New Release: Tor Browser 10.0a5

[Update 8/20/2020 13:05 UTC]: We encountered updater issues for all alpha users that have been auto-updating the alpha series for months. We changed the accepted MAR channel ID to torbrowser-torproject-alpha as we are on an alpha channel. The assumption was that enough time passed since we changed it last time to torbrowser-torproject-release,torbrowser-torproject-alpha but it turns out that change did not get applied for yet unknown reasons. Bug 40092 is tracking the bug. Workaround: change the torbrowser-torproject-release in your update-settings.ini (in the Browser's code directory, which depends on you operating system) file to torbrowser-torproject-alpha and the update should get applied successfully. Alternatively, downloading a fresh alpha copy of Tor Browser works as well. Sorry for the inconvenience.

[Update 8/21/2020 02:45 UTC]: Please provide steps to reproduce errors when reporting them. Thank you for all of the reports so far.

Tor Browser 10.0a5 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

We are happy to announce the first alpha for desktop users based on Firefox 78 ESR. The Android version is under active development and will be available in the coming weeks.

We announced nightly builds based on ESR 78 a while ago and used the time since then to adjust our toolchains, finish our proxy audit, and fix a lot of issues that came down on us due to the switch to this new major Firefox version on the ESR channel.

Tor Browser 10.0a5 ships with Firefox 78.1.0esr but there are a lot more changes that we included compared to the previous alpha version. As it is the first alpha based on the new major ESR version we expect more bugs than usual. Please report them, either here or on Gitlab, or essentially with any other means that would reach us. We are in particular interested in potential proxy bypasses which our proxy audit missed.

The full changelog since Tor Browser 10.0a4 is:

  • Windows + OS X + Linux
    • Update Firefox to 78.1.0esr
    • Update Tor to 0.4.4.4-rc
    • Update Tor Launcher to 0.2.22
      • Bug 32174: Replace XUL <textbox> with <html:input></li>
      • Bug 33890: Rename XUL files to XHTML
      • Bug 33862: Fix usages of createTransport API
      • Bug 33906: Fix Tor-Launcher issues for Firefox 75
      • Bug 33998: Use CSS grid instead of XUL grid
      • Bug 34164: Tor Launcher deadlocks during startup (Firefox 77)
      • Bug 34206: Tor Launcher button labels are missing (Firefox 76)
    • Translations update
    • Update NoScript to 11.0.37
    • Bug 11154: Disable TLS 1.0 (and 1.1) by default
    • Bug 16931: Sanitize the add-on blocklist update URL
    • Bug 17374: Disable 1024-DH Encryption by default
    • Bug 30682: Disable Intermediate CA Preloading
    • Bug 30812: Exempt about: pages from Resist Fingerprinting
    • Bug 31918 + 33533 + 40024 + 40037: Rebase Tor Browser esr68 patches for ESR 78
    • Bug 32612: Update MAR_CHANNEL_ID for the alpha
    • Bug 32886: Separate treatment of @media interaction features for desktop and android
    • Bug 33534: Review FF release notes from FF69 to latest (FF78)
    • Bug 33697: Use old search config based on list.json
    • Bug 33721: PDF Viewer is not working in the safest security level
    • Bug 33734: Set MOZ_NORMANDY to False
    • Bug 33737: Fix aboutDialog.js error for Firefox nightlies
    • Bug 33848: Disable Enhanced Tracking Protection
    • Bug 33851: Patch out Parental Controls detection and logging
    • Bug 33852: Clean up about:logins to not mention Sync
    • Bug 33856: Set browser.privatebrowsing.forceMediaMemoryCache to True
    • Bug 33862: Fix usages of createTransport API
    • Bug 33867: Disable password manager and password generation
    • Bug 33890: Rename XUL files to XHTML
    • Bug 33892: Add brandProductName to brand.dtd and brand.properties
    • Bug 33962: Uplift patch for bug 5741 (dns leak protection)
    • Bug 34125: API change in protocolProxyService.registerChannelFilter
    • Bug 40001: Generate tor-browser-brand.ftl when importing translations
    • Bug 40002: Fix generateNSGetFactory being moved to ComponentUtils
    • Bug 40003: Adapt code for L10nRegistry API changes
    • Bug 40005: Initialize the identity UI before setting up the circuit display
    • Bug 40016: Update Snowflake to discover NAT type
    • Bug 40017: Audit Firefox 68-78 diff for proxy issues
    • Bug 40022: Update new icons in Tor Browser branding
    • Bug 40025: Revert add-on permissions due to Mozilla's 1560059
    • Bug 40036: Remove product version/update channel from #13379 patch
    • Bug 40038: Review RemoteSettings for ESR 78
    • Bug 40048: Disable various ESR78 features via prefs
    • Bug 40059: Verify our external helper patch is still working
    • Bug 40066: Update existing prefs for ESR 78 [tor-browser]
    • Bug 40073: Disable remote Public Suffix List fetching
    • Bug 40078: Backport patches for bug 1651680 for now
    • Translations update
  • Windows
    • Bug 33855: Don't use site's icon as window icon in Windows in private mode
    • Bug 40061: Omit the Windows default browser agent from the build
  • OS X
    • Bug 32252: Tor Browser does not display correctly in VMWare Fusion on macOS (mojave)
  • Build System
    • Windows + OS X + Linux
      • Bug 31845: Bump GCC version to 9.3.0
      • Bug 34011: Bump clang to 9.0.1
      • Bug 34014: Enable sqlite3 support in Python
      • Bug 34390: Don't copy DBM libraries anymore
      • Bug 34391: Remove unused --enable-signmar option
      • Bug 40004: Adapt Rust project for Firefox 78 ESR [tor-browser-build]
      • Bug 40005: Adapt Node project for Firefox 78 ESR [tor-browser-build]
      • Bug 40006: Adapt cbindgen for Firefox 78 ESR [tor-browser-build]
      • Bug 40037: Move projects over to clang-source [tor-browser-build]
      • Bug 40026: Fix full .mar creation for esr78 [tor-browser-build]
      • Bug 40027: Fix incremental .mar creation for esr78 [tor-browser-build]
      • Bug 40028: Do not reference unset env variables [tor-browser-build]
    • Windows
    • OS X
      • Bug 34229: Update macOS toolchain for Firefox 78 ESR
      • Bug 40003: Update cctools version for Firefox 78 ESR
      • Bug 40018: Add libtapi project for cctools
      • Bug 40019: Ship our own runtime library for macOS
    • Linux
      • Bug 34359: Adapt abicheck.cc to deal with newer GCC version
      • Bug 34386: Fix up clang compilation on Linux
Anonymous

August 20, 2020

Permalink

NS_ERROR_XPC_SECURITY_MANAGER_VETO: 2 browsing-context.js:914
_notifyDocShellDestroy resource://devtools/server/actors/targets/browsing-context.js:914
_onDocShellDestroy resource://devtools/server/actors/targets/browsing-context.js:808
observe resource://devtools/server/actors/targets/browsing-context.js:771
observe resource://devtools/server/actors/targets/parent-process.js:106

Anonymous

August 21, 2020

Permalink

when moving a tab (about:support):
Uncaught TypeError: event.target.classList is undefined
on_mouseover chrome://browser/content/tabbrowser-tab.js:288
handleEvent chrome://global/content/customElements.js:466
tabbrowser-tab.js:288:11
on_mouseover chrome://browser/content/tabbrowser-tab.js:288
handleEvent chrome://global/content/customElements.js:466

Anonymous

August 22, 2020

Permalink

'Join the discussion' in https://blog.torproject.org/new-release-tor-browser-953 is off, so i try it here:

https://blog.torproject.org/comment/288996#comment-288996
wtf (not verified) said:
Enterprise Policies are botched?
All Updates in Enterprise Policies are off but HTTSEverywhere tries downloading new rulesets?
https://blog.torproject.org/comment/289110#comment-289110
"sysrqb answering: HTTPS-Everywhere is not controlled by Enterprise Policies."

Funny. Question: what is "ExtensionUpdate Enable or disable automatic extension updates. / DisableSystemAddonUpdate Prevent the browser from installing and updating system add-ons."(about:policies#documentation)?

Further HTTPS-Everywhere updating with "Auto-update rulesets'"(HTTPSEverywhere menu) off and "Update Add-ons Automatically"(`about:addons`) unchecked!
Maybe(?) it has to do with -safe- deleting temporary files(.sql) after closing TBB.
This is new, DEFINITELY noseen in Firefox 68esr AND TBB unique!

Anonymous

August 22, 2020

Permalink

Why does tor fetch consensus & etc not from the guard? Arbitrary connections are really noisy with firewall.

Anonymous

August 24, 2020

Permalink

What happened to NoScript? I can't enable only the javascript from the domain I'm visiting. The only way to get JS now is to accept all JS. Someone please FIX, this is a fingerprinting and profile building nightmare!

Anonymous

August 24, 2020

Permalink

Colors still broken. Have been since late v7, early v8.
To reproduce (windows machine, currently w10-x64-pro but w7-64-pro did the same), change your system colors if they aren't already (my example: background is dark green, text is pale yellow). In win-10 this doesn't do anything unless you set your theme to a "high-contrast" setting.
Next, tell the tor browser (options->colors->use-system) to accept the System's color choices. Try toggling the "always use" setting if you like. Nothing happens. Nothing has happened for a few years now and I can't use TOR without welding goggles. This is frustrating beyond measure.

Anonymous

August 24, 2020

Permalink

During NI:
TypeError: this.document.location is null PurgeSessionHistoryChild.jsm:29:9
receiveMessage resource://gre/actors/PurgeSessionHistoryChild.jsm:29

Anonymous

August 24, 2020

Permalink

Tor has problems after hibernation, many connections time out, and:
Tor NOTICE: No circuits are opened. Relaxed timeout for circuit 306 (a Measuring circuit timeout 3-hop circuit in state waiting to see how other guards perform with channel state open) to 118750ms. However, it appears the circuit has timed out anyway.

Anonymous

August 25, 2020

Permalink

Sometimes Tor Browser corrupts headers (esr68 too):
Invalid header array: [{name:"server", value:"nginx"}, {name:"date", value:"Tue, 25 Aug 2020 09:51:45 GMT"}, {name:"content-type", value:"text/html; charset=UTF-8"}, {name:"last-modified", value:"Sat, 06 Jun 2020 03:06:30 GMT"}, {name:"vary", value:"Accept-Encoding"}, {name:"etag", value:"W/\"5edb0836-21c\""}, {name:"strict-transport-security", value:"max-age=31536000"}, {name:"x-frame-options", value:"SAMEORIGIN"}, {name:"x-xss-protection", value:"1;mode=block"}, {name:"x-content-type-options", value:"nosniff"}, {name:"referrer-policy", value:"origin"}, {name:"expect-ct", value:"max-age=0"}, {name:"expires", value:"Wed, 26 Aug 2020 09:51:45 GMT"}, {name:"cache-control", value:"max-age=86400"}, {name:"x-duckduckgo-locale", value:"en_US"}, {name:"content-encoding", value:"br"}, {name:"X-Firefox-Spdy", value:"h2"}, {name:"content-security-policy", value:"noscript-marker;media-src http:"}, (void 0)] WebRequest.jsm:122
applyChanges resource://gre/modules/WebRequest.jsm:122
applyChanges resource://gre/modules/WebRequest.jsm:1060
AsyncFunctionNext self-hosted:693