[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #1811 [Torbutton]: Should Torbutton toggle javascript.enabled in Firefox per documentation?

To: undisclosed-recipients:;
Subject: [tor-bugs] #1811 [Torbutton]: Should Torbutton toggle javascript.enabled in Firefox per documentation?
From: "Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>
Date: Sat, 07 Aug 2010 19:52:33 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 07 Aug 2010 15:52:44 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: Tor bugs reporting list for trac <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx

#1811: Should Torbutton toggle javascript.enabled in Firefox per documentation?
----------------------------------------------------+-----------------------
 Reporter:  joebt                                   |       Owner:  mikeperry       
     Type:  enhancement                             |      Status:  new             
 Priority:  normal                                  |   Milestone:                  
Component:  Torbutton                               |     Version:  Torbutton: 1.2.5
 Keywords:  Torbutton, javascript, enabled, toggle  |      Parent:                  
----------------------------------------------------+-----------------------
 Previous bugs stating Torbutton no longer toggling "Javascript Enabled" in
 Firefox (mainly after v3.5 or 3.6) have been answered that it isn't a bug
 (see # 979 below). Previous Torbutton versions did toggle âEnable
 Javascriptâ in Firefox Options > Content. Now, apparently not in later
 versions?

 Current documentation seems to indicate it should be toggling the Firefox
 preference âjavascript.enabled.â If correct, it would toggle the box in
 Options / Content.

 Question is, should it be toggling âjavascript.enabledâ and thus toggling
 the Content check box, or does the documentation need updating or
 clarification? Also, Tor Project site gives current links to Tor Detector
 site http://torcheck.xenobite.eu/. With Tor, Polipo & Torbutton enabled,
 the site warns âJAVASCRIPT ENABLEDâ as security / anonymity risk.

 If Torbutton no longer toggles âEnable Javascriptâ in Firefox, (instead
 âmakes javascript safe for anonymity...â), is this still a valid parameter
 for [http://torcheck.xenobite.eu/ torcheck.xenobite.eu/] to check & report
 as a security risk? Maybe check site needs updating or Tor Project needs
 to link to different sites? Also FAQs & documentation may need revising to
 inform __average__ users of expected behavior.

 '''Ticket 979: Torbutton not disabling javascript.'''

 Response:

 flyspray2trac: bug closed.
 This is a feature. Torbutton makes javascript safe for anonymity purposes.
 If you fear javascript exploits, use quickjava or noscript to disable it.

 From current (8-7-10) online Torbutton Design doc at:

 http://www.torproject.org/torbutton/design/

 From section:

 6. Relevant Firefox Bugs

 6.1. Bugs impacting security

  6. [https://bugzilla.mozilla.org/show_bug.cgi?id=409737 Bug 409737 -
 javascript.enabled and docShell.allowJavascript do not         disable all
 event handlers]

 From same doc, section 7:

 7.3. Active testing (aka How to Hack Torbutton)

 "Other ways to cause Javascript to be executed after
 '''javascript.enabled''' has been toggled off."

 If it should be toggling javascript.enabled, it hasn't done it for me for
 several versions of Torbutton and Firefox 3.6 â 3.6.8.

 Reproducible: always

 Windows Vista x64 SP 2

 Clean install of Firefox 3.6.8, new profile, no addons.

 Torbutton 1.25, Tor 0.2.1.26 w/ Polipo installed, all running.

 Tor checksite always reports âJavascript Enabledâ as security risk.

 With Torbutton 1.25 (& prior versions) enabled, !about:config shows
 javascript.enabled value = true. (contradicts sect. 7.3 Active Testing)

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1811>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #1810 [Tor - Relay]: drop from consensus
Next by Author: Re: [tor-bugs] #1525 [Tor - Tor client]: RESOLVE control port command code path is incorrect
Previous by thread: Re: [tor-bugs] #1810 [Tor - Relay]: drop from consensus
Next by thread: [tor-bugs] #1812 [Tor - Tor bundles/installation]: TOR not working in Windows 7
Index(es):
- Author
- Thread