Drag and drop protections in Tor Browser 12.0

Super happy about finally moving to the new ESR after months of waiting. One problem I noticed on Linux is that dragging a url from the browser’s URL bar (after selecting it) doesn’t work. Vanilla firefox doesn’t have this problem.

1 Like

(macOS) You’ve broken drag and drop. It is no longer possible to drag a link from a web page.

After downloaded the standalone installer (TorBrowser-12.0-macos_ALL.dmg) and opened and reopened the browser, the problem remains:

It is impossible to drag a url link like https://forum.torproject.org/ to the address bar or tab bar to open a new web page. Neither can I drag a text selection containing some part that looks like a url to open a new tab. More annoying is that I can’t reorder my bookmark links. :face_with_head_bandage:

Tor Browser: 12.0
System: macOS

Hi all, apologies for the confusion – this is due to Tor Browser 12.0’s drag & drop protection.

Since dragging URLs can trigger DNS requests via your OS, which bypasses Tor Browser’s proxy settings, we decided to disable the ability to drag URLs off-page for the time being. You can read more about the background to this decision here:

However, the level of protection we’ve shipped in 12.0 is a bit overzealous at the moment: as you’ve noticed, it’s impacting areas it shouldn’t like the bookmarks manager; sometimes it will misidentify mundane text as a URL; and it’s not very clear what the rules are to our users regarding what they can and can’t do either.

We’ve since opened a new ticket to fine-tune the protective measures here, and hopefully provide a clearer user experience in future:

Also, as Richard has noted in both tickets, the inability to drag URLs between the page and the browser chrome (e.g. the address bar, bookmarks bar, or tabs) in the current implementation is frustrating – however this is a tricky issue to resolve, and will require some investigation first.

Thanks for all your feedback on this issue!


I suggest you start by providing a configuration option to turn this misfeature off entirely.

This topic was automatically closed 12 hours after the last reply. New replies are no longer allowed.

That shouldn’t be necessary, initial refinements are coming in 12.0.1.

1 Like

12.0.1 fixes all of the functionality issues I noticed in the app, which is very much appreciated. However, it still blocks all movement of URLs outside of the app. Although I understand this was intentional, I’d also like to see the ability to turn this off or mitigate the loss of convenience in someway. Since I got used to a workflow that relied on the small optimisation over copy and paste that was drag and drop, I’m very disappointed not to have the option to restore it. I would assume that this can be mitigated outside of the application as well, so I’d like to have that option.

If the issue is operating systems looking up the address, would it be possible to simply recategorise the drag and drop as plain text at least as an option so that it’s still possible to use outside of the window?

Edit: After rereading some of the related issues it occurs to me that this was likely the original solution to the problem. I like that there’s more thought going into how to protect people from accidental gestures, but keeping drags as plain text or other non-url specific data types is still a valid solution in my opinion and should remain an option, especially without clearer evidence that some OS’s are actually overreaching in applying specific checks and behaviours like this to non-specific data types.

1 Like

I would love to see further refinements of this algorithm. I’ve been using drag & drop since the 80’s or 90’s and given the fact JavaScripts poll the clipboard, that’s a MAJOR reason to use drag & drop versus putting things on the clipboard. Drag & drop User IDs, drag & drop passwords. Keep them off the clipboard(s).

I tried dragging a phone number from Tor Browser to the proper field in my contacts app but no go. The HTML declared the anchor’s href to be a ‘tel’ link. I could not just drag & drop it. Thus lots of formerly unnecessary steps.

Over at Alec Muffett’s Github onion list project I can drag plain text links off the page but not links in the < a > element. Is this a hole? Are DNS lookups still being made (on some OSs)?

But that would be a subset of Tor Browser user population. However, everyone is exposed to nasty JavaScripts polling the clipboard on a regular basis, which seems a larger problem affecting many more people possibly. But I’m extrapolating.

The workaround for people looking to continue to drag & drop from Tor Browser is to select everything AFTER the http:// or https:// address. Since it does’t contain the scheme, you can drag it out to another app. (Still unsure about if various OS’s try to do an inspection of it and are ‘overly helpful’ and do a lookup anyway. Why? Why is this useful to those OS’s? To get the IP addy in the cache and save…how much time?)

But that doesn’t help for things like a ‘tel’ link, which ironically is not a FQDN and I’m guessing the OS doesn’t do a lookup on it anyway. Then you must go the “arduous” copy/paste route. Later flushing your clipboard if you’re the cautious type.

Please excuse if this is very dense and I didn’t provide step-by-step.

1 Like

Thanks for your detailed feedback @Hydroidev & @abc, I’ve added it to our “Drag&Drop protection improvements” ticket for the team’s attention :slight_smile:

1 Like