"
- Bug 13247: Fix meek profile error after bowser restarts
- Bug 16005: Relax WebGL minimal mode
- Bug 16300: Isolate Broadcast Channels to first party
- Bug 16439: Remove Roku screencasting code
- Bug 16285: Disabling EME bits
- Bug 16206: Enforce certificate pinning
- Bug 15910: Disable Gecko Media Plugins for now
- Bug 13670: Isolate OCSP requests by first party domain
- Bug 16448: Isolate favicon requests by first party
- Bug 7561: Disable FTP request caching
- Bug 6503: Fix single-word URL bar searching
- Bug 15526: ES6 page crashes Tor Browser
- Bug 16254: Disable GeoIP-based search results.
- Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
- Bug 13024: Disable DOM Resource Timing API
- Bug 16340: Disable User Timing API
- Bug 14952: Disable HTTP/2
- Bug 1517: Reduce precision of time for Javascript
- Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
- Bug 16311: Fix navigation timing in ESR 38
- Windows
- Bug 16014: Staged update fails if meek is enabled
- Bug 16269: repeated add-on compatibility check after update (meek enabled)
- Mac OS
- Use OSX 10.7 SDK
- Bug 16253: Tor Browser menu on OS X is broken with ESR 38
- Bug 15773: Enable ICU on OS X
- Build System
- Bug 16351: Upgrade our toolchain to use GCC 5.1
- Bug 15772 and child tickets: Update build system for Firefox 38
- Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
- Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt
Changes for v5.0a3 - v5.0a4
- All Platforms
- Update Tor to 0.2.7.2-alpha with patches
- Bug 15482: Don't allow circuits to change while a site is in use
- Update OpenSSL to 1.0.1p
- Update HTTPS-Everywhere to 5.0.7
- Update NoScript to 2.6.9.31
- Update Torbutton to 1.9.3.1
- Bug 16268: Show Tor Browser logo on About page
- Bug 16639: Check for Updates menu item can cause update download failure
- Bug 15781: Remove the sessionstore filter
- Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
- Translation updates
- Bug 16884: Prefer IPv6 when supported by the current Tor exit
- Bug 16488: Remove "Sign in to Sync" from the browser menu
- Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
- Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
- Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
- Bug 15703: Isolate mediasource URIs and media streams to first party
- Bug 16429+16416: Isolate blob URIs to first party
- Bug 16632: Turn on the background updater and restart prompting
- Bug 16528: Prevent IndexedDB Modernizr site breakage on Twitter and elsewhere
- Bug 16523: Fix in-browser JavaScript debugger
- Bug 16236: Windows updater: avoid writing to the registry
- Bug 16005: Restrict WebGL minimal mode a bit (fixup)
- Bug 16625: Fully disable network connection prediction
- Bug 16495: Fix SVG crash when security level is set to "High"
- Build System
- Bug 15864: Rename sha256sums.txt to sha256sums-unsigned-build.txt
Changes for v4.5.2 - v4.5.3
- All Platforms
- Update Firefox to 31.8.0esr
- Update OpenSSL to 1.0.1o
- Update NoScript to 2.6.9.27
- Update Torbutton to 1.9.2.8
- Bug 16403: Set search parameters for Disconnect
- Bug 14429: Make sure the automatic resizing is disabled
- Translation updates
- Bug 16397: Fix crash related to disabling SVG
- Bug 16403: Set search parameters for Disconnect
- Bug 16446: Update FTE bridge #1 fingerprint
- Bug 16430: Allow DNS names with _ characters in them (fixes
- nytimes.com) (Tor patch backport)
Changes for v4.5.1 - v4.5.2
- All Platforms
- Update Tor to 0.2.6.9
- Update OpenSSL to 1.0.1n
- Update HTTPS-Everywhere to 5.0.5
- Update NoScript to 2.6.9.26
- Update Torbutton to 1.9.2.6
- Bug 15984: Disabling Torbutton breaks the Add-ons Manager
- Bug 14429: Make sure the automatic resizing is disabled
- Translation updates
- Bug 16130: Defend against logjam attack
- Bug 15984: Disabling Torbutton breaks the Add-ons Manager
Changes for v4.5 - v4.5.1
- All Platforms
- Update Firefox to 31.7.0esr
- Update meek to 0.18
- Update Tor Launcher to 0.2.7.5
- Translation updates only
- Update Torbutton to 1.9.2.3
- Bug 15837: Show descriptions if unchecking custom mode
- Bug 15927: Force update of the NoScript UI when changing security level
- Bug 15915: Hide circuit display if it is disabled.
- Translation updates
- Bug 15945: Disable NoScript's ClearClick protection for now
- Bug 15933: Isolate by base (top-level) domain name instead of FQDN
- Bug 15857: Fix file descriptor leak in updater that caused update failures
- Bug 15899: Fix errors with downloading and displaying PDFs
- Windows
- Bug 15872: Fix meek pluggable transport startup issue with Windows 7
- Build System
- Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
- Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
Changes for v4.0.8 - v4.5
- All Platforms
- Update Tor to 0.2.6.7 with additional patches:
- Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used
- Update NoScript to 2.6.9.22
- Update HTTPS-Everywhere to 5.0.3
- Bug 15689: Resume building HTTPS-Everywhere from git tags
- Update meek to 0.17
- Include obfs4proxy 0.0.5
- Use obfs4proxy for obfs2, obfs3, obfs4, and ScrambleSuit bridges
- Pluggable Transport Dependency Updates:
- Bug 15265: Switch go.net repo to golang.org/x/net
- Bug 15448: Use golang 1.4.2 for meek and obs4proxy
- Update Tor Launcher to 0.2.7.4. Changes since 0.2.7.0.2 in 4.0.8:
- Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
- Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
- Bug 13576: Don't strip "bridge" from the middle of bridge lines
- Bug 13983: Directory search path fix for Tor Messanger+TorBirdy
- Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set
- Bug 14336: Fix navigation button display issues on some wizard panes
- Bug 15657: Display the host:port of any connection faiures in bootstrap
- Bug 15704: Do not enable network if wizard is opened
- Update Torbutton to 1.9.2.2. Changes since 1.7.0.2 in 4.0.8:
- Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
- Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
- Bug 7255: Warn users about maximizing windows
- Bug 8400: Prompt for restart if disk records are enabled/disabled.
- Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
- (Many Circuit UI issues were fixed during 4.5; see release changelogs for those).
- Bug 9387: Security Slider 1.0
- Include descriptions and tooltip hints for security levels
- Notify users that the security slider exists
- Make use of new SVG, jar, and MathML prefs
- Bug 9442: Add New Circuit button to Torbutton menu
- Bug 9906: Warn users before closing all windows and performing new identity.
- Bug 10216: Add a pref to disable the local tor control port test
- Bug 10280: Strings and pref for preventing plugin initialization.
- Bug 11175: Remove "About Torbutton" from onion menu.
- Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
- Bug 11449: Fix new identity error if NoScript is not enabled
- Bug 13019: Change locale spoofing pref to boolean
- Bug 13079: Option to skip control port verification
- Bug 13406: Stop directing users to download-easy.html.en on update
- Bug 13650: Clip initial window height to 1000px
- Bugs 13751+13900: Remove SafeCache cache isolation code in favor of C++ patch
- Bug 13766: Set a 10 minute circuit lifespan for non-content requests
- Bug 13835: Option to change default Tor Browser homepage
- Bug 13998: Handle changes in NoScript 2.6.9.8+
- Bug 14100: Option to hide NetworkSettings menuitem
- Bug 14392: Don't steal input focus in about:tor search box
- Bug 14429: Provide automatic window resizing, but disable for now
- Bug 14448: Restore Torbutton menu operation on non-English localizations
- Bug 14490: Use Disconnect search in about:tor search box
- Bug 14630: Hide Torbutton's proxy settings tab.
- Bug 14631: Improve profile access error msgs (strings for translation).
- Bugs 14632+15334: Display Cookie Protections only if disk records are enabled
- Bug 15085: Fix about:tor RTL text alignment problems
- Bug 15460: Ensure FTP urls use content-window circuit isolation
- Bug 15502: Wipe blob: URIs on New Identity
- Bug 15533: Restore default security level when restoring defaults
- Bug 15562: Bind SharedWorkers to thirdparty pref
- Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
- Bug 4100: Raise HTTP Keep-Alive back to 115 second default
- Bug 5698: Fix branding in "About Torbrowser" window
- Bug 10280: Don't load any plugins into the address space by default
- Bug 11236: Fix omnibox order for non-English builds
- Also remove Amazon, eBay and bing; add Youtube and Twitter
- Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
- Bug 12430: Provide a preference to disable remote jar: urls
- Bugs 12827+15794: Create preference to disable SVG images (for security slider)
- Bug 13019: Prevent Javascript from leaking system locale
- Bug 13379: Sign our MAR update files
- Bug 13439: No canvas prompt for content callers
- Bug 13548: Create preference to disable MathML (for security slider)
- Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
- Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
- Bug 13788: Fix broken meek in 4.5-alpha series
- Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
- Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
- Bug 14392: Make about:tor hide itself from the URL bar
- Bug 14490: Make Disconnect the default omnibox search engine
- Bug 14631: Improve startup error messages for filesystem permissions issues
- Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display
- Bug 14937: Hard-code meek and flashproxy node fingerprints
- Bug 15029: Don't prompt to include missing plugins
- Bug 15406: Only include addons in incremental updates if they actually update
- Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism
- Bug 15502: Isolate blob: URI scope to URL domain; block WebWorker access
- Bug 15562: Disable Javascript SharedWorkers due to third party tracking
- Bug 15757: Disable Mozilla video statistics API extensions
- Bug 15758: Disable Device Sensor APIs
- Linux
- Bug 12468: Only print/write log messages if launched with --debug
- Bug 13375: Create a hybrid GUI/desktop/shell launcher wrapper
- Bug 13717: Make sure we use the bash shell on Linux
- Bug 15672: Provide desktop app registration+unregistration for Linux
- Bug 15747: Improve start-tor-browser argument handling
- Windows
- Bug 3861: Begin signing Tor Browser for Windows the Windows way
- Bug 10761: Fix instances of shutdown crashes
- Bug 13169: Don't use /dev/random on Windows for SSP
- Bug 14688: Create shortcuts to desktop and start menu by default (optional)
- Bug 15201: Disable 'runas Administrator' codepaths in updater
- Bug 15539: Make installer exe signatures reproducibly removable
- Mac
- Bug 10138: Switch to 64bit builds for MacOS
- Here is the list of changes since the last 4.5 alpha (4.5a5):
- All Platforms
- Update Tor to 0.2.6.7 with additional patches:
- Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used
- Update NoScript to 2.6.9.22
- Update HTTPS-Everywhere to 5.0.3
- Bug 15689: Resume building HTTPS-Everywhere from git tags
- Update meek to 0.17
- Update obfs4proxy to 0.0.5
- Update Tor Launcher to 0.2.7.4
- Bug 15704: Do not enable network if wizard is opened
- Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
- Bug 13576: Don't strip "bridge" from the middle of bridge lines
- Bug 15657: Display the host:port of any connection faiures in bootstrap
- Update Torbutton to 1.9.2.2
- Bug 15562: Bind SharedWorkers to thirdparty pref
- Bug 15533: Restore default security level when restoring defaults
- Bug 15510: Close Tor Circuit UI control port connections on New Identity
- Bug 15472: Make node text black in circuit status UI
- Bug 15502: Wipe blob URIs on New Identity
- Bug 15795: Some security slider prefs do not trigger custom checkbox
- Bug 14429: Disable automatic window resizing for now
- Bug 4100: Raise HTTP Keep-Alive back to 115 second default
- Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
- Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism
- Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display
- Bug 15502: Isolate blob URI scope to URL domain; block WebWorker access
- Bug 15794: Crash on some pages with SVG images if SVG is disabled
- Bug 15562: Disable Javascript SharedWorkers due to third party tracking
- Bug 15757: Disable Mozilla video statistics API extensions
- Bug 15758: Disable Device Sensor APIs
- Linux
- Bug 15747: Improve start-tor-browser argument handling
- Bug 15672: Provide desktop app registration+unregistration for Linux
- Windows
- Bug 15539: Make installer exe signatures reproducibly removable
- Bug 10761: Fix instances of shutdown crashes
Changes for v4.5-alpha-2 - v4.5-alpha-3
- All Platforms
- Update Firefox to 31.4.0esr
- Update Tor to 0.2.6.2-alpha
- Update NoScript to 2.6.9.10
- Update HTTPS Everywhere to 5.0developement.2
- Update meek to 0.15
- Update Torbutton to 1.8.1.3
- Bug 13998: Handle changes in NoScript 2.6.9.8+
- Bug 14100: Option to hide NetworkSettings menuitem
- Bug 13079: Option to skip control port verification
- Bug 13835: Option to change default Tor Browser homepage
- Bug 11449: Fix new identity error if NoScript is not enabled
- Bug 13881: Localize strings for tor circuit display
- Bug 9387: Incorporate user feedback
- Bug 13671: Fixup for circuit display if bridges are used
- Translation updates
- Update Tor Launcher 0.2.7.1
- Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set
- Translation updates
- Bug 13379: Sign our MAR files
- Bug 13788: Fix broken meek in 4.5-alpha series
- Bug 13439: No canvas prompt for content callers
Changes for v4.5-alpha-1 - v4.5-alpha-2
- All Platforms
- Update Firefox to 31.3.0esr
- Update NoScript to 2.6.9.5
- Update HTTPS Everywhere to 5.0developement.1
- Update Torbutton to 1.8.1.2
- Bug 13672: Make circuit display optional
- Bug 13671: Make bridges visible on circuit display
- Bug 9387: Incorporate user feedback
- Bug 13784: Remove third party authentication tokens
- Bug 13435: Remove our custom POODLE fix (fixed by Mozilla in 31.3.0esr)
Changes for v4.0.1 - v4.5-alpha-1
- All Platforms
- Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
- Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
- Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
- Bug 13019: Make JS engine use English locale if a pref is set by Torbutton
- Bug 13301: Prevent extensions incompatibility error after upgrades
- Bug 13460: Fix MSVC compilation issue
- Bug 13504: Remove stale bridges from default bridge set
- Bug 13742: Fix domain isolation for content cache and disk-enabled browsing mode
- Update Tor to 0.2.6.1-alpha
- Update NoScript to 2.6.9.3
- Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
- Bug 12903: Include obfs4proxy pluggable transport
- Update Torbutton to 1.8.1.1
- Bug 9387: Provide a "Security Slider" for vulnerability surface reduction
- Bug 13019: Synchronize locale spoofing pref with our Firefox patch
- Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
- Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
- Bug 13651: Prevent circuit-status related UI hang.
- Bug 13666: Various circuit status UI fixes
- Bug 13742+13751: Remove cache isolation code in favor of direct C++ patch
- Bug 13746: Properly update third party isolation pref if disabled from UI
- Windows
- Bug 13443: Re-enable DirectShow; fix crash with mingw patch.
- Bug 13558: Fix crash on Windows XP during download folder changing
- Bug 13091: Make app name "Tor Browser" instead of "Tor"
- Bug 13594: Fix update failure for Windows XP users
- Mac
- Bug 10138: Switch to 64bit builds for MacOS
Changes for v2.3.25-13 - v2.3.25-14
- Update Firefox to 17.0.10esr
- https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...
- Update LibPNG to 1.6.6
- Update NoScript to 2.6.8.4
- Update HTTPS-Everywhere to 3.4.2
- Firefox patch changes:
- Hide infobar for missing plugins. (closes: #9012)
- Change the default entry page for the addons tab to the installed addons page. (closes: #8364)
- Make flash objects really be click-to-play if flash is enabled. (closes: #9867)
- Make getFirstPartyURI log+handle errors internally to simplify caller usage of the API. (closes: #3661)
- Remove polipo and privoxy from the banned ports list. (closes: #3661)
- misc: Fix a potential memory leak in the Image Cache isolation
- misc: Fix a potential crash if OS theme information is ever absent
Changes for v2.3.25-12 - v2.3.25-13
- Update Firefox to 17.0.9esr
- https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...
- Update HTTPS Everywhere to 3.4.1
- Update NoScript to 2.6.7.1
- Remove extraneous libevent libraries (closes: #9727)
- Enable GCC hardening for Tor
- Firefox patch changes:
- ◦- Disable filtered results in Startpage omnibox (closes: #8839)
Changes for v2.3.25-8 - v2.3.25-10
- Update Firefox to 17.0.7esr
- Update zlib to 1.2.8
- Update HTTPS Everywhere to 3.2.2
- Update NoScript to 2.6.6.6
Changes for v2.3.25-6 - v2.3.25-8
- Update Firefox to 17.0.6esr
- Update HTTPS Everywhere to 3.2
- Update Torbutton to 1.5.2
- Update libpng to 1.5.15
- Update NoScript to 2.6.6.1
- Firefox patch changes:
- Apply font limits to @font-face local() fonts and disable fallback
- rendering for @font-face. (closes: #8455)
- Use Optimistic Data SOCKS handshake (improves page load performance).
- (closes: #3875)
- Honor the Windows theme for inverse text colors (without leaking those
- colors to content). (closes: #7920)
- Increase pipeline randomization and try harder to batch pipelined
- requests together. (closes: #8470)
- Fix an image cache isolation domain key misusage. May fix several image
- cache related crash bugs with New Identity, exit, and certain websites.
- (closes: #8628)
- Torbutton changes:
- Allow session restore if the user allows disk actvity (closes: #8457)
- Remove the Display Settings panel and associated locales (closes: #8301)
- Fix "Transparent Torification" option. (closes: #6566)
- Fix a hang on New Identity. (closes: #8642)
- Build changes:
- Fetch our source deps from an https mirror (closes: #8286)
- Create watch scripts for syncing mirror sources and monitoring mirror
- integrity (closes: #8338)
Changes for v2.3.25-4 - v2.3.25-5
- Update Firefox to 17.0.4esr
- Update NoScript to 2.6.5.8
- Update HTTPS Everywhere to 3.1.4
- Fix non-English language bundles to have the correct branding
- Firefox patch changes:
- Remove "This plugin is disabled" barrier
- This improves the user experience for HTML5 Youtube videos:
- They "silently" attempt to load flash first, which was not so silent
- with this barrier in place.
- Disable NoScript's HTML5 media click-to-play barrier
- Fix a New Identity hang and/or crash condition
- Fix crash with Drag + Drop on Windows
- Torbutton changes:
- Fix Drag+Drop crash by using a new TBB drag observer
- Fix XML/E4X errors with Cookie Protections
- Don't clear cookies at shutdown if user wants disk history
- Leave IndexedDB and Offline Storage disabled.
- Clear DOM localStorage on New Identity.
- Don't strip "third party" HTTP auth from favicons
- Localize the "Spoof english" button strings
- Ask user for confirmation before enabling plugins
- Emit private browsing session clearing event on "New Identity"
Changes for v2.3.25-2 - v2.3.25-4
- Update Firefox to 17.0.3esr
- Downgrade OpenSSL to 1.0.0k
- Update libpng to 1.5.14
- Update NoScript to 2.6.5.7
- Firefox patch changes:
- Exempt remote @font-face fonts from font limits (and prefer them).
- (closes: #8270)
- Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
- they should not count towards our CSS font count limits. Moreover,
- if a CSS font-family rule lists any remote fonts, those fonts are
- preferred over the local fonts, so we do not reduce the font count
- for that rule.
- This vastly improves rendering and typography for many websites.
- Disable WebRTC in Firefox build options. (closes: #8178)
- WebRTC isn't slated to be enabled until Firefox 18, but the code
- was getting compiled in already and is capable of creating UDP Sockets
- and bypassing Tor. We disable it from build as a safety measure.
- Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
- This causes our browser pref changes to appear as defaults. It also
- means that future updates of TBB should preserve user pref settings.
- Fix a use-after-free that caused crashing on MacOS (closes: #8234)
- Eliminate several redundant, useless, and deprecated Firefox pref settings
- Report Firefox 17.0 as the Tor Browser user agent
- Use Firefox's click-to-play barrier for plugins instead of NoScript
- Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
- This fixes a SOCKS race condition with our SOCKS autoport configuration
- and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
- settings per URL now, which resulted in a proxy error for
- check.torproject.org if we lost the race.
- Torbutton was updated to 1.5.0. The following issues were fixed:
- Remove old toggle observers and related code (closes: #5279)
- Simplify Security Preference UI and associated pref updates (closes: #3100)
- Eliminate redundancy in our Flash/plugin disabling code (closes: #7470)
- Leave most preferences under Tor Browser's control (closes: #3944)
- Disable toggle-on-startup and crash detection logic (closes: #7974)
- Disable/remove toggle-mode code and related observers (closes: #5379)
- Add menu hint to Torbutton icon (closes: #6431)
- Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
- Perform version check every time there's a new tab. (closes: #6096)
- Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
- misc: Allow WebGL and DOM storage.
- misc: Disable independent Torbutton updates
- misc: Change the recommended SOCKSPort to 9150 (to match TBB)
- The following Firefox patch changes are also included in this release:
- Isolate image cache to url bar domain (closes: #5742 and #6539)
- Enable DOM storage and isolate it to url bar domain (closes: #6564)
- Include nsIHttpChannel.redirectTo API for HTTPS-Everywhere (closes: #5477)
- Misc preference changes:
- Disable DOM performance timers (dom.enable_performance) (closes: #6204)
- Disable HTTP connection retry timeout (network.http.connection-retry-timeout) (closes: #7656)
- Disable full path information for plugins (plugin.expose_full_path) (closes: #6210)
- Disable NoScript's block of remote WebFonts (noscript.forbidFonts) (closes: #7937)
Changes for v2.3.25-1 - v2.3.25-2
- Update Firefox to 10.0.12esr
- Update Libevent to 2.0.21-stable
- Update HTTPS Everywhere to 3.1.2
- Update NoScript to 2.6.4.2
Changes for v2.2.39-5 - v2.3.25-1
- Update Tor to 0.2.3.25
- Update Firefox 10.0.11esr
- Update Vidalia to 0.2.21
- Update NoScript to 2.6.2
Changes for v2.2.39-4 - v2.2.39-5
- Update Firefox to 10.0.10esr
- Update NoScript to 2.5.9
Changes for v2.2.39-3 - v2.2.39-4
- Update Firefox patches to prevent crashing (closes: #7128)
- Update HTTPS Everywhere to 3.0.2
- Update NoScript to 2.5.8
Changes for v2.2.39-1 - v2.2.39-3
- Update Firefox to 10.0.9esr
- Update Torbutton to 1.4.6.3
- Update NoScript to 2.5.7
- Update HTTPS Everywhere to 2.2.2
- Update libpng to 1.5.13
Changes for v2.2.38-2 - v2.2.39-1
- Update Tor to 0.2.2.39
- Update NoScript to 2.5.4
Changes for v2.2.38-1 - v2.2.38-2
- Update Firefox to 10.0.7esr
- Update Libevent to 2.0.20-stable
- Update NoScript to 2.5.2
- Update HTTPS Everywhere to 2.2.1
Changes for v2.2.37-2 - v2.2.38-1
- Update Tor to 0.2.2.38
- Update NoScript to 2.5
- Update HTTPS Everywhere to 2.1
Changes for v2.2.37-2 - v2.3.20 alpha 1
- Update Tor to 0.2.3.20-rc
- Update NoScript to 2.5
- Change the urlbar search engine to Startpage
- Firefox patch updates:
- Fix the Tor Browser SIGFPE crash bug
- Add a redirect API for HTTPS-Everywhere
- Enable WebGL (as click-to-play only)
Changes for v2.2.35-11 - v2.2.35-12
- Update OpenSSL to 1.0.1c
- Update Libevent to 2.0.19-stable
- Update zlib to 1.2.7
- Update NoScript to 2.4.1
Changes for v2.2.35-10 - v2.2.35-11
- Security release to stop TorBrowser from bypassing SOCKS proxy DNS configuration
- New Firefox patches:
- Prevent WebSocket DNS leak (closes: #5741)
- Fix a race condition that could be used to link browsing sessions together when using new identity from Tor Browser (closes: #5715)
- Remove extraneous BetterPrivacy settings from prefs.js (closes: #5722)
- Fix the mozconfig options for OS X so that it really builds everything with clang instead of llvm-gcc
Changes for v2.3.25-2 - v2.3.25-3
- Update OpenSSL to 1.0.1d
- Update HTTPS Everywhere to 3.1.3
- Update NoScript to 2.6.4.4