New Release: Tor Browser 9.0a6

Update 6/9 0600UTC: Added another known issue.

Tor Browser 9.0a6 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates to Firefox.

This is the first alpha release based on Firefox ESR68, and therefore contains several important changes such as the rebasing of our Firefox patches, toolchain updates, integration of Torbutton directly into the browser and updates to Tor Launcher to make it compatible with ESR68.

If you find any issue with this release, please help us by reporting them so we can fix as much as we can before the first stable release based on ESR68, which is planned for October 22.

Known issues:

  • Tor Browser 9.0a6 is not reproducible on some platforms right now: We have issues on 32bit Linux, Windows, and Android. Those are planned to be fixed in the next alpha release, though, to give the usual guarantees reproducible builds aim to provide.
  • New Identity and the bridge configuration in the browser are not easily accessible anymore as we removed the onion button. We are currently working on a replacement for both: New Identity will be exposed directly in the toolbar and the bridge configuration gets integrated in the Firefox settings. For New Identity please use the shortcut (Ctrl+Shift+U) for now or the item in the hamburger menu.
  • We already have a number of known tickets we need to work on in the coming weeks. The most important ones are tagged with the tbb-9.0-must-alpha keyword. Moreover, we have accumulated Firefox 68 ESR related issues over the time that can easily be queried with our ff68-esr keyword.

The full changelog since Tor Browser 9.0a5 is:

  • All platforms
    • Update Firefox to 68.1.0esr
    • Update NoScript to 11.0.3
      • Bug 26847: NoScript pops up a full-site window for XSS warning
      • Bug 31287: NoScript leaks browser locale
    • Bug 30429: Rebase patches for Firefox 68 ESR
    • Bug 10760: Integrate Torbutton into Tor Browser directly
    • Bug 25856: Remove XUL overlays from Torbutton
    • Bug 31322: Fix about:tor assertion failure debug builds
    • Bug 31520: Remove monthly giving banner from Tor Browser
    • Bug 29430: Add support for meek_lite bridges to bridgeParser
    • Bug 28561: Migrate "About Tor Browser" dialog to tor-browser
    • Bug 30683: Prevent detection of locale via some *.properties
    • Bug 31298: Backport patch for #24056
    • Bug 9336: Odd wyswig schemes without isolation for browserspy.dk
    • Bug 27601: Browser notifications are not working anymore
    • Bug 30845: Make sure internal extensions are enabled
    • Bug 28896: Enable extensions in private browsing by default
    • Bug 31563: Reload search extensions if extensions.enabledScopes has changed
    • Bug 31396: Fix communication with NoScript for security settings
    • Bug 31142: Fix crash of tab and messing with about:newtab
    • Bug 29049: Backport JS Poison Patch
    • Bug 25214: Canvas data extraction on locale pdf file should be allowed
    • Bug 30657: Locale is leaked via title of link tag on non-html page
    • Bug 31015: Disabling SVG hides UI icons in extensions
    • Bug 31357: Retire Tom's default obfs4 bridge
  • Windows + OS X + Linux
    • Update Tor to 0.4.1.5
    • Update Tor Launcher to 0.2.19.3
      • Bug 29197: Remove use of overlays
      • Bug 31300: Modify Tor Launcher so it is compatible with ESR68
      • Bug 31487: Modify moat client code so it is compatible with ESR68
      • Bug 31488: Moat: support a comma-separated list of transports
      • Translations update
    • Bug 29430: Use obfs4proxy's meek_lite with utls instead of meek
    • Bug 31251: Security Level button UI polish
    • Bug 31344: Register SecurityLevelPreference's 'unload' callback
    • Bug 12774: Selecting meek in the browser UI is broken
    • Build System:
  • Windows
    • Bug 31547: Back out patch for Mozilla's bug 1574980
    • Bug 31141: Fix typo in font.system.whitelist
    • Backport fix for bug 1572844 to fix broken build
  • OS X
  • Linux
    • Bug 31403: Bump snowflake commit to cd650fa009
  • Android
    • Bug 31010: Rebase mobile patches for Fennec 68
    • Bug 31010: Don't use addTrustedTab() on mobile
  • Build System:
    • All Platforms:
      • Bug 30585: Provide standalone clang 8 project across all platforms
      • Bug 30376: Use Rust 1.34 for Tor Browser 9
      • Bug 30490: Add cbindgen project for building Firefox 68 ESR/Fennec 68
      • Bug 30701: Add nodejs project for building Firefox 68 ESR/Fennec 68
      • Bug 30734: Add nasm project for building Firefox 68 ESR/Fennec 68
    • Windows
      • Bug 30322: Windows toolchain update for Firefox 68 ESR
        • Bug 28716: Create mingw-w64-clang toolchain
        • Bug 28238: Adapt firefox and fxc2 projects for Windows builds
        • Bug 28716: Optionally omit timestamp in PE header
        • Bug 31567: NS_tsnprintf() does not handle %s correctly on Windows
        • Bug 31458: Revert patch for #27503 and bump mingw-w64 revision used
      • Bug 9898: Provide clean fix for strcmpi issue in NSPR
    • OS X
      • Bug 30323: MacOS toolchain update for Firefox 68 ESR
      • Bug 31467: Switch to clang for cctools project
      • Bug 31465: Adapt tor-browser-build projects for macOS notarization
    • Linux
      • Bug 30321: Linux toolchain update for Firefox ESR 68
        • Bug 30736: Install yasm from wheezy-backports
        • Bug 31447: Don't install Python just for Mach
      • Bug 31394: Replace "-1" with "−1" in start-tor-browser.desktop.
    • Android
      • Bug 30324: Android toolchain update for Fennec 68
        • Bug 31173: Update android-toolchain project to match Firefox
        • Bug 31389: Update Android Firefox to build with Clang
        • Bug 31388: Update Rust project for Android
        • Bug 30665: Get Firefox 68 ESR working with latest android toolchain
        • Bug 30460: Update TOPL project to use Firefox 68 toolchain
        • Bug 30461: Update tor-android-service project to use Firefox 68 toolchain
      • Bug 28753: Use Gradle with --offline when building the browser part

It's not triggered, since it's not one that can be denied. It's listed as a new permission in the "other" group when viewing the permissions on the play store page. The name may vary by device but for me it's "change your audio settings."

Anonymous

September 09, 2019

Permalink

the new alpha 9.0a6 does not start at all in debian 10, not from source folder and not from command line either. it pauses as if it wants to start but nothing happens?
fresh install from torproject, sig verified, linux 64bit

Anonymous

September 11, 2019

Permalink

Tor Browser 9.0 Alpha 6 does not use all localization files, except the Connecting window all other strings on Welcome page and menus instead on Macedonian are on English!
* Also I have reported this on ticket #30468 4 days ago.

Anonymous

September 14, 2019

Permalink

Received unexpected result type undefined, falling back to typed transition. WebNavigation.jsm:217
onURLBarUserStartNavigation resource://gre/modules/WebNavigation.jsm:217
observe resource://gre/modules/WebNavigation.jsm:136
_notifyStartNavigation resource:///modules/UrlbarInput.jsm:1364
_loadURL resource:///modules/UrlbarInput.jsm:1240
handleCommand resource:///modules/UrlbarInput.jsm:446
_initPasteAndGo resource:///modules/UrlbarInput.jsm:1333

We are again seeing
DEBUG_FLAGS="-g -gcodeview"
in win64 release. Pls, fix it.

Where are you seeing that and what do you mean with "again"?

Doh, about:buildconfig, obviously.

Yeah, but that does not say anything about what actually gets shipped to users. Hence I was asking. The debug info is not included in the bundles distributed (which is why we exempted libc++.a from getting created with debug info), so we are good here _and_ we can make progress on https://trac.torproject.org/projects/tor/ticket/31546.

Compile without them and prove shipped builds are not affected (by comparing hashes). FWIW, it was a confirmed bug in Firefox.

It's not affected in the sense that the debug parts get stripped and are not included in the binary we ship. Care to share a link to that bug here?

HTTPSE doesn't update rulesets on Tor Browser update :(

What do you mean? What is supposed to happen but does not actually happen?

Updated TBB and got HTTPS-E 2019.6.17 with rulesets, which updated to 2019.9.13 only after several days. And there is no way to force them updating.

RemoteWebProgress failed to call onStatusChange: [Exception... "JavaScript component does not have a method named: "onStatusChange"'JavaScript component does not have a method named: "onStatusChange"' when calling method: [nsIWebProgressListener::onStatusChange]" nsresult: "0x80570030 (NS_ERROR_XPC_JSOBJECT_HAS_NO_FUNCTION_NAMED)" location: "JS frame :: resource://gre/modules/RemoteWebProgress.jsm :: _callProgressListeners :: line 119" data: no]
2 RemoteWebProgress.jsm:121
_callProgressListeners resource://gre/modules/RemoteWebProgress.jsm:121
onStatusChange resource://gre/modules/RemoteWebProgress.jsm:172

How do you get this error message (in a reproducible way)?

I can't disclose that website, but this error doesn't appear on stable.

Okay. If you find some way to reproduce that you can share, let us know. Otherwise there is not much we can do about it.

I haven't been using TB much in the past few months, but I did a fresh install today because I encountered minor issues I thought could have been caused by a faulty update through the browser's update prompt... happened to notice that NoScript, HTTPS Everywhere, and any other "built-in" extensions don't seem to be present. Is this intentional? [did not change any settings; launched right after clean install] Security Level is present on the toolbar, however...

Thx.

What makes you believe they are not present? Are they visible on the about:addons page? Note we re-did the toolbar in Tor Browser 8.5 where where we hid those two extensions from the toolbar (but they are still there).

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

3 + 5 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.