Closed eloquence closed 1 year ago
@eloquence Is this something you want the Web Team to work on or should we wait for a solution from the SecureDrop team?
I like the solution proposed by @Thorin-Oakenpants for detecting Tor Browser, since that resource URL will be present only in Tor Browser. There is a slight risk of Tor Project changing the filename, etc., but that risk can be there even with User Agents. Also, browsers have been discussing locking of any information leak through resource:// (which was mentioned in the original post as well) for quite some time. So I am definitely on board with checking the resource URL but I think maybe let's keep the User Agent check for detecting Tor as well. I wonder if the Tor Project has any official way of detecting whether it's a Tor Browser or not.
As of determining the OS itself, I think the solution mention by @Thorin-Oakenpants is used to check OS in chrome browser? Unless I read the code wrong. I agree that mostly android users would be using Chrome, but there might be firefox users too. In that case maybe we can still continue to use the User Agent information to determine if it's a mobile browser?
If everyone agrees, I can go ahead and create PRs. cc @harrislapiroff @eloquence
used to check OS in chrome browser?
nope. the source is chrome://
schema but only applies to gecko
So the logic is
the source is chrome:// schema but only applies to gecko
Thanks for clarifying.
some pseudo code for you
function get_isLatest() {
if (CanvasRenderingContext2D.prototype.hasOwnProperty("letterSpacing")) return true // FF115+ / TB13
if (CanvasRenderingContext2D.prototype.hasOwnProperty("direction")) {
if (Array(1).includes()) return true // FF102+ / TB12
}
return false
}
let isLatest = get_isLatest()
when TB13 is released you would drop the 102+ check and simply return false if not based on at least FF115
just hold off for a tiny bit - the TB detection is broken in the first public TB13 alpha (it wasn't in my 2 week old test build), so I'm in the process of resolving that upstream
@Thorin-Oakenpants any updates on this?
I do have a workaround for TB13 (not sure if it works on android, waiting for a TBA13), but it's not going to last forever, as dtd's are basically phased out. Am looking at TB coding something permanent
Let's go ahead and work on fixing this for current versions of Tor Browser (and get on the same page as SecureDrop) now and keep working on future version support with @Thorin-Oakenpants after that.
do you need me to do anything, or can you craft your own code and then give me a ping?
uugh .. https://github.com/arkenfox/TZP/commit/bec8f63dcd6fa57c91ca6fcee469ed3fcf595197
so in TB13+
chrome://browser/locale/aboutTBUpdate.dtd
doesn't cover all desktopschrome://branding/content/tor-styles.css
should (checked windows, linux, will check mac)nothing to hold you up here though, just letting know the current fixes/changes as we near TB13
As reported by @Thorin-Oakenpants in https://github.com/freedomofpress/securedrop/issues/6795, the logic to detect Tor Browser is currently broken - we're displaying the "You are not anonymous while using this browser!" warning message even to Tor Browser users, using latest Tor Browser. Thorin suggested an alternative detection method here; whichever method we use, we'll likely want to stay in sync between the
securedrop
andsecuredrop.org
repos.