========================================================================================================================
Build Notes v2 :
========================================================================================================================
- Compress tar.xz
tar cfJ <archive.tar.xz> <files>
- Files to remove :
crash-reporter...
crash-reporter...
removed-files
update...
update...
update...
browser/feature/webcomp...
browser/feature/webcomp...
browser/feature/...
- Tor files to remove :
Classic removal plus
https-everywhere addon
profile.meek-http-helper...
- Patching release :
>browser.omni.ja.chrome.browser.content.browser.preferences.in-content.privacy.origin (patch with winrar)
Tor : patch mozilla.cfg
- Tor windows :
Install it to desktop then get the files
(Only the lnk file is a new file compared to compressed version)
remove lnk file
add link.vbs
add bat file
- Tor mac :
Under mac, mount the dmg and extract all of its content to a folder
Copy .DS_Store from the dmg to the folder using the command line
run "codesign --remove-signature Tor\ Browser.app".
With Disk Utility, create a dmg from the folder (read/write, no compression)
We are converting the iso-style dmg to a plain dmg...
========================================================================================================================
JS Note & Debugging :
========================================================================================================================
// ----------
// CSP Note :
// ----------
//
// Syntax :
// One or more sources can be allowed for the default-src policy:
// Content-Security-Policy: default-src <source> <source>;
// Content-Security-Policy: default-src <source>;
//
// default-src is a fallback for :
// - child-src
// - connect-src
// - font-src
// - frame-src
// - img-src
// - manifest-src
// - media-src
// - object-src
// - prefetch-src
// - script-src
// - style-src
// - worker-src
//
// <source> can be one of the following:
//
// 'none'
// Refers to the empty set; that is, no URLs match. The single quotes are required.
//
// 'self'
// Refers to the origin from which the protected document is being served,
// including the same URL scheme and port number. You must include the single quotes.
// Some browsers specifically exclude blob and filesystem from source directives.
// Sites needing to allow these content types can specify them using the Data attribute.
//
// 'unsafe-inline'
// Allows the use of inline resources, such as inline <script> elements, javascript:
// URLs, inline event handlers, and inline <style> elements. You must include the single quotes.
//
// 'unsafe-eval'
// Allows the use of eval() and similar methods for creating code from strings.
// You must include the single quotes.
//
// <scheme-source>
// A scheme such as 'http:' or 'https:'. The colon is required, single quotes
// shouldn't be used. You can also specify data schemes (not recommended).
// - data: Allows data: URIs to be used as a content source. This is insecure;
// An attacker can also inject arbitrary data: URIs.
// Use this sparingly and definitely not for scripts.
// - mediastream: Allows mediastream: URIs to be used as a content source.
// - blob: Allows blob: URIs to be used as a content source.
// - filesystem: Allows filesystem: URIs to be used as a content source.
//
// <host-source>
// Internet hosts by name or IP address, as well as an optional URL scheme and/or port number.
// The site's address may include an optional leading wildcard (the asterisk character, '*'),
// and you may use a wildcard (again, '*') as the port number, indicating that all
// legal ports are valid for the source.
// Examples:
// - http://*.example.com: Matches all attempts to load from any subdomain of example.com using the http: URL scheme.
// - mail.example.com:443: Matches all attempts to access port 443 on mail.example.com.
// - https://store.example.com: Matches all attempts to access store.example.com using https:.
//
// Sources :
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
// -----------------
// Process Isolation
// -----------------
//
// Pref : Separate process for protocol
// defaultPref("extensions.webextensions.protocol.remote", true); //default true
//
// Pref : Separate process for protocol extension
// defaultPref("extensions.webextensions.remote", false); //default true
//
// Process remoting (running extensions in a separate process) can partially firewall an
// extension by denying access to some moz-extension URLs (extension-internal URLs such as
// its settings page), but this is neither reliable nor usable for firewalling purposes.
// Setting it to false will break moz-extension URI loading
// unless other process sandboxing and extension remoting prefs are changed.
// Note, extensions.webextensions.protocol.remote=false is for
// debugging purposes only. With process-level sandboxing, child
// processes (specifically content and extension processes), will
// not be able to load most moz-extension URI's when the pref is
// set to false.
// ------------------
// Restricted Domains
// ------------------
//
// "extensions.webextensions.restrictedDomains"
//
// gHacks sets this to the empty string ""... this is the list of domains extensions are blocked from.
// Default value :
// "accounts-static.cdn.mozilla.net,accounts.firefox.com,addons.cdn.mozilla.net,addons.mozilla.org,
// api.accounts.firefox.com,content.cdn.mozilla.net,content.cdn.mozilla.net,discovery.addons.mozilla.org,
// input.mozilla.org,install.mozilla.org,oauth.accounts.firefox.com,profile.accounts.firefox.com,
// support.mozilla.org,sync.services.mozilla.com,testpilot.firefox.com"
//
// Managed in
// AddonManagerWebAPI.cpp
// WebExtensionPolicy.cpp
//
// Check function (a check that trips returns deny immediately) :
//
// WebExtensionPolicy::IsRestrictedURI
// - Check against restrictedDomains (false-allow) domains->Contains
// - Check IsValidSite (deny access) (false-allow)
// --- Check if empty string --(false-allow)
// --- Check https/http --(false-allow)
// --- Check SSL --(false-allow)
// --- Allow those domains directly --(true---deny)
// "addons.mozilla.org"
// "discovery.addons.mozilla.org"
// "testpilot.firefox.com"
// --- If pref "extensions.webapi.testing" --(true---deny)
// is true, it allows access to a further
// list of sites
// --- Return false --(false-allow)
// - Return false (false-allow)
// -----------------
// Other Possibility
// -----------------
//
// Other possibility: a securefox extension that compares requests against URLs, filters them, etc.
//
// Other possibility: recompile and make it a native feature (maybe for a future version).
// Just invert the check to !domains->Contains so that only the listed domains are allowed.
//
// Other hidden setting
// int dom.ipc.keepProcessesAlive.extension //hidden setting
//
// Conclusion : patch the binary's "IsRestrictedURI" function OR build our own version.
// The durable solution is to rebuild; this feature is paused until a future version.
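The decision logic sketched in the "Restricted Domains" and "Other Possibility" sections, written out as an added JavaScript model (this is not code from these notes nor from Firefox's WebExtensionPolicy.cpp / AddonManagerWebAPI.cpp). It follows the check order listed above, uses the default domain string quoted above, and shows what the inverted `!domains->Contains` variant changes. The `testingSites` list is an assumption, since the notes mention the extra testing list without quoting it; every URL checked is constructed.

```javascript
// Added example (not code from the notes or from Firefox): a JavaScript model of the
// WebExtensionPolicy::IsRestrictedURI decision as the notes describe it, plus the
// inverted allow-list variant from "Other Possibility". The domain string is the
// default quoted in the notes; every URL checked below is constructed for illustration.

// Default value of extensions.webextensions.restrictedDomains, as quoted in the notes.
const RESTRICTED_DOMAINS_DEFAULT =
  "accounts-static.cdn.mozilla.net,accounts.firefox.com,addons.cdn.mozilla.net,addons.mozilla.org," +
  "api.accounts.firefox.com,content.cdn.mozilla.net,content.cdn.mozilla.net,discovery.addons.mozilla.org," +
  "input.mozilla.org,install.mozilla.org,oauth.accounts.firefox.com,profile.accounts.firefox.com," +
  "support.mozilla.org,sync.services.mozilla.com,testpilot.firefox.com";

// Sites IsValidSite always treats as Mozilla add-on sites (the three listed in the notes).
const ALWAYS_VALID_SITES = ["addons.mozilla.org", "discovery.addons.mozilla.org", "testpilot.firefox.com"];

// The pref is a comma-separated string; "" (the gHacks setting) yields an empty list.
function parseDomainList(prefValue) {
  return prefValue.split(",").map((d) => d.trim().toLowerCase()).filter(Boolean);
}

// Model of AddonManagerWebAPI::IsValidSite following the check order in the notes:
// empty host -> false; not http/https -> false; not SSL -> false; Mozilla add-on
// sites -> true; with extensions.webapi.testing set, an extra list of sites -> true.
// `testingSites` is an assumption: the notes mention the extra list but do not quote it.
function isValidSite(url, prefs = {}) {
  if (!url.hostname) return false;
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.protocol !== "https:") return false;
  if (ALWAYS_VALID_SITES.includes(url.hostname)) return true;
  if (prefs["extensions.webapi.testing"] === true) {
    return (prefs.testingSites || []).includes(url.hostname);
  }
  return false;
}

// Model of WebExtensionPolicy::IsRestrictedURI: true means the extension is DENIED
// access to the URL. The two checks are a block-list lookup and IsValidSite.
function isRestrictedURI(urlString, restrictedDomains, prefs = {}) {
  const url = new URL(urlString);
  if (restrictedDomains.includes(url.hostname)) return true; // domains->Contains
  if (isValidSite(url, prefs)) return true;                  // Mozilla add-on sites
  return false;
}

// Inverted variant from "Other Possibility": !domains->Contains turns the list into
// an allow-list, so every unlisted host is denied. IsValidSite is kept unchanged,
// so the Mozilla add-on sites stay denied even if someone lists them.
function isRestrictedURIAllowlist(urlString, allowedDomains, prefs = {}) {
  const url = new URL(urlString);
  if (!allowedDomains.includes(url.hostname)) return true;  // inverted check
  if (isValidSite(url, prefs)) return true;
  return false;
}

// Side-by-side view of both models for a few constructed URLs.
function compareModels() {
  const blocklist = parseDomainList(RESTRICTED_DOMAINS_DEFAULT);
  const emptyList = parseDomainList("");           // the gHacks setting
  const allowlist = ["example.org"];               // constructed allow-list
  const urls = [
    "https://support.mozilla.org/kb",              // on the default block-list
    "https://addons.mozilla.org/",                 // denied by IsValidSite even with an empty list
    "http://addons.mozilla.org/",                  // plain http: IsValidSite returns false
    "https://example.org/",                        // ordinary site
    "https://other.example/",                      // unlisted site
  ];
  return urls.map((u) => ({
    url: u,
    defaultList: isRestrictedURI(u, blocklist),
    emptyList: isRestrictedURI(u, emptyList),
    allowlist: isRestrictedURIAllowlist(u, allowlist),
  }));
}
```

Two things the model makes visible: emptying the pref (the gHacks setting) removes the block-list but not the IsValidSite deny, so addons.mozilla.org over https stays unreachable for extensions while the same host over plain http does not trip IsValidSite; and the inverted variant is a true allow-list, so an empty list would deny every site.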
//
// ---------------------------------------
// Pref : CSP Settings For Extensions I/II
// ---------------------------------------
//
// Default Value : "
// script-src 'self' https://* moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline';
// object-src 'self' https://* moz-extension: blob: filesystem:;
// "
//
// Default Deny Value : "
// default-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline';
// script-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline';
// object-src 'self' moz-extension: blob: filesystem:;
// "
//
// Strict Deny Value : "
// default-src 'self' moz-extension: blob: filesystem:;
// script-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline';
// object-src 'self' moz-extension: blob: filesystem:;
// "
//
// Super Strict Deny Value : "
// default-src 'none';
// script-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline';
// object-src 'self' moz-extension: blob: filesystem:;
// "
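To make the four policy levels above comparable, here is an added JavaScript CSP evaluator (not code from these notes, from Firefox or from MDN) that implements the syntax described in the CSP note: the default-src fallback for the listed directives, 'none', 'self', scheme-sources and host-sources with leading and port wildcards. It then runs the four extension CSP strings quoted above against a few constructed loads. The extension UUID, the example hosts and the function names are all assumptions; host-source paths are not modelled.

```javascript
// Added example (not code from the notes or from Firefox): a small CSP evaluator
// covering the syntax in the CSP note (default-src fallback, 'none', 'self',
// scheme-source, host-source with wildcards) applied to the four extension CSP
// levels quoted in the notes. All URLs and the extension UUID are constructed.

// Directives that fall back to default-src when absent (the list from the CSP note).
const FALLBACK_TO_DEFAULT = new Set([
  "child-src", "connect-src", "font-src", "frame-src", "img-src", "manifest-src",
  "media-src", "object-src", "prefetch-src", "script-src", "style-src", "worker-src",
]);

// "directive src src; directive src" -> Map(directive -> [source expressions]).
// A directive repeated in one policy keeps its first occurrence, as the spec requires.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Effective source list for a directive; null means the policy does not restrict it.
function effectiveSources(directives, directive) {
  const d = directive.toLowerCase();
  if (directives.has(d)) return directives.get(d);
  if (FALLBACK_TO_DEFAULT.has(d) && directives.has("default-src")) return directives.get("default-src");
  return null;
}

// Origin comparison by components, so non-special schemes such as moz-extension: work too.
function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Does one source expression match a URL load? Keywords for inline/eval never match a URL;
// host-source paths are not modelled here.
function sourceMatches(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'none'" || e === "'unsafe-inline'" || e === "'unsafe-eval'") return false;
  if (e === "'self'") return sameOrigin(url, self);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;          // scheme-source
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|\*\.[^:/*]+|[^:/*]+)(?::(\*|\d+))?$/);
  if (!m) return false;                                                   // host-source
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  if (host.startsWith("*.") && !url.hostname.endsWith(host.slice(1))) return false;
  if (!host.startsWith("*") && url.hostname !== host) return false;
  if (port && port !== "*") {
    const effective = url.port || { "https:": "443", "http:": "80" }[url.protocol] || "";
    if (effective !== port) return false;
  }
  return true;
}

// Is loading `urlString` as `directive` allowed for a document at `selfUrlString`?
function allows(policy, directive, urlString, selfUrlString) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return true;
  const url = new URL(urlString), self = new URL(selfUrlString);
  return sources.some((expr) => sourceMatches(expr, url, self));
}

// Inline content needs 'unsafe-inline' and eval() needs 'unsafe-eval' in the effective list.
function allowsKeyword(policy, directive, keyword) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  return sources === null || sources.map((s) => s.toLowerCase()).includes(keyword);
}

// The four extension CSP levels quoted in the notes above.
const EXTENSION_CSP_LEVELS = {
  default: "script-src 'self' https://* moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; object-src 'self' https://* moz-extension: blob: filesystem:;",
  defaultDeny: "default-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; script-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; object-src 'self' moz-extension: blob: filesystem:;",
  strictDeny: "default-src 'self' moz-extension: blob: filesystem:; script-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; object-src 'self' moz-extension: blob: filesystem:;",
  superStrictDeny: "default-src 'none'; script-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; object-src 'self' moz-extension: blob: filesystem:;",
};

// What each level permits for a few constructed loads from an extension page.
const SELF = "moz-extension://constructed-uuid/popup.html";
function compareLevels() {
  const out = {};
  for (const [level, policy] of Object.entries(EXTENSION_CSP_LEVELS)) {
    out[level] = {
      remoteScript: allows(policy, "script-src", "https://cdn.example/lib.js", SELF),
      remoteImage: allows(policy, "img-src", "https://cdn.example/logo.png", SELF), // via default-src
      ownScript: allows(policy, "script-src", "moz-extension://constructed-uuid/bg.js", SELF),
      inlineStyle: allowsKeyword(policy, "style-src", "'unsafe-inline'"),
      evalInScript: allowsKeyword(policy, "script-src", "'unsafe-eval'"),
    };
  }
  return out;
}
```

Running `compareLevels()` shows where the levels actually differ: the default value has no default-src, so images, fetches and styles are unrestricted and remote https scripts are allowed; "Default Deny" closes the remote loads through the default-src fallback but still carries 'unsafe-inline' into style-src; "Strict Deny" drops that keyword from the fallback; "Super Strict Deny" makes the fallback 'none'. All four keep 'unsafe-eval' and 'unsafe-inline' in script-src, so an extension's own scripts behave the same under every level.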