TBB design doc: Fix charset and section breakage. (e11e70a85)

projects/torbrowser/design/index.html.en
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"/></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"/>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Feb 23 2013</p></div></div><hr/></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#idp3348944">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversarygoals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversarypositioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">4.8. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title"><a id="idp3348944"/>1. Introduction</h2></div></div></div><p>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Feb 23 2013</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#idp1435840">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversarygoals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversarypositioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">4.8. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp5757152">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp1435840"></a>1. Introduction</h2></div></div></div><p>
 
 This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>,
 <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a>  of the Tor Browser. It is current as of Tor Browser 2.3.25-4
@@ -13,27 +13,27 @@ describe a reference implementation of a Private Browsing Mode that defends
 against active network adversaries, in addition to the passive forensic local
 adversary currently addressed by the major browsers.
 
-  </p><div class="sect2" title="1.1. Browser Component Overview"><div class="titlepage"><div><div><h3 class="title"><a id="components"/>1.1. Browser Component Overview</h3></div></div></div><p>
+  </p><div class="sect2" title="1.1. Browser Component Overview"><div class="titlepage"><div><div><h3 class="title"><a id="components"></a>1.1. Browser Component Overview</h3></div></div></div><p>
 
-The Tor Browser is based on <a class="ulink" href="https://www.mozilla.org/en-US/firefox/organizations/">Mozilla's Extended
+The Tor Browser is based on <a class="ulink" href="https://www.mozilla.org/en-US/firefox/organizations/" target="_top">Mozilla's Extended
 Support Release (ESR) Firefox branch</a>. We have a <a class="link" href="#firefox-patches" title="4.8. Description of Firefox Patches">series of patches</a> against this browser to
 enhance privacy and security. Browser behavior is additionally augmented
-through the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/master">Torbutton
+through the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/master" target="_top">Torbutton
 extension</a>, though we are in the process of moving this
-functionality into direct Firefox patches. We also <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/config/pound_tor.js">change
+functionality into direct Firefox patches. We also <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/config/pound_tor.js" target="_top">change
 a number of Firefox preferences</a> from their defaults.
 
    </p><p>
 
 To help protect against potential Tor Exit Node eavesdroppers, we include
-<a class="ulink" href="https://www.eff.org/https-everywhere">HTTPS-Everywhere</a>. To
+<a class="ulink" href="https://www.eff.org/https-everywhere" target="_top">HTTPS-Everywhere</a>. To
 provide users with optional defense-in-depth against Javascript and other
-potential exploit vectors, we also include <a class="ulink" href="http://noscript.net/">NoScript</a>. To protect against
-PDF-based Tor proxy bypass and to improve usability, we include the <a class="ulink" href="https://addons.mozilla.org/en-us/firefox/addon/pdfjs/">PDF.JS</a>
-extension. We also modify <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/config/extension-overrides.js">several
+potential exploit vectors, we also include <a class="ulink" href="http://noscript.net/" target="_top">NoScript</a>. To protect against
+PDF-based Tor proxy bypass and to improve usability, we include the <a class="ulink" href="https://addons.mozilla.org/en-us/firefox/addon/pdfjs/" target="_top">PDF.JS</a>
+extension. We also modify <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/config/extension-overrides.js" target="_top">several
 extension preferences</a> from their defaults.
 
-   </p></div></div><div class="sect1" title="2. Design Requirements and Philosophy"><div class="titlepage"><div><div><h2 class="title"><a id="DesignRequirements"/>2. Design Requirements and Philosophy</h2></div></div></div><p>
+   </p></div></div><div class="sect1" title="2. Design Requirements and Philosophy"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p>
 
 The Tor Browser Design Requirements are meant to describe the properties of a
 Private Browsing Mode that defends against both network and local forensic
@@ -57,9 +57,9 @@ browser distribution.
       The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
       NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
       "OPTIONAL" in this document are to be interpreted as described in
-      <a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt">RFC 2119</a>.
+      <a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt" target="_top">RFC 2119</a>.
 
-  </p><div class="sect2" title="2.1. Security Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="security"/>2.1. Security Requirements</h3></div></div></div><p>
+  </p><div class="sect2" title="2.1. Security Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="security"></a>2.1. Security Requirements</h3></div></div></div><p>
 
 The security requirements are primarily concerned with ensuring the safe use
 of Tor. Violations in these properties typically result in serious risk for
@@ -67,7 +67,7 @@ the user in terms of immediate deanonymization and/or observability. With
 respect to browser support, security requirements are the minimum properties
 in order for Tor to support the use of a particular browser.
 
-   </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience"><span class="command"><strong>Proxy
+   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience"><span class="command"><strong>Proxy
 Obedience</strong></span></a><p>The browser
 MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a class="link" href="#state-separation" title="4.2. State Separation"><span class="command"><strong>State
 Separation</strong></span></a><p>The browser MUST NOT provide any stored state to the content window
@@ -96,7 +96,7 @@ to permissions issues with access to swap, implementations MAY choose to leave
 it out of scope, and/or leave it to the Operating System/platform to implement
 ephemeral-keyed encrypted swap.
 
-</p></li></ol></div></div><div class="sect2" title="2.2. Privacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"/>2.2. Privacy Requirements</h3></div></div></div><p>
+</p></li></ol></div></div><div class="sect2" title="2.2. Privacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p>
 
 The privacy requirements are primarily concerned with reducing linkability:
 the ability for a user's activity on one site to be linked with their activity
@@ -113,7 +113,7 @@ second-level DNS name.  For example, for mail.google.com, the origin would be
 google.com. Implementations MAY, at their option, restrict the url bar origin
 to be the entire fully qualified domain name.
 
-   </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin
+   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin
 Identifier Unlinkability</strong></span></a><p>
 
 User activity on one url bar origin MUST NOT be linkable to their activity in
@@ -140,12 +140,12 @@ authentication tokens and browser state and obtain a fresh identity.
 Additionally, the browser SHOULD clear linkable state by default automatically
 upon browser restart, except at user option.
 
-  </p></li></ol></div></div><div class="sect2" title="2.3. Philosophy"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"/>2.3. Philosophy</h3></div></div></div><p>
+  </p></li></ol></div></div><div class="sect2" title="2.3. Philosophy"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"></a>2.3. Philosophy</h3></div></div></div><p>
 
 In addition to the above design requirements, the technology decisions about
 Tor Browser are also guided by some philosophical positions about technology.
 
-   </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p>
+   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p>
 
 The existing way that the user expects to use a browser must be preserved. If
 the user has to maintain a different mental model of how the sites they are
@@ -156,7 +156,7 @@ result. Worse, they may just stop using the browser, assuming it is broken.
 
       </p><p>
 
-User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton">failures
+User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton" target="_top">failures
 of Torbutton</a>: Even if users managed to install everything properly,
 the toggle model was too hard for the average user to understand, especially
 in the face of accumulating tabs from multiple states crossed with the current
@@ -188,16 +188,16 @@ to reduce cross-origin fingerprinting linkability.
 
        </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p>
 
-<a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100">Another
+<a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">Another
 failure of Torbutton</a> was the options panel. Each option
 that detectably alters browser behavior can be used as a fingerprinting tool.
-Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html">SHOULD be
+Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html" target="_top">SHOULD be
 disabled in the mode</a> except as an opt-in basis. We SHOULD NOT load
 system-wide and/or Operating System provided addons or plugins.
 
      </p><p>
 Instead of global browser privacy options, privacy decisions SHOULD be made
-<a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI">per
+<a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI" target="_top">per
 url bar origin</a> to eliminate the possibility of linkability
 between domains. For example, when a plugin object (or a Javascript access of
 window.plugins) is present in a page, the user should be given the choice of
@@ -209,9 +209,9 @@ If the user has indicated they wish to record local history storage, these
 permissions can be written to disk. Otherwise, they MUST remain memory-only. 
      </p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p>
 
-Site-specific or filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/">AdBlock
-Plus</a>, <a class="ulink" href="http://requestpolicy.com/">Request Policy</a>,
-<a class="ulink" href="http://www.ghostery.com/about">Ghostery</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/">Sharemenot</a> are to be
+Site-specific or filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/" target="_top">AdBlock
+Plus</a>, <a class="ulink" href="http://requestpolicy.com/" target="_top">Request Policy</a>,
+<a class="ulink" href="http://www.ghostery.com/about" target="_top">Ghostery</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/" target="_top">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/" target="_top">Sharemenot</a> are to be
 avoided. We believe that these addons do not add any real privacy to a proper
 <a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, and that development efforts
 should be focused on general solutions that prevent tracking by all
@@ -238,13 +238,13 @@ We believe that if we do not stay current with the support of new web
 technologies, we cannot hope to substantially influence or be involved in
 their proper deployment or privacy realization. However, we will likely disable
 high-risk features pending analysis, audit, and mitigation.
-      </p></li></ol></div></div></div><div class="sect1" title="3. Adversary Model"><div class="titlepage"><div><div><h2 class="title"><a id="adversary"/>3. Adversary Model</h2></div></div></div><p>
+      </p></li></ol></div></div></div><div class="sect1" title="3. Adversary Model"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="adversary"></a>3. Adversary Model</h2></div></div></div><p>
 
 A Tor web browser adversary has a number of goals, capabilities, and attack
 types that can be used to illustrate the design requirements for the
 Tor Browser. Let's start with the goals.
 
-   </p><div class="sect2" title="3.1. Adversary Goals"><div class="titlepage"><div><div><h3 class="title"><a id="adversarygoals"/>3.1. Adversary Goals</h3></div></div></div><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of 
+   </p><div class="sect2" title="3.1. Adversary Goals"><div class="titlepage"><div><div><h3 class="title"><a id="adversarygoals"></a>3.1. Adversary Goals</h3></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of 
 Tor, causing the user to directly connect to an IP of the adversary's
 choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
 happily settle for the ability to correlate something a user did via Tor with
@@ -283,10 +283,10 @@ In some cases, the adversary may opt for a heavy-handed approach, such as
 seizing the computers of all Tor users in an area (especially after narrowing
 the field by the above two pieces of information). History records and cache
 data are the primary goals here.
-     </p></li></ol></div></div><div class="sect2" title="3.2. Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h3 class="title"><a id="adversarypositioning"/>3.2. Adversary Capabilities - Positioning</h3></div></div></div><p>
+     </p></li></ol></div></div><div class="sect2" title="3.2. Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h3 class="title"><a id="adversarypositioning"></a>3.2. Adversary Capabilities - Positioning</h3></div></div></div><p>
 The adversary can position themselves at a number of different locations in
 order to execute their attacks.
-    </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
+    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
 The adversary can run exit nodes, or alternatively, they may control routers
 upstream of exit nodes. Both of these scenarios have been observed in the
 wild.
@@ -306,7 +306,7 @@ Users in Internet cafes, for example, face such a threat. In addition, in
 countries where simply using tools like Tor is illegal, users may face
 confiscation of their computer equipment for excessive Tor usage or just
 general suspicion.
-     </p></li></ol></div></div><div class="sect2" title="3.3. Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h3 class="title"><a id="attacks"/>3.3. Adversary Capabilities - Attacks</h3></div></div></div><p>
+     </p></li></ol></div></div><div class="sect2" title="3.3. Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h3 class="title"><a id="attacks"></a>3.3. Adversary Capabilities - Attacks</h3></div></div></div><p>
 
 The adversary can perform the following attacks from a number of different 
 positions to accomplish various aspects of their goals. It should be noted
@@ -316,7 +316,7 @@ CSS elements, and plugins. Others are performed by ad servers seeking to
 correlate users' activity across different IP addresses, and still others are
 performed by malicious agents on the Tor network and at national firewalls.
 
-    </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>
+    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>
 
 The browser contains multiple facilities for storing identifiers that the
 adversary creates for the purposes of tracking users. These identifiers are
@@ -329,7 +329,7 @@ even TLS Session IDs.
 An adversary in a position to perform MITM content alteration can inject
 document content elements to both read and inject cookies for arbitrary
 domains. In fact, even many "SSL secured" websites are vulnerable to this sort of
-<a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html">active
+<a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
 sidejacking</a>. In addition, the ad networks of course perform tracking
 with cookies as well.
 
@@ -337,7 +337,7 @@ with cookies as well.
 
 These types of attacks are attempts at subverting our <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">Cross-Origin Identifier Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">Long-Term Unlikability</a> design requirements.
 
-     </p></li><li class="listitem"><a id="fingerprinting"/><span class="command"><strong>Fingerprint users based on browser
+     </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
 attributes</strong></span><p>
 
 There is an absurd amount of information available to websites via attributes
@@ -356,10 +356,10 @@ to linkability between visits.
 
 </p><p>
 
-The <a class="ulink" href="https://panopticlick.eff.org/about.php">Panopticlick study
-done</a> by the EFF uses the <a class="ulink" href="https://en.wikipedia.org/wiki/Entropy_%28information_theory%29">Shannon
+The <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">Panopticlick study
+done</a> by the EFF uses the <a class="ulink" href="https://en.wikipedia.org/wiki/Entropy_%28information_theory%29" target="_top">Shannon
 entropy</a> - the number of identifying bits of information encoded in
-browser properties - as this metric. Their <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data">result data</a> is
+browser properties - as this metric. Their <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">result data</a> is
 definitely useful, and the metric is probably the appropriate one for
 determining how identifying a particular browser property is. However, some
 quirks of their study means that they do not extract as much information as
@@ -375,7 +375,7 @@ final.
 Despite the uncertainty, all fingerprinting attacks leverage the following
 attack vectors:
 
-     </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p>
+     </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p>
 
 Properties of the user's request behavior comprise the bulk of low-hanging
 fingerprinting targets. These include: User agent, Accept-* headers, pipeline
@@ -390,11 +390,11 @@ objects such as window.screen and window.navigator to extract information
 about the useragent. 
 
 Also, Javascript can be used to query the user's timezone via the
-<code class="function">Date()</code> object, <a class="ulink" href="https://www.khronos.org/registry/webgl/specs/1.0/#5.13">WebGL</a> can
+<code class="function">Date()</code> object, <a class="ulink" href="https://www.khronos.org/registry/webgl/specs/1.0/#5.13" target="_top">WebGL</a> can
 reveal information about the video card in use, and high precision timing
-information can be used to <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf">fingerprint the CPU and
+information can be used to <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">fingerprint the CPU and
 interpreter speed</a>. In the future, new JavaScript features such as
-<a class="ulink" href="http://w3c-test.org/webperf/specs/ResourceTiming/">Resource
+<a class="ulink" href="http://w3c-test.org/webperf/specs/ResourceTiming/" target="_top">Resource
 Timing</a> may leak an unknown amount of network timing related
 information.
 
@@ -408,7 +408,7 @@ fingerprintability. Additionally, plugins are capable of extracting font lists,
 interface addresses, and other machine information that is beyond what the
 browser would normally provide to content. In addition, plugins can be used to
 store unique identifiers that are more difficult to clear than standard
-cookies.  <a class="ulink" href="http://epic.org/privacy/cookies/flash.html">Flash-based
+cookies.  <a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
 cookies</a> fall into this category, but there are likely numerous other
 examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy
 settings of the browser. 
@@ -416,7 +416,7 @@ settings of the browser.
 
      </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>
 
-<a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries">CSS media
+<a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries" target="_top">CSS media
 queries</a> can be inserted to gather information about the desktop size,
 widget size, display type, DPI, user agent type, and other information that
 was formerly available only to Javascript.
@@ -429,11 +429,11 @@ browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
 install malware and surveillance software. An adversary with physical access
 can perform similar actions. Regrettably, this last attack capability is
 outside of the browser's ability to defend against, but it is worth mentioning
-for completeness. In fact, <a class="ulink" href="http://tails.boum.org/contribute/design/">The Tails system</a> can
+for completeness. In fact, <a class="ulink" href="http://tails.boum.org/contribute/design/" target="_top">The Tails system</a> can
 provide some defense against this adversary, and it does include the Tor
 Browser.
 
-     </p></li></ol></div></div></div><div class="sect1" title="4. Implementation"><div class="titlepage"><div><div><h2 class="title"><a id="Implementation"/>4. Implementation</h2></div></div></div><p>
+     </p></li></ol></div></div></div><div class="sect1" title="4. Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>4. Implementation</h2></div></div></div><p>
 
 The Implementation section is divided into subsections, each of which
 corresponds to a <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">Design Requirement</a>.
@@ -446,15 +446,15 @@ In some cases, the implementation meets the design requirements in a non-ideal
 way (for example, by disabling features). In rare cases, there may be no
 implementation at all. Both of these cases are denoted by differentiating
 between the <span class="command"><strong>Design Goal</strong></span> and the <span class="command"><strong>Implementation
-Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report">Tor bug tracker</a>
+Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report" target="_top">Tor bug tracker</a>
 are typically linked for these cases.
 
-  </p><div class="sect2" title="4.1. Proxy Obedience"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"/>4.1. Proxy Obedience</h3></div></div></div><p>
+  </p><div class="sect2" title="4.1. Proxy Obedience"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>4.1. Proxy Obedience</h3></div></div></div><p>
 
 Proxy obedience is assured through the following:
-   </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem">Firefox proxy settings, patches, and build flags
+   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Firefox proxy settings, patches, and build flags
  <p>
-Our <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/config/pound_tor.js">Firefox
+Our <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/config/pound_tor.js" target="_top">Firefox
 preferences file</a> sets the Firefox proxy settings to use Tor directly as a
 SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,
 <span class="command"><strong>network.proxy.socks_version</strong></span>,
@@ -462,10 +462,10 @@ SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dn
 <span class="command"><strong>network.dns.disablePrefetch</strong></span>.
  </p><p>
 
-We also patch Firefox in order to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0016-Prevent-WebSocket-DNS-leak.patch">prevent
+We also patch Firefox in order to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0016-Prevent-WebSocket-DNS-leak.patch" target="_top">prevent
 a DNS leak due to a WebSocket rate-limiting check</a>. As stated in the
 patch, we believe the direct DNS resolution performed by this check is in
-violation of the W3C standard, but <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=751465">this DNS proxy leak
+violation of the W3C standard, but <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=751465" target="_top">this DNS proxy leak
 remains present in stock Firefox releases</a>.
 
  </p><p>
@@ -491,11 +491,11 @@ as smb urls and other custom protocol handlers are all blocked.
  </p><p>
 
 Numerous other third parties have also reviewed and tested the proxy settings
-and have provided test cases based on their work. See in particular <a class="ulink" href="http://decloak.net/">decloak.net</a>. 
+and have provided test cases based on their work. See in particular <a class="ulink" href="http://decloak.net/" target="_top">decloak.net</a>. 
 
  </p></li><li class="listitem">Disabling plugins
 
- <p>Plugins have the ability to make arbitrary OS system calls and  <a class="ulink" href="http://decloak.net/">bypass proxy settings</a>. This includes
+ <p>Plugins have the ability to make arbitrary OS system calls and  <a class="ulink" href="http://decloak.net/" target="_top">bypass proxy settings</a>. This includes
 the ability to make UDP sockets and send arbitrary data independent of the
 browser proxy settings.
  </p><p>
@@ -510,7 +510,7 @@ restricted from automatic load through Firefox's click-to-play preference
  </p><p>
 In addition, to reduce any unproxied activity by arbitrary plugins at load
 time, and to reduce the fingerprintability of the installed plugin list, we
-also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch">prevent the load of any plugins except
+also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch" target="_top">prevent the load of any plugins except
 for Flash and Gnash</a>.
 
  </p></li><li class="listitem">External App Blocking
@@ -518,7 +518,7 @@ for Flash and Gnash</a>.
 External apps, if launched automatically, can be induced to load files that
 perform network activity. In order to prevent this, Torbutton installs a
 component to 
-<a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js">
+<a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js" target="_top">
 provide the user with a popup</a> whenever the browser attempts to
 launch a helper app. 
 
@@ -526,30 +526,30 @@ Additionally, due to an issue with Ubuntu Unity, url-based drag and drop is
 filtered by this component. Unity was pre-fetching URLs without using the
 browser's proxy settings during a drag action, even if the drop was ultimately
 canceled by the user. A similar issue was discovered on Mac OS.
-  </p></li></ol></div></div><div class="sect2" title="4.2. State Separation"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"/>4.2. State Separation</h3></div></div></div><p>
+  </p></li></ol></div></div><div class="sect2" title="4.2. State Separation"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"></a>4.2. State Separation</h3></div></div></div><p>
 Tor Browser State is separated from existing browser state through use of a
 custom Firefox profile. Furthermore, plugins are disabled, which prevents
 Flash cookies from leaking from a pre-existing Flash directory.
-   </p></div><div class="sect2" title="4.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"/>4.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5523344"/>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
+   </p></div><div class="sect2" title="4.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5528304"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
 
 The User Agent MUST (at user option) prevent all disk records of browser activity.
 The user should be able to optionally enable URL history and other history
 features if they so desire. 
 
-    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5524704"/>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
+    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5529664"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
 
 We achieve this goal through several mechanisms. First, we set the Firefox
 Private Browsing preference
 <span class="command"><strong>browser.privatebrowsing.autostart</strong></span>. In addition, four Firefox patches are needed to prevent disk writes, even if
 Private Browsing Mode is enabled. We need to
 
-<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0002-Make-Permissions-Manager-memory-only.patch">prevent
+<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0002-Make-Permissions-Manager-memory-only.patch" target="_top">prevent
 the permissions manager from recording HTTPS STS state</a>,
-<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0003-Make-Intermediate-Cert-Store-memory-only.patch">prevent
+<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0003-Make-Intermediate-Cert-Store-memory-only.patch" target="_top">prevent
 intermediate SSL certificates from being recorded</a>,
-<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0013-Make-Download-manager-memory-only.patch">prevent
+<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0013-Make-Download-manager-memory-only.patch" target="_top">prevent
 download history from being recorded</a>, and
-<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0006-Make-content-pref-service-memory-only-clearable.patch">prevent
+<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0006-Make-content-pref-service-memory-only-clearable.patch" target="_top">prevent
 the content preferences service from recording site zoom</a>.
 
 For more details on these patches, <a class="link" href="#firefox-patches" title="4.8. Description of Firefox Patches">see the
@@ -558,7 +558,7 @@ Firefox Patches section</a>.
     </blockquote></div><div class="blockquote"><blockquote class="blockquote">
 
 As an additional defense-in-depth measure, we set the following preferences:
-<span class="command"><strong/></span>,
+<span class="command"><strong></strong></span>,
 <span class="command"><strong>browser.cache.disk.enable</strong></span>,
 <span class="command"><strong>browser.cache.offline.enable</strong></span>,
 <span class="command"><strong>dom.indexedDB.enabled</strong></span>,
@@ -574,11 +574,11 @@ auditing work to ensure that yet.
 
     </blockquote></div><div class="blockquote"><blockquote class="blockquote">
 
-Torbutton also <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/components/tbSessionStore.js">contains
+Torbutton also <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/components/tbSessionStore.js" target="_top">contains
 code</a> to prevent the Firefox session store from writing to disk.
     </blockquote></div><div class="blockquote"><blockquote class="blockquote">
 
-For more details on disk leak bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&amp;status=!closed">tbb-disk-leak tag in our bugtracker</a></blockquote></div></div></div><div class="sect2" title="4.4. Application Data Isolation"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"/>4.4. Application Data Isolation</h3></div></div></div><p>
+For more details on disk leak bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&amp;status=!closed" target="_top">tbb-disk-leak tag in our bugtracker</a></blockquote></div></div></div><div class="sect2" title="4.4. Application Data Isolation"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"></a>4.4. Application Data Isolation</h3></div></div></div><p>
 
 Tor Browser Bundle MUST NOT cause any information to be written outside of the
 bundle directory. This is to ensure that the user is able to completely and
@@ -592,7 +592,7 @@ To ensure TBB directory isolation, we set
 <span class="command"><strong>browser.shell.checkDefaultBrowser</strong></span>, and
 <span class="command"><strong>browser.download.manager.addToRecentDocs</strong></span>. We also set the
 $HOME environment variable to be the TBB extraction directory.
-   </p></div><div class="sect2" title="4.5. Cross-Origin Identifier Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"/>4.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>
+   </p></div><div class="sect2" title="4.5. Cross-Origin Identifier Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"></a>4.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>
 
 The Tor Browser MUST prevent a user's activity on one site from being linked
 to their activity on another site. When this goal cannot yet be met with an
@@ -616,7 +616,7 @@ the url bar origin for which browser state exists, possibly with a
 context-menu option to drill down into specific types of state or permissions.
 An example of this simplification can be seen in Figure 1.
 
-   </p><div class="figure"><a id="idp5548704"/><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" style="text-align: center"><img src="NewCookieManager.png" style="text-align: middle" alt="Improving the Privacy UI"/></div><div class="caption"><p/>
+   </p><div class="figure"><a id="idp5553664"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
 
 This example UI is a mock-up of how isolating identifiers to the URL bar
 origin can simplify the privacy UI for all data - not just cookies. Once
@@ -624,11 +624,11 @@ browser identifiers and site permissions operate on a url bar basis, the same
 privacy window can represent browsing history, DOM Storage, HTTP Auth, search
 form history, login values, and so on within a context menu for each site.
 
-</div></div></div><br class="figure-break"/><div class="orderedlist"><ol class="orderedlist"><li class="listitem">Cookies
+</div></div></div><br class="figure-break" /><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Cookies
      <p><span class="command"><strong>Design Goal:</strong></span>
 
 All cookies MUST be double-keyed to the url bar origin and third-party
-origin. There exists a <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965">Mozilla bug</a>
+origin. There exists a <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965" target="_top">Mozilla bug</a>
 that contains a prototype patch, but it lacks UI, and does not apply to modern
 Firefoxes.
 
@@ -644,17 +644,17 @@ unlinkability trumps that desire.
      <p>
 
 Cache is isolated to the url bar origin by using a technique pioneered by
-Colin Jackson et al, via their work on <a class="ulink" href="http://www.safecache.com/">SafeCache</a>. The technique re-uses the
-<a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsICachingChannel">nsICachingChannel.cacheKey</a>
+Colin Jackson et al, via their work on <a class="ulink" href="http://www.safecache.com/" target="_top">SafeCache</a>. The technique re-uses the
+<a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsICachingChannel" target="_top">nsICachingChannel.cacheKey</a>
 attribute that Firefox uses internally to prevent improper caching and reuse
 of HTTP POST data.  
 
      </p><p>
 
-However, to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666">increase the
-security of the isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754">solve conflicts
+However, to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the
+security of the isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve conflicts
 with OCSP relying the cacheKey property for reuse of POST requests</a>, we
-had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0004-Add-a-string-based-cacheKey.patch">patch
+had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0004-Add-a-string-based-cacheKey.patch" target="_top">patch
 Firefox to provide a cacheDomain cache attribute</a>. We use the fully
 qualified url bar domain as input to this field.
 
@@ -669,9 +669,9 @@ opposed to relying solely on the referer property.
 
      </p><p>
 
-Therefore, <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html">the original
+Therefore, <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">the original
 Stanford test cases</a> are expected to fail. Functionality can still be
-verified by navigating to <a class="ulink" href="about:cache">about:cache</a> and
+verified by navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and
 viewing the key used for each cache entry. Each third party element should
 have an additional "domain=string" property prepended, which will list the
 FQDN that was used to source the third party element.
@@ -679,22 +679,22 @@ FQDN that was used to source the third party element.
      </p><p>
 
 Additionally, because the image cache is a separate entity from the content
-cache, we had to patch Firefox to also <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0024-Isolate-the-Image-Cache-per-url-bar-domain.patch">isolate
+cache, we had to patch Firefox to also <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0024-Isolate-the-Image-Cache-per-url-bar-domain.patch" target="_top">isolate
 this cache per url bar domain</a>.
 
      </p></li><li class="listitem">HTTP Auth
      <p>
 
 HTTP authentication tokens are removed for third party elements using the
-<a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers#Observers">http-on-modify-request
-observer</a> to remove the Authorization headers to prevent <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html">silent
+<a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers#Observers" target="_top">http-on-modify-request
+observer</a> to remove the Authorization headers to prevent <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent
 linkability between domains</a>. 
      </p></li><li class="listitem">DOM Storage
      <p>
 
 DOM storage for third party domains MUST be isolated to the url bar origin,
 to prevent linkability between sites. This functionality is provided through a
-<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0026-Isolate-DOM-storage-to-first-party-URI.patch">patch
+<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0026-Isolate-DOM-storage-to-first-party-URI.patch" target="_top">patch
 to Firefox</a>.
 
      </p></li><li class="listitem">Flash cookies
@@ -702,12 +702,12 @@ to Firefox</a>.
 
 Users should be able to click-to-play flash objects from trusted sites. To
 make this behavior unlinkable, we wish to include a settings file for all platforms that disables flash
-cookies using the <a class="ulink" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html">Flash
+cookies using the <a class="ulink" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html" target="_top">Flash
 settings manager</a>.
 
      </p><p><span class="command"><strong>Implementation Status:</strong></span>
 
-We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974">having
+We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">having
 difficulties</a> causing Flash player to use this settings
 file on Windows, so Flash remains difficult to enable.
 
@@ -723,10 +723,10 @@ origin MUST NOT be reused for that same third party in another url bar origin.
 We currently clear SSL Session IDs upon <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New
 Identity</a>, we disable TLS Session Tickets via the Firefox Pref
 <span class="command"><strong>security.enable_tls_session_tickets</strong></span>. We disable SSL Session
-IDs via a <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0008-Disable-SSL-Session-ID-tracking.patch">patch
+IDs via a <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0008-Disable-SSL-Session-ID-tracking.patch" target="_top">patch
 to Firefox</a>. To compensate for the increased round trip latency from disabling
 these performance optimizations, we also enable
-<a class="ulink" href="https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00">TLS
+<a class="ulink" href="https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00" target="_top">TLS
 False Start</a> via the Firefox Pref 
 <span class="command"><strong>security.ssl.enable_false_start</strong></span>.
     </p><p>
@@ -761,16 +761,16 @@ federated login systems) SHOULD still allow identifiers to persist.
     </p><p><span class="command"><strong>Implementation status:</strong></span>
 
 There are numerous ways for the user to be redirected, and the Firefox API
-support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600">trac bug
+support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug
 open</a> to implement what we can.
 
     </p></li><li class="listitem">window.name
      <p>
 
-<a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name">window.name</a> is
+<a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
 a magical DOM property that for some reason is allowed to retain a persistent value
 for the lifespan of a browser tab. It is possible to utilize this property for
-<a class="ulink" href="http://www.thomasfrank.se/sessionvars.html">identifier
+<a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
 storage</a>.
 
      </p><p>
@@ -788,7 +788,7 @@ https/http schemes, the property is cleared.
 We disable the password saving functionality in the browser as part of our
 <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> requirement. However,
 since users may decide to re-enable disk history records and password saving,
-we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms">signon.autofillForms</a>
+we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms" target="_top">signon.autofillForms</a>
 preference to false to prevent saved values from immediately populating
 fields upon page load. Since Javascript can read these values as soon as they
 appear, setting this preference prevents automatic linkability from stored passwords.
@@ -796,7 +796,7 @@ appear, setting this preference prevents automatic linkability from stored passw
      </p></li><li class="listitem">HSTS supercookies
       <p>
 
-An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html">HSTS
+An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html" target="_top">HSTS
 supercookies</a>. Since HSTS effectively stores one bit of information per domain
 name, an adversary in possession of numerous domains can use them to construct
 cookies based on stored HSTS state.
@@ -823,17 +823,17 @@ observers from linking concurrent browsing activity.
      </p><p><span class="command"><strong>Implementation Status:</strong></span>
 
 The Tor feature that supports this ability only exists in the 0.2.3.x-alpha
-series. <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3455">Ticket
+series. <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3455" target="_top">Ticket
 #3455</a> is the Torbutton ticket to make use of the new Tor
 functionality.
 
      </p></li></ol></div><p>
-For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-linkability&amp;status=!closed">tbb-linkability tag in our bugtracker</a>
-  </p></div><div class="sect2" title="4.6. Cross-Origin Fingerprinting Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"/>4.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>
+For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-linkability&amp;status=!closed" target="_top">tbb-linkability tag in our bugtracker</a>
+  </p></div><div class="sect2" title="4.6. Cross-Origin Fingerprinting Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>4.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>
 
 In order to properly address the fingerprinting adversary on a technical
 level, we need a metric to measure linkability of the various browser
-properties beyond any stored origin-related state. <a class="ulink" href="https://panopticlick.eff.org/about.php">The Panopticlick Project</a>
+properties beyond any stored origin-related state. <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">The Panopticlick Project</a>
 by the EFF provides us with a prototype of such a metric. The researchers
 conducted a survey of volunteers who were asked to visit an experiment page
 that harvested many of the above components. They then computed the Shannon
@@ -858,11 +858,11 @@ on browser data spanning a number of widely deployed browsers over a number of
 years, any fingerprinting defenses attempted by browsers today are very likely
 to cause Panopticlick to report an <span class="emphasis"><em>increase</em></span> in
 fingerprintability and entropy, because those defenses will stand out in sharp
-contrast to historical data. We have been <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/6119">working to convince
+contrast to historical data. We have been <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/6119" target="_top">working to convince
 the EFF</a> that it is worthwhile to release the source code to
 Panopticlick to allow us to run our own version for this reason.
 
-   </p><div class="sect3" title="Fingerprinting defenses in the Tor Browser"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"/>Fingerprinting defenses in the Tor Browser</h4></div></div></div><div class="orderedlist"><ol class="orderedlist"><li class="listitem">Plugins
+   </p><div class="sect3" title="Fingerprinting defenses in the Tor Browser"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"></a>Fingerprinting defenses in the Tor Browser</h4></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Plugins
      <p>
 
 Plugins add to fingerprinting risk via two main vectors: their mere presence in
@@ -874,7 +874,7 @@ All plugins that have not been specifically audited or sandboxed MUST be
 disabled. To reduce linkability potential, even sandboxed plugins should not
 be allowed to load objects until the user has clicked through a click-to-play
 barrier.  Additionally, version information should be reduced or obfuscated
-until the plugin object is loaded. For flash, we wish to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974">provide a
+until the plugin object is loaded. For flash, we wish to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">provide a
 settings.sol file</a> to disable Flash cookies, and to restrict P2P
 features that are likely to bypass proxy settings.
 
@@ -884,7 +884,7 @@ Currently, we entirely disable all plugins in Tor Browser. However, as a
 compromise due to the popularity of Flash, we allow users to re-enable Flash,
 and flash objects are blocked behind a click-to-play barrier that is available
 only after the user has specifically enabled plugins. Flash is the only plugin
-available, the rest are <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch">entirely
+available, the rest are <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch" target="_top">entirely
 blocked from loading by a Firefox patch</a>. We also set the Firefox
 preference <span class="command"><strong>plugin.expose_full_path</strong></span> to false, to avoid
 leaking plugin installation information.
@@ -892,11 +892,11 @@ leaking plugin installation information.
      </p></li><li class="listitem">HTML5 Canvas Image Extraction
      <p>
 
-The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Canvas">HTML5
+The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Canvas" target="_top">HTML5
 Canvas</a> is a feature that has been added to major browsers after the
 EFF developed their Panopticlick study. After plugins and plugin-provided
 information, we believe that the HTML5 Canvas is the single largest
-fingerprinting threat browsers face today. <a class="ulink" href="http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf">Initial
+fingerprinting threat browsers face today. <a class="ulink" href="http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf" target="_top">Initial
 studies</a> show that the Canvas can provide an easy-access fingerprinting
 target: The adversary simply renders WebGL, font, and named color data to a
 Canvas element, extracts the image buffer, and computes a hash of that image
@@ -907,7 +907,7 @@ image can be used almost identically to a tracking cookie by the web server.
 
      </p><p>
 
-To reduce the threat from this vector, we have patched Firefox to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0020-Add-canvas-image-extraction-prompt.patch">prompt
+To reduce the threat from this vector, we have patched Firefox to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0020-Add-canvas-image-extraction-prompt.patch" target="_top">prompt
 before returning valid image data</a> to the Canvas APIs. If the user
 hasn't previously allowed the site in the URL bar to access Canvas image data,
 pure white image data is returned to the Javascript APIs.
@@ -921,7 +921,7 @@ fingerprinting.
 
      </p><p>
 
-Because of the large amount of potential fingerprinting vectors and the <a class="ulink" href="http://www.contextis.com/resources/blog/webgl/">previously unexposed
+Because of the large amount of potential fingerprinting vectors and the <a class="ulink" href="http://www.contextis.com/resources/blog/webgl/" target="_top">previously unexposed
 vulnerability surface</a>, we deploy a similar strategy against WebGL as
 for plugins. First, WebGL Canvases have click-to-play placeholders (provided
 by NoScript), and do not run until authorized by the user. Second, we
@@ -947,7 +947,7 @@ still be available.
 The sure-fire way to address font linkability is to ship the browser with a
 font for every language, typeface, and style in use in the world, and to only
 use those fonts at the exclusion of system fonts.  However, this set may be
-impractically large. It is possible that a smaller <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/Unicode_typeface#List_of_Unicode_fonts">common
+impractically large. It is possible that a smaller <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/Unicode_typeface#List_of_Unicode_fonts" target="_top">common
 subset</a> may be found that provides total coverage. However, we believe
 that with strong url bar origin identifier isolation, a simpler approach can reduce the
 number of bits available to the adversary while avoiding the rendering and
@@ -957,7 +957,7 @@ language issues of supporting a global font set.
 
 We disable plugins, which prevents font enumeration. Additionally, we limit
 both the number of font queries from CSS, as well as the total number of 
-fonts that can be used in a document <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0011-Limit-the-number-of-fonts-per-document.patch">with
+fonts that can be used in a document <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0011-Limit-the-number-of-fonts-per-document.patch" target="_top">with
 a Firefox patch</a>. We create two prefs,
 <span class="command"><strong>browser.display.max_font_attempts</strong></span> and
 <span class="command"><strong>browser.display.max_font_count</strong></span> for this purpose. Once these
@@ -967,7 +967,7 @@ still working to determine optimal values for these prefs.
 
      </p><p>
 
-To improve rendering, we exempt remote <a class="ulink" href="https://developer.mozilla.org/en-US/docs/CSS/@font-face">@font-face
+To improve rendering, we exempt remote <a class="ulink" href="https://developer.mozilla.org/en-US/docs/CSS/@font-face" target="_top">@font-face
 fonts</a> from these counts, and if a font-family CSS rule lists a remote
 font (in any order), we use that font instead of any of the named local fonts.
 
@@ -992,13 +992,13 @@ desktop resolution.
 
      </p><p><span class="command"><strong>Implementation Status:</strong></span>
 
-We have implemented the above strategy using a window observer to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/torbutton.js#l2004">resize
+We have implemented the above strategy using a window observer to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/torbutton.js#l2004" target="_top">resize
 new windows based on desktop resolution</a>. Additionally, we patch
-Firefox to use the client content window size <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0022-Do-not-expose-physical-screen-info.-via-window-and-w.patch">for
-window.screen</a> and <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0010-Limit-device-and-system-specific-CSS-Media-Queries.patch">for
-CSS Media Queries</a>. Similarly, we <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0021-Return-client-window-coordinates-for-mouse-event-scr.patch">patch
+Firefox to use the client content window size <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0022-Do-not-expose-physical-screen-info.-via-window-and-w.patch" target="_top">for
+window.screen</a> and <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0010-Limit-device-and-system-specific-CSS-Media-Queries.patch" target="_top">for
+CSS Media Queries</a>. Similarly, we <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0021-Return-client-window-coordinates-for-mouse-event-scr.patch" target="_top">patch
 DOM events to return content window relative points</a>. We also patch
-Firefox to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0023-Do-not-expose-system-colors-to-CSS-or-canvas.patch">report
+Firefox to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0023-Do-not-expose-system-colors-to-CSS-or-canvas.patch" target="_top">report
 a fixed set of system colors to content window CSS</a>.
 
      </p></li><li class="listitem">User Agent and HTTP Headers
@@ -1014,8 +1014,8 @@ these headers should remain identical across the population even when updated.
 Firefox provides several options for controlling the browser user agent string
 which we leverage. We also set similar prefs for controlling the
 Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
-<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0001-Block-Components.interfaces-from-content.patch">remove
-content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html">can be
+<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0001-Block-Components.interfaces-from-content.patch" target="_top">remove
+content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be
 used</a> to fingerprint OS, platform, and Firefox minor version.  </p></li><li class="listitem">Timezone and clock offset
      <p><span class="command"><strong>Design Goal:</strong></span>
 
@@ -1030,26 +1030,26 @@ values used in Tor Browser to something reasonably accurate.
      </p><p><span class="command"><strong>Implementation Status:</strong></span>
 
 We set the timezone using the TZ environment variable, which is supported on
-all platforms. Additionally, we plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3652">obtain a clock
+all platforms. Additionally, we plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3652" target="_top">obtain a clock
 offset from Tor</a>, but this won't be available until Tor 0.2.3.x is in
 use.
 
      </p></li><li class="listitem">Javascript performance fingerprinting
      <p>
 
-<a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf">Javascript performance
+<a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Javascript performance
 fingerprinting</a> is the act of profiling the performance
 of various Javascript functions for the purpose of fingerprinting the
 Javascript engine and the CPU.
 
      </p><p><span class="command"><strong>Design Goal:</strong></span>
 
-We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059">several potential
+We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059" target="_top">several potential
 mitigation approaches</a> to reduce the accuracy of performance
 fingerprinting without risking too much damage to functionality. Our current
 favorite is to reduce the resolution of the Event.timeStamp and the Javascript
 Date() object, while also introducing jitter. Our goal is to increase the
-amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf">Mowery et al</a> found that
+amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al</a> found that
 even with the default precision in most browsers, they required up to 120
 seconds of amortization and repeated trials to get stable results from their
 feature set. We intend to work with the research community to establish the
@@ -1059,7 +1059,7 @@ optimum trade-off between quantization+jitter and amortization time.
      </p><p><span class="command"><strong>Implementation Status:</strong></span>
 
 Currently, the only mitigation against performance fingerprinting is to
-disable <a class="ulink" href="http://www.w3.org/TR/navigation-timing/">Navigation
+disable <a class="ulink" href="http://www.w3.org/TR/navigation-timing/" target="_top">Navigation
 Timing</a> through the Firefox preference
 <span class="command"><strong>dom.enable_performance</strong></span>.
 
@@ -1067,8 +1067,8 @@ Timing</a> through the Firefox preference
      <p>
 
 At least two HTML5 features have different implementation status across the
-major OS vendors: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.battery">Battery
-API</a> and the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection">Network
+major OS vendors: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.battery" target="_top">Battery
+API</a> and the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection" target="_top">Network
 Connection API</a>. We disable these APIs
 through the Firefox preferences <span class="command"><strong>dom.battery.enabled</strong></span> and
 <span class="command"><strong>dom.network.enabled</strong></span>. 
@@ -1087,23 +1087,23 @@ fingerprinting: timestamp quantization and jitter.
      </p><p><span class="command"><strong>Implementation Status:</strong></span>
 We have no implementation as of yet.
      </p></li></ol></div></div><p>
-For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&amp;status=!closed">tbb-fingerprinting tag in our bugtracker</a>
-  </p></div><div class="sect2" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"/>4.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
+For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&amp;status=!closed" target="_top">tbb-fingerprinting tag in our bugtracker</a>
+  </p></div><div class="sect2" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>4.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
 
 In order to avoid long-term linkability, we provide a "New Identity" context
 menu option in Torbutton. This context menu option is active if Torbutton can
 read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT.
 
-   </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5665856"/>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
+   </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5670816"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
 
 All linkable identifiers and browser state MUST be cleared by this feature.
 
-    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5667104"/>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
+    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5672064"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
 
 First, Torbutton disables Javascript in all open tabs and windows by using
-both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes">browser.docShell.allowJavascript</a>
-attribute as well as <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDOMWindowUtils#suppressEventHandling%28%29">nsIDOMWindowUtil.suppressEventHandling()</a>.
-We then stop all page activity for each tab using <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIWebNavigation#stop%28%29">browser.webNavigation.stop(nsIWebNavigation.STOP_ALL)</a>.
+both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes" target="_top">browser.docShell.allowJavascript</a>
+attribute as well as <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDOMWindowUtils#suppressEventHandling%28%29" target="_top">nsIDOMWindowUtil.suppressEventHandling()</a>.
+We then stop all page activity for each tab using <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIWebNavigation#stop%28%29" target="_top">browser.webNavigation.stop(nsIWebNavigation.STOP_ALL)</a>.
 We then clear the site-specific Zoom by temporarily disabling the preference
 <span class="command"><strong>browser.zoom.siteSpecific</strong></span>, and clear the GeoIP wiki token
 URL and the last opened URL prefs (if they exist). Each tab is then closed.
@@ -1127,29 +1127,29 @@ closed.
      </p></blockquote></div><div class="blockquote"><blockquote class="blockquote">
 If the user chose to "protect" any cookies by using the Torbutton Cookie
 Protections UI, those cookies are not cleared as part of the above.
-    </blockquote></div></div></div><div class="sect2" title="4.8. Description of Firefox Patches"><div class="titlepage"><div><div><h3 class="title"><a id="firefox-patches"/>4.8. Description of Firefox Patches</h3></div></div></div><p>
+    </blockquote></div></div></div><div class="sect2" title="4.8. Description of Firefox Patches"><div class="titlepage"><div><div><h3 class="title"><a id="firefox-patches"></a>4.8. Description of Firefox Patches</h3></div></div></div><p>
 
-The set of patches we have against Firefox can be found in the <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/tree/maint-2.4:/src/current-patches/firefox">current-patches directory of the torbrowser git repository</a>. They are:
+The set of patches we have against Firefox can be found in the <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/tree/maint-2.4:/src/current-patches/firefox" target="_top">current-patches directory of the torbrowser git repository</a>. They are:
 
-   </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0001-Block-Components.interfaces-from-content.patch">Block
+   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0001-Block-Components.interfaces-from-content.patch" target="_top">Block
 Components.interfaces</a><p>
 
 In order to reduce fingerprinting, we block access to this interface from
 content script. Components.interfaces can be used for fingerprinting the
 platform, OS, and Firebox version, but not much else.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0002-Make-Permissions-Manager-memory-only.patch">Make
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0002-Make-Permissions-Manager-memory-only.patch" target="_top">Make
 Permissions Manager memory only</a><p>
 
 This patch exposes a pref 'permissions.memory_only' that properly isolates the
 permissions manager to memory, which is responsible for all user specified
-site permissions, as well as stored <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security">HSTS</a>
+site permissions, as well as stored <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security" target="_top">HSTS</a>
 policy from visited sites.
 
 The pref does successfully clear the permissions manager memory if toggled. It
 does not need to be set in prefs.js, and can be handled by Torbutton.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0003-Make-Intermediate-Cert-Store-memory-only.patch">Make
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0003-Make-Intermediate-Cert-Store-memory-only.patch" target="_top">Make
 Intermediate Cert Store memory-only</a><p>
 
 The intermediate certificate store records the intermediate SSL certificates
@@ -1164,28 +1164,28 @@ As an additional design goal, we would like to later alter this patch to allow t
 information to be cleared from memory. The implementation does not currently
 allow this.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0004-Add-a-string-based-cacheKey.patch">Add
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0004-Add-a-string-based-cacheKey.patch" target="_top">Add
 a string-based cacheKey property for domain isolation</a><p>
 
-To <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666">increase the
-security of cache isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754">solve strange and
+To <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the
+security of cache isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve strange and
 unknown conflicts with OCSP</a>, we had to patch
 Firefox to provide a cacheDomain cache attribute. We use the url bar
 FQDN as input to this field.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch">Block
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch" target="_top">Block
 all plugins except flash</a><p>
-We cannot use the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/@mozilla.org/extensions/blocklist%3B1">
+We cannot use the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/@mozilla.org/extensions/blocklist%3B1" target="_top">
 @mozilla.org/extensions/blocklist;1</a> service, because we
 actually want to stop plugins from ever entering the browser's process space
 and/or executing code (for example, AV plugins that collect statistics/analyze
 URLs, magical toolbars that phone home or "help" the user, Skype buttons that
 ruin our day, and censorship filters). Hence we rolled our own.
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0006-Make-content-pref-service-memory-only-clearable.patch">Make content-prefs service memory only</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0006-Make-content-pref-service-memory-only-clearable.patch" target="_top">Make content-prefs service memory only</a><p>
 This patch prevents random URLs from being inserted into content-prefs.sqlite in
 the profile directory as content prefs change (includes site-zoom and perhaps
 other site prefs?).
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0007-Make-Tor-Browser-exit-when-not-launched-from-Vidalia.patch">Make Tor Browser exit when not launched from Vidalia</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0007-Make-Tor-Browser-exit-when-not-launched-from-Vidalia.patch" target="_top">Make Tor Browser exit when not launched from Vidalia</a><p>
 
 It turns out that on Windows 7 and later systems, the Taskbar attempts to
 automatically learn the most frequent apps used by the user, and it recognizes
@@ -1195,118 +1195,118 @@ Browser will automatically find their default Firefox profile, and properly
 connect directly without using Tor. This patch is a simple hack to cause Tor
 Browser to immediately exit in this case.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0008-Disable-SSL-Session-ID-tracking.patch">Disable SSL Session ID tracking</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0008-Disable-SSL-Session-ID-tracking.patch" target="_top">Disable SSL Session ID tracking</a><p>
 
 This patch is a simple 1-line hack to prevent SSL connections from caching
 (and then later transmitting) their Session IDs. There was no preference to
 govern this behavior, so we had to hack it by altering the SSL new connection
 defaults.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0009-Provide-an-observer-event-to-close-persistent-connec.patch">Provide an observer event to close persistent connections</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0009-Provide-an-observer-event-to-close-persistent-connec.patch" target="_top">Provide an observer event to close persistent connections</a><p>
 
 This patch creates an observer event in the HTTP connection manager to close
 all keep-alive connections that still happen to be open. This event is emitted
 by the <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a> button.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0010-Limit-device-and-system-specific-CSS-Media-Queries.patch">Limit Device and System Specific Media Queries</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0010-Limit-device-and-system-specific-CSS-Media-Queries.patch" target="_top">Limit Device and System Specific Media Queries</a><p>
 
-<a class="ulink" href="https://developer.mozilla.org/en-US/docs/CSS/Media_queries">CSS
+<a class="ulink" href="https://developer.mozilla.org/en-US/docs/CSS/Media_queries" target="_top">CSS
 Media Queries</a> have a fingerprinting capability approaching that of
 Javascript. This patch causes such Media Queries to evaluate as if the device
 resolution was equal to the content window resolution.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0011-Limit-the-number-of-fonts-per-document.patch">Limit the number of fonts per document</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0011-Limit-the-number-of-fonts-per-document.patch" target="_top">Limit the number of fonts per document</a><p>
 
-Font availability can be <a class="ulink" href="http://flippingtypical.com/">queried by
+Font availability can be <a class="ulink" href="http://flippingtypical.com/" target="_top">queried by
 CSS and Javascript</a> and is a fingerprinting vector. This patch limits
 the number of times CSS and Javascript can cause font-family rules to
 evaluate. Remote @font-face fonts are exempt from the limits imposed by this
 patch, and remote fonts are given priority over local fonts whenever both
 appear in the same font-family rule.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0012-Rebrand-Firefox-to-TorBrowser.patch">Rebrand Firefox to Tor Browser</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0012-Rebrand-Firefox-to-TorBrowser.patch" target="_top">Rebrand Firefox to Tor Browser</a><p>
 
 This patch updates our branding in compliance with Mozilla's trademark policy.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0013-Make-Download-manager-memory-only.patch">Make Download Manager Memory Only</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0013-Make-Download-manager-memory-only.patch" target="_top">Make Download Manager Memory Only</a><p>
 
 This patch prevents disk leaks from the download manager. The original
 behavior is to write the download history to disk and then delete it, even if
 you disable download history from your Firefox preferences.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0014-Add-DDG-and-StartPage-to-Omnibox.patch">Add DDG and StartPage to Omnibox</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0014-Add-DDG-and-StartPage-to-Omnibox.patch" target="_top">Add DDG and StartPage to Omnibox</a><p>
 
 This patch adds DuckDuckGo and StartPage to the Search Box, and sets our
 default search engine to StartPage. We deployed this patch due to excessive
 Captchas and complete 403 bans from Google.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0015-Make-nsICacheService.EvictEntries-synchronous.patch">Make nsICacheService.EvictEntries() Synchronous</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0015-Make-nsICacheService.EvictEntries-synchronous.patch" target="_top">Make nsICacheService.EvictEntries() Synchronous</a><p>
 
 This patch eliminates a race condition with "New Identity". Without it,
 cache-based Evercookies survive for up to a minute after clearing the cache
 on some platforms.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0016-Prevent-WebSocket-DNS-leak.patch">Prevent WebSockets DNS Leak</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0016-Prevent-WebSocket-DNS-leak.patch" target="_top">Prevent WebSockets DNS Leak</a><p>
 
 This patch prevents a DNS leak when using WebSockets. It also prevents other
 similar types of DNS leaks.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0017-Randomize-HTTP-request-order-and-pipeline-depth.patch">Randomize HTTP pipeline order and depth</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0017-Randomize-HTTP-request-order-and-pipeline-depth.patch" target="_top">Randomize HTTP pipeline order and depth</a><p>
 As an 
-<a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting">experimental
+<a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental
 defense against Website Traffic Fingerprinting</a>, we patch the standard
 HTTP pipelining code to randomize the number of requests in a
 pipeline, as well as their order.
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0018-Adapt-Steven-Michaud-s-Mac-crashfix-patch.patch">Adapt Steve Michaud's Mac crashfix patch</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0018-Adapt-Steven-Michaud-s-Mac-crashfix-patch.patch" target="_top">Adapt Steve Michaud's Mac crashfix patch</a><p>
 
 This patch allows us to block Drag and Drop without causing crashes on Mac OS.
 We need to block Drag and Drop because Mac OS and Ubuntu both immediately load
 any URLs they find in your drag buffer before you even drop them (without
 using your browser's proxy settings, of course).
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0019-Add-mozIThirdPartyUtil.getFirstPartyURI-API.patch">Add mozIThirdPartyUtil.getFirstPartyURI() API</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0019-Add-mozIThirdPartyUtil.getFirstPartyURI-API.patch" target="_top">Add mozIThirdPartyUtil.getFirstPartyURI() API</a><p>
 
 This patch provides an API that allows us to more easily isolate identifiers
 to the URL bar domain.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0020-Add-canvas-image-extraction-prompt.patch">Add canvas image extraction prompt</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0020-Add-canvas-image-extraction-prompt.patch" target="_top">Add canvas image extraction prompt</a><p>
 
 This patch prompts the user before returning canvas image data. Canvas image
 data can be used to create an extremely stable, high-entropy fingerprint based
 on the unique rendering behavior of video cards, OpenGL behavior,
 system fonts, and supporting library versions.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0021-Return-client-window-coordinates-for-mouse-event-scr.patch">Return client window coordinates for mouse events</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0021-Return-client-window-coordinates-for-mouse-event-scr.patch" target="_top">Return client window coordinates for mouse events</a><p>
 
 This patch causes mouse events to return coordinates relative to the content
 window instead of the desktop.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0022-Do-not-expose-physical-screen-info.-via-window-and-w.patch">Do not expose physical screen info to window.screen</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0022-Do-not-expose-physical-screen-info.-via-window-and-w.patch" target="_top">Do not expose physical screen info to window.screen</a><p>
 
 This patch causes window.screen to return the display resolution size of the
 content window instead of the desktop resolution size.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0023-Do-not-expose-system-colors-to-CSS-or-canvas.patch">Do not expose system colors to CSS or canvas</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0023-Do-not-expose-system-colors-to-CSS-or-canvas.patch" target="_top">Do not expose system colors to CSS or canvas</a><p>
 
 This patch prevents CSS and Javascript from discovering your desktop color
 scheme and/or theme.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0024-Isolate-the-Image-Cache-per-url-bar-domain.patch">Isolate the Image Cache per url bar domain</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0024-Isolate-the-Image-Cache-per-url-bar-domain.patch" target="_top">Isolate the Image Cache per url bar domain</a><p>
 
 This patch prevents cached images from being used to store third party tracking
 identifiers.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0025-nsIHTTPChannel.redirectTo-API.patch">nsIHTTPChannel.redirectTo() API</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0025-nsIHTTPChannel.redirectTo-API.patch" target="_top">nsIHTTPChannel.redirectTo() API</a><p>
 
 This patch provides HTTPS-Everywhere with an API to perform redirections more
 securely and without addon conflicts.
 
-     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0026-Isolate-DOM-storage-to-first-party-URI.patch">Isolate DOM Storage to first party URI</a><p>
+     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0026-Isolate-DOM-storage-to-first-party-URI.patch" target="_top">Isolate DOM Storage to first party URI</a><p>
 
 This patch prevents DOM Storage from being used to store third party tracking
 identifiers.
 
-     </p></li></ol></div></div></div><div class="appendix" title="A. Towards Transparency in Navigation Tracking"><h2 class="title"><a id="Transparency"/>A. Towards Transparency in Navigation Tracking</h2><p>
+     </p></li></ol></div></div></div><div class="appendix" title="A. Towards Transparency in Navigation Tracking"><h2 class="title" style="clear: both"><a id="Transparency"></a>A. Towards Transparency in Navigation Tracking</h2><p>
 
 The <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy properties</a> of Tor Browser are based
 upon the assumption that link-click navigation indicates user consent to
@@ -1338,7 +1338,7 @@ also describe auditable alternatives and promising web draft standards that woul
 preserve this functionality while still providing transparency when tracking is
 occurring. 
 
-</p><div class="sect2" title="A.1. Deprecation Wishlist"><div class="titlepage"><div><div><h3 class="title"><a id="deprecate"/>A.1. Deprecation Wishlist</h3></div></div></div><div class="orderedlist"><ol class="orderedlist"><li class="listitem">The Referer Header
+</p><div class="sect1" title="A.1. Deprecation Wishlist"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="deprecate"></a>A.1. Deprecation Wishlist</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">The Referer Header
   <p>
 
 We haven't disabled or restricted the referer ourselves because of the
@@ -1353,7 +1353,7 @@ Google's +1 buttons are the best example of this activity.
 
 Because of the availability of these other explicit vectors, we believe the
 main risk of the referer header is through inadvertent and/or covert data
-leakage.  In fact, <a class="ulink" href="http://www2.research.att.com/~bala/papers/wosn09.pdf">a great deal of
+leakage.  In fact, <a class="ulink" href="http://www2.research.att.com/~bala/papers/wosn09.pdf" target="_top">a great deal of
 personal data</a> is inadvertently leaked to third parties through the
 source URL parameters. 
 
@@ -1366,15 +1366,15 @@ HTML tag. With an explicit property, it would then be possible for the user
 agent to inform the user if they are about to click on a link that will
 transmit referer information (perhaps through something as subtle as a
 different color for the destination URL). This same UI notification can also
-be used for links with the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Element/a#Attributes">"ping"</a>
+be used for links with the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Element/a#Attributes" target="_top">"ping"</a>
 attribute.
 
   </p></li><li class="listitem">window.name
    <p>
-<a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name">window.name</a> is
+<a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
 a DOM property that for some reason is allowed to retain a persistent value
 for the lifespan of a browser tab. It is possible to utilize this property for
-<a class="ulink" href="http://www.thomasfrank.se/sessionvars.html">identifier
+<a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
 storage</a> during click navigation. This is sometimes used for additional
 XSRF protection and federated login.
    </p><p>
@@ -1397,18 +1397,18 @@ cause Tor Browser to fail to navigate properly on these sites.
    </p><p>
 
 Automated cross-origin redirects are one form of this behavior that is
-possible for us to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600">address
+possible for us to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">address
 ourselves</a>, as they are comparatively rare and can be handled with site
 permissions.
 
-   </p></li></ol></div></div><div class="sect2" title="A.2. Promising Standards"><div class="titlepage"><div><div><h3 class="title"><a id="idp5752304"/>A.2. Promising Standards</h3></div></div></div><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><a class="ulink" href="http://web-send.org">Web-Send Introducer</a><p>
+   </p></li></ol></div></div><div class="sect1" title="A.2. Promising Standards"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp5757152"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p>
 
 Web-Send is a browser-based link sharing and federated login widget that is
 designed to operate without relying on third-party tracking or abusing other
-cross-origin link-click side channels. It has a compelling list of <a class="ulink" href="http://web-send.org/features.html">privacy and security features</a>,
+cross-origin link-click side channels. It has a compelling list of <a class="ulink" href="http://web-send.org/features.html" target="_top">privacy and security features</a>,
 especially if used as a "Like button" replacement.
 
-   </p></li><li class="listitem"><a class="ulink" href="https://developer.mozilla.org/en-US/docs/Persona">Mozilla Persona</a><p>
+   </p></li><li class="listitem"><a class="ulink" href="https://developer.mozilla.org/en-US/docs/Persona" target="_top">Mozilla Persona</a><p>
 
 Mozilla's Persona is designed to provide decentralized, cryptographically
 authenticated federated login in a way that does not expose the user to third

tor-webwml.git
