tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE
commit 4cb2ef62c4b884377bac1b4c1f5633b69dba843d
parent 9a065a86d8133b31cbccad984d573e6051de0bff
Author: Morgan <morgan@torproject.org>
Date:   Thu, 16 Feb 2023 17:13:55 +0100

BB 42716: Disable unwanted about: pages

Diffstat:

Mbrowser/components/about/AboutRedirector.cpp | 2++


Mbrowser/components/about/components.conf | 2+-


Mdocshell/base/nsAboutRedirector.cpp | 25+++++++++++++++++--------


Mdocshell/build/components.conf | 12+++++++-----


Mtoolkit/content/jar.mn | 8++++++--


5 files changed, 33 insertions(+), 16 deletions(-)

diff --git a/browser/components/about/AboutRedirector.cpp b/browser/components/about/AboutRedirector.cpp
@@ -96,9 +96,11 @@ static const RedirEntry kRedirMap[] = {
     {"rights", "https://www.mozilla.org/about/legal/terms/firefox/",
      nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
          nsIAboutModule::URI_MUST_LOAD_IN_CHILD},
+#ifndef BASE_BROWSER_VERSION
     {"robots", "chrome://browser/content/aboutRobots.xhtml",
      nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
          nsIAboutModule::ALLOW_SCRIPT},
+#endif
     {"sessionrestore", "chrome://browser/content/aboutSessionRestore.xhtml",
      nsIAboutModule::ALLOW_SCRIPT | nsIAboutModule::HIDE_FROM_ABOUTABOUT |
          nsIAboutModule::IS_SECURE_CHROME_UI},
diff --git a/browser/components/about/components.conf b/browser/components/about/components.conf
@@ -25,7 +25,7 @@ pages = [
     'reader',
     'restartrequired',
     'rights',
-    'robots',
+    # Removed 'robots'. tor-browser#42831.
     'sessionrestore',
     'settings',
     'tabcrashed',
diff --git a/docshell/base/nsAboutRedirector.cpp b/docshell/base/nsAboutRedirector.cpp
@@ -146,10 +146,9 @@ static const RedirEntry kRedirMap[] = {
          nsIAboutModule::IS_SECURE_CHROME_UI},
     {"logging", "chrome://global/content/aboutLogging/aboutLogging.html",
      nsIAboutModule::ALLOW_SCRIPT},
-    {"logo", "chrome://branding/content/about.png",
-     nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
-         // Linkable for testing reasons.
-         nsIAboutModule::MAKE_LINKABLE},
+    // Do not allow web pages to link to about:logo, which varies between
+    // channels. See tor-browser#43308.
+    // Moreover, it exposes firefox-specific branding.
     {"memory", "chrome://global/content/aboutMemory.xhtml",
      nsIAboutModule::ALLOW_SCRIPT},
     {"certificate", "chrome://global/content/certviewer/certviewer.html",
@@ -158,8 +157,10 @@ static const RedirEntry kRedirMap[] = {
          nsIAboutModule::URI_MUST_LOAD_IN_CHILD |
          nsIAboutModule::URI_CAN_LOAD_IN_PRIVILEGEDABOUT_PROCESS |
          nsIAboutModule::IS_SECURE_CHROME_UI},
+#ifndef BASE_BROWSER_VERSION
     {"mozilla", "chrome://global/content/mozilla.html",
      nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT},
+#endif
 #if !defined(ANDROID) && !defined(XP_WIN)
     {"webauthn", "chrome://global/content/aboutWebauthn.html",
      nsIAboutModule::ALLOW_SCRIPT | nsIAboutModule::IS_SECURE_CHROME_UI},
@@ -209,15 +210,17 @@ static const RedirEntry kRedirMap[] = {
     {"windows-messages", "chrome://global/content/aboutWindowsMessages.html",
      nsIAboutModule::ALLOW_SCRIPT},
 #endif
-#ifndef MOZ_GLEAN_ANDROID
+#ifdef MOZ_TELEMETRY_REPORTING
+#  ifndef MOZ_GLEAN_ANDROID
     {"glean", "chrome://global/content/aboutGlean.html",
-#  if !defined(NIGHTLY_BUILD) && defined(MOZILLA_OFFICIAL)
+#    if !defined(NIGHTLY_BUILD) && defined(MOZILLA_OFFICIAL)
      nsIAboutModule::HIDE_FROM_ABOUTABOUT |
-#  endif
+#    endif
          nsIAboutModule::ALLOW_SCRIPT},
-#endif
+#  endif
     {"telemetry", "chrome://global/content/aboutTelemetry.xhtml",
      nsIAboutModule::ALLOW_SCRIPT | nsIAboutModule::IS_SECURE_CHROME_UI},
+#endif
 #ifndef BASE_BROWSER_VERSION
     // Remove about:translations since translations are disabled.
     // See tor-browser#44045 and tor-browser#42872.
@@ -228,10 +231,16 @@ static const RedirEntry kRedirMap[] = {
          nsIAboutModule::URI_MUST_LOAD_IN_CHILD |
          nsIAboutModule::URI_CAN_LOAD_IN_PRIVILEGEDABOUT_PROCESS},
 #endif
+#ifndef BASE_BROWSER_VERSION
+    // We disable safe browsing and the data update mechanisms. So this page
+    // will be non-functional or at least unreliable.
     {"url-classifier", "chrome://global/content/aboutUrlClassifier.xhtml",
      nsIAboutModule::ALLOW_SCRIPT},
+#endif
+#ifdef MOZ_WEBRTC
     {"webrtc", "chrome://global/content/aboutwebrtc/aboutWebrtc.html",
      nsIAboutModule::ALLOW_SCRIPT},
+#endif
     {"crashparent", "about:blank", nsIAboutModule::HIDE_FROM_ABOUTABOUT},
     {"crashcontent", "about:blank",
      nsIAboutModule::HIDE_FROM_ABOUTABOUT |
diff --git a/docshell/build/components.conf b/docshell/build/components.conf
@@ -21,7 +21,7 @@ about_pages = [
     'logging',
     'logo',
     'memory',
-    'mozilla',
+    # Removed 'mozilla'. tor-browser#42831.
     'neterror',
     'networking',
     'performance',
@@ -30,15 +30,17 @@ about_pages = [
     'serviceworkers',
     'srcdoc',
     'support',
-    'telemetry',
-    'url-classifier',
-    'webrtc',
+    # Removed 'url-classifier'. tor-browser#42831.
 ]
 
 if buildconfig.substs['MOZ_WIDGET_TOOLKIT'] != 'android':
     about_pages.append('addons')
 if defined('MOZ_CRASHREPORTER'):
     about_pages.append('crashes')
+if defined('MOZ_TELEMETRY_REPORTING'):
+    about_pages.append('telemetry')
+if defined('MOZ_WEBRTC'):
+    about_pages.append('webrtc')
 if buildconfig.substs['MOZ_WIDGET_TOOLKIT'] != 'android':
     about_pages.append('profiles')
 # Remove about:translations since translations are disabled.
@@ -49,7 +51,7 @@ if buildconfig.substs['MOZ_WIDGET_TOOLKIT'] == 'android':
 if buildconfig.substs['MOZ_WIDGET_TOOLKIT'] == 'windows':
     about_pages.append('third-party')
     about_pages.append('windows-messages')
-if not defined('MOZ_GLEAN_ANDROID'):
+if defined('MOZ_TELEMETRY_REPORTING') and not defined('MOZ_GLEAN_ANDROID'):
     about_pages.append('glean')
 if buildconfig.substs['MOZ_WIDGET_TOOLKIT'] != 'android' and buildconfig.substs['MOZ_WIDGET_TOOLKIT'] != 'windows':
     about_pages.append('webauthn')
diff --git a/toolkit/content/jar.mn b/toolkit/content/jar.mn
@@ -24,6 +24,7 @@ toolkit.jar:
 #endif
    content/global/aboutServiceWorkers.js
    content/global/aboutServiceWorkers.xhtml
+#ifdef MOZ_WEBRTC
    content/global/aboutwebrtc/aboutWebrtc.css   (aboutwebrtc/aboutWebrtc.css)
    content/global/aboutwebrtc/aboutWebrtc.mjs    (aboutwebrtc/aboutWebrtc.mjs)
    content/global/aboutwebrtc/graph.mjs    (aboutwebrtc/graph.mjs)
@@ -32,19 +33,22 @@ toolkit.jar:
    content/global/aboutwebrtc/disclosure.mjs (aboutwebrtc/disclosure.mjs)
    content/global/aboutwebrtc/copyButton.mjs (aboutwebrtc/copyButton.mjs)
    content/global/aboutwebrtc/aboutWebrtc.html (aboutwebrtc/aboutWebrtc.html)
+#endif
    content/global/aboutRestricted/aboutRestricted.mjs (aboutRestricted/aboutRestricted.mjs)
    content/global/aboutRestricted/aboutRestricted.html (aboutRestricted/aboutRestricted.html)
    content/global/aboutRestricted/aboutRestricted.css (aboutRestricted/aboutRestricted.css)
    content/global/aboutSupport.js
 *  content/global/aboutSupport.xhtml
-#ifndef MOZ_GLEAN_ANDROID
+#ifdef MOZ_TELEMETRY_REPORTING
+#  ifndef MOZ_GLEAN_ANDROID
    content/global/aboutGlean.js
    content/global/aboutGlean.html
    content/global/aboutGlean.css
-#endif
+#  endif
    content/global/aboutTelemetry.js
    content/global/aboutTelemetry.xhtml
    content/global/aboutTelemetry.css
+#endif
    content/global/aboutUrlClassifier.js
    content/global/aboutUrlClassifier.xhtml
    content/global/aboutUrlClassifier.css