[tor-commits] [Git][tpo/applications/mullvad-browser][mullvad-browser-149.0a1-16.0-2] 4 commits: BB 44772: Disable efficient randomization for canvases.

Pier Angelo Vendrame pushed to branch mullvad-browser-149.0a1-16.0-2 at The Tor Project / Applications / Mullvad Browser

Commits:

f8c9c503

by Pier Angelo Vendrame at 2026-03-24T18:49:28+01:00

BB 44772: Disable efficient randomization for canvases.

Always use the regular randomization algorithm, instead.

899e00ed

by Pier Angelo Vendrame at 2026-03-24T18:49:35+01:00

fixup! BB 43525: Skip Remote Settings for search engine customization.

BB 44757: Fix search engine tests for Firefox 149.

d09b8270

by Pier Angelo Vendrame at 2026-03-24T18:49:43+01:00

fixup! BB 40925: Implemented the Security Level component

BB 44757: Fix search engine tests for Firefox 149.

43a1de0d

by Pier Angelo Vendrame at 2026-03-24T18:49:49+01:00

fixup! Firefox preference overrides.

BB 44763: Disable WebGPU until audited.

4 changed files:

browser/app/profile/001-base-profile.js
dom/canvas/CanvasUtils.cpp
toolkit/components/search/tests/xpcshell/test_base_browser.js
toolkit/components/search/tests/xpcshell/test_security_level.js

Changes:

browser/app/profile/001-base-profile.js

@@ -492,6 +492,8 @@ pref("privacy.resistFingerprinting.skipEarlyBlankFirstPaint", true);
  pref("webgl.disable-fail-if-major-performance-caveat", true);
  // tor-browser#16404: disable until we investigate it further (#22333)
  pref("webgl.enable-webgl2", false);
 +// tor-browser#44763: disable WebGPU until audited.
 +pref("dom.webgpu.enabled", false);
  pref("browser.link.open_newwindow.restriction", 0); // Bug 9881: Open popups in new tabs (to avoid fullscreen popups)
  // tor-browser#42767: Disable offscreen canvas until verified it is not fingerprintable
  pref("gfx.offscreencanvas.enabled", false);

dom/canvas/CanvasUtils.cpp

@@ -382,14 +382,9 @@ ImageExtraction ImageExtractionResult(dom::HTMLCanvasElement* aCanvasElement,
      return ImageExtraction::Placeholder;
+   }
 -  if (ownerDoc->ShouldResistFingerprinting(
 -          RFPTarget::EfficientCanvasRandomization) &&
 -      GetCanvasExtractDataPermission(aPrincipal) !=
 -          nsIPermissionManager::ALLOW_ACTION) {
 -    return ImageExtraction::EfficientRandomize;
 -  }
+-
 -  if ((ownerDoc->ShouldResistFingerprinting(RFPTarget::CanvasRandomization) ||
 +  if ((ownerDoc->ShouldResistFingerprinting(
 +           RFPTarget::EfficientCanvasRandomization) ||
 +       ownerDoc->ShouldResistFingerprinting(RFPTarget::CanvasRandomization) ||
         ownerDoc->ShouldResistFingerprinting(RFPTarget::WebGLRandomization)) &&
        GetCanvasExtractDataPermission(aPrincipal) !=
            nsIPermissionManager::ALLOW_ACTION) {

toolkit/components/search/tests/xpcshell/test_base_browser.js

@@ -10,6 +10,10 @@
  "use strict";
 +const { SearchService } = ChromeUtils.importESModule(
 +  "moz-src:///toolkit/components/search/SearchService.sys.mjs"
 +);
++
  const expectedURLs = {
    ddg: "https://duckduckgo.com/?q=test",
    "ddg-html": "https://html.duckduckgo.com/html/?q=test",
@@ -21,24 +25,23 @@ const expectedURLs = {
  const defaultEngine = "ddg";
  add_setup(async function setup() {
 -  await Services.search.init();
 +  await SearchService.init();
  });
  add_task(async function test_listEngines() {
 -  const { engines } =
 -    await Services.search.wrappedJSObject._fetchEngineSelectorEngines();
 +  const { engines } = await SearchService._fetchEngineSelectorEngines();
    const foundIdentifiers = engines.map(e => e.identifier);
    Assert.deepEqual(foundIdentifiers, Object.keys(expectedURLs));
  });
  add_task(async function test_default() {
    Assert.equal(
 -    (await Services.search.getDefault()).id,
 +    (await SearchService.getDefault()).id,
      defaultEngine,
      `${defaultEngine} is our default search engine in normal mode.`
    );
    Assert.equal(
 -    (await Services.search.getDefaultPrivate()).id,
 +    (await SearchService.getDefaultPrivate()).id,
      defaultEngine,
      `${defaultEngine} is our default search engine in PBM.`
    );
@@ -46,7 +49,7 @@ add_task(async function test_default() {
  add_task(function test_checkSearchURLs() {
    for (const [id, url] of Object.entries(expectedURLs)) {
 -    const engine = Services.search.getEngineById(id);
 +    const engine = SearchService.getEngineById(id);
      const foundUrl = engine.getSubmission("test").uri.spec;
      Assert.equal(foundUrl, url, `The URL of ${engine.name} is not altered.`);
+   }
@@ -54,7 +57,7 @@ add_task(function test_checkSearchURLs() {
  add_task(async function test_iconsDoesNotFail() {
    for (const id of Object.keys(expectedURLs)) {
 -    const engine = Services.search.getEngineById(id);
 +    const engine = SearchService.getEngineById(id);
      // No need to assert anything, as in case of error this method should throw.
      await engine.getIconURL();
+   }

toolkit/components/search/tests/xpcshell/test_security_level.js

@@ -8,14 +8,18 @@
  "use strict";
 +const { SearchService } = ChromeUtils.importESModule(
 +  "moz-src:///toolkit/components/search/SearchService.sys.mjs"
 +);
++
  const expectedURLs = {
    ddg: "https://html.duckduckgo.com/html?q=test",
  };
  add_task(async function test_securityLevel() {
 -  await Services.search.init();
 +  await SearchService.init();
    for (const [id, url] of Object.entries(expectedURLs)) {
 -    const engine = Services.search.getEngineById(id);
 +    const engine = SearchService.getEngineById(id);
      const foundUrl = engine.getSubmission("test").uri.spec;
      Assert.equal(foundUrl, url, `${engine.name} is in HTML mode.`);
+   }