New Release: Tor Browser 8.5a11

Tor Browser 8.5a11 is now available from the Tor Browser Alpha download page and also from our distribution directory.
Note: this is an alpha release: an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.
This new alpha release includes some bug fixes and improvements. Among other things, on the desktop side we improved the browser toolbar layout, replaced the security slider with a toolbar icon and added mechanisms to introduce new features to users. We also improved the screen reader accessibility on Windows and added the es-AR locale.
On the Android side, we started using the Tor Onion Proxy Library.
The full changelog since Tor Browser 8.5a10 is:
- All platforms
- Update Torbutton to 2.1.6
- Bug 22538+22513: Fix new circuit button for error pages
- Bug 29825: Intelligently add new Security Level button to taskbar
- Bug 29903: No WebGL click-to-play on the standard security level
- Bug 27484: Improve navigation within onboarding (strings)
- Bug 29768: Introduce new features to users (strings)
- Bug 29943: Use locales in AB-CD scheme to match Mozilla
- Bug 26498: Add locale: es-AR
- Bug 29973: Remove remaining stopOpenSecuritySettingsObserver() pieces
- Translations update
- Update NoScript to 10.6.1
- Bug 29872: XSS popup with DuckDuckGo search on about:tor
- Bug 29916: Make sure enterprise policies are disabled
- Bug 26498: Add locale: es-AR
- Update Torbutton to 2.1.6
- Windows + OS X + Linux
- Windows
- Bug 27503: Improve screen reader accessibility
- Android
- Bug 27609 (and child bugs): Use Tor Onion Proxy Library
- Bug 29312: Bump Tor to 0.3.5.8
- Bug 29859: Disable HLS support for now
- Bug 28622: Update Tor Browser icon for mobile
- Bug 29238: Prevent crash on Android after update
- Bug 29982: Add additional safe guards against crashes during bootstrap
- Bug 29906: Fix crash on older devices due to missing API
- Bug 29858: Load onboarding panels after bootstrapping is done
- Bug 28329: Improve bootstrapping experience
- Bug 30016: Localize bootstrap-/bridge-related strings for mobile
- Build System
> during a search …
> during a search "DuckDuckGo Onion" [3g2upl4pq6kufc4m.onion] connects to its clearnet version duckduckgo.com (to load the search result document icons, etc.).
Can someone verify this behavior, please?
I don't have Wireshark…
I don't have Wireshark. There is at least one connection when the security slider is on Safer. On the search results page, a complete version of the following tag is in a sidebar module that shows a summary of Wikipedia's page about the search term:
[geshifilter-code]<img class="module--about__img" source="https://duckduckgo.com/...">[/geshifilter-code]
Procedure:
1. Open the page. Right-click on the page -> Inspect Element -> Network tab. Refresh the page. Click the header of the Domain column to sort it. Look for duckduckgo.com.
2. Right-click on the page -> View Page Info -> Media tab. Click the header of the Address column to sort it. Look for duckduckgo.com.
3. Back in Developer Tools, change from the Network tab to the Inspector tab. In the search box of the Inspector tab, search for substrings of the addresses you found. Ignore "a" tags because prefetching is disabled in TBB's default about:config.
There's more. Single words…
There's more. Single words sometimes display a horizontal bar of tiles above the results. The bar is in this tag:
<div id="zero_click_wrapper" class="zci-wrap">
Images in the bar are in tags that look like this:
<img class="tile__icon js-lazyload" src="<a href="https://duckduckgo.com/i/....jpg"" rel="nofollow">https://duckduckgo.com/i/....jpg"</a>; data-src="<a href="https://duckduckgo.com/i/....jpg">" rel="nofollow">https://duckduckgo.com/i/....jpg"></a>;
Please report this issue in…
Please report this issue in a bug report here https://trac.torproject.org/projects/tor/newticket
You need to make an account to post bug reports.
This is a problem in…
This is a problem in DuckDuckGo, not in Tor Project software.
Thanks for the great work! …
Thanks for the great work!
Anonymity protection feature request:
Like with a mixed HTTPS+HTTP content, consider warning the TB user when an Onion site opens a "clearnet" connection in background (onion+clearnet mix).
Example: during a search "DuckDuckGo Onion" [3g2upl4pq6kufc4m.onion] connects to its clearnet version duckduckgo.com (to load the search result document icons, etc.).
(DDG Onion: one might as well just use the clearnet DDG site... What info is transmitted outside of Tor? Possibly a traffic correlation risk for the Tor users?)