TBB 12: Customatization of settings via /etc/torbrowser.d/user.js does not work anymore

Since over a year, I have successfully been using /etc/torbrowser.d/user.js as least-invasive method to let TBB’s security slider default to “Hardest” mode (Qubes-Whonix):

user_pref("extensions.torbutton.security_slider", 1);

With latest TBB update, this unfortunately does not work anymore. Some observations:
Setting seems to haved changed to browser.security_level.security_slider, hasn’t it?

user_pref("browser.security_level.security_slider", 1);

, but still does not work.
The user.js is successfully copied from /etc/torbrowser.d/user.js to ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js with disposable start. If Browser is closed and restarted (without killing the whole disposable), then security slider is set correctly to “Hardest”.
Hence I assume some sort of race condition between:

  1. copy user.js over to TBB config folder
  2. TBB start

Might anybody confirm, reject or suggest a possible fix?

1 Like

That I find highly unlikely. The copy operation is “guaranteed” to have completed before Tor Browser is started. You could reproduce that manually to confirm.

Generic Bug Reproduction might be required here.

  1. “Forget” about Whonix.

  2. Find out how to customize Tor Browser using a settings file prior ever a Tor Browser first start. Without Whonix being involved. For example on Debian.

Once potential bugs have been reported, fixed upstream in Tor Browser, once it’s clear how to do this manually, it would be likely be easy to update tb-updater to do the same.

1 Like

Thanks for the quick reply @Patrick .
And you are right, this is a more general issue. I tested with vanilla Tor Browser wihout any Whonix participation.

On the first (fresh) start of Tor Browser, an existent user.js inside profile.default (which at this point is almost empty) is ignored. Any subsequent start of Tor Browser (with now fully initialized profile) will consider user.js though. I am wondering

  • if there had been a change since TBB 12
  • if TBB is supposed to support default configurations via user.js with fresh profile, which is important for Qubes disposable templates, as each time a new fresh profile is created

Before v12 everything worked for. Having had a look at an earlier post from you (*1) and the script in Whonix /usr/bin/torbrowser, I assume this basically is supposed to work?

Do you have more info on the topic? If helpful, will also request clarification in the tor forums.

*1: https:///forums.whonix.org/t/tor-browser-customization-using-user-js-for-example-for-i2pbrowser/13719

Probably the Tor Browser developers changed something.

The question to ask as per https://www.whonix.org/wiki/Free_Support_Principle would be kinda like:

How to pre-configure Tor Browser using a configuration file before Tor Browser’s first start?

How to set the Tor Browser security slider to maximum using a configuration file before Tor Browser’s first start?

I don’t know if upstream, the developers of Tor Browser are considering this the user.js / set security slider to maximum using a settings file use case. user.js is probably a feature by upstream’s upstream, which is Mozilla Firefox which hasn’t been considered / tested to not being broken by the Tor Browser developers.

It used to work but /usr/bin/torbrowser cannot do any black magic. It can only automate which at least in principle can also be done manually. If it cannot be done manually, then I cannot help to make it more comfortable / automated.

Maybe policies.json (which is also a Firefox feature) (which was mentioned here Tor Browser Customization using user.js (for example for i2pbrowser)) could be used as a replacement for user.js.

Folder tor-browser/Browser/defaults/pref might be an option too nowadays. In context of Qubes-Whonix that translates to:

  • ~/.tb/tor-browser/Browser/defaults/pref
  • /var/cache/tb-binary/.tb/tor-browser/Browser/defaults/pref

But I couldn’t make that work either.

This could be related to the way the Tor Browser built-in (it’s no longer an add-on nowadays) security slider is initialized, it it respects user.js or Browser/defaults/pref.