[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #32786 [Applications/Tor Browser]: NoScript policies don't work with default page set to about:blank
#32786: NoScript policies don't work with default page set to about:blank
-------------------------------+------------------------------------------
Reporter: pf.team | Owner: tbb-team
Type: defect | Status: new
Priority: High | Component: Applications/Tor Browser
Version: | Severity: Normal
Keywords: NoScript prefs.js | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------+------------------------------------------
Issue similar to #32429, but arises under more narrow conditions - such as
when you manually edit settings via prefs.js using automated configuration
tools.
How to reproduce the bug:
1. Unpack Tor Browser, start it for the first time, exit.
2. Edit the following parameters via prefs.js:
* browser.startup.homepage = "about:blank"
* extensions.torbutton.security_slider = 1
3. Launch TB again, set Security Level to Safest, which is supposed to
block JS everywhere.
4. Load the test page and see for yourself that JS is not blocked:
http://mysecret7rirx6ip.onion/test-js.html http://mysecretvrujzo2k.onion
/test-js.html
If the security settings are changed to Low, and then back to Safest, the
bug will disappear and JS will be blocked everywhere by default.
Causes of this bug:
The "key-policy" setting in NoScript (found in
Browser/TorBrowser/Data/Browser/profile.default/storage-sync.sqlite) has
the following value by default:
{"id":"key-
policy","key":"policy","data":{"DEFAULT":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"TRUSTED":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"UNTRUSTED":{"capabilities":["font","frame","media"],"temp":false},"sites":{"trusted":[],"untrusted":[],"custom":{}},"enforced":true,"autoAllowTop":false},"_status":"created"}
This allows all content by default:
"DEFAULT":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"]
This setting is not set to the value corresponding to the Safest security
level ("DEFAULT":{"capabilities":["frame","other"]) when the add-on is
initialized on browser launch, even if this level is set in prefs.js.
This issue misleads users who utilise automated configuration systems to
configure their Tor Browser instances. It was not present in versions 8.*
and 9.0.0.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32786>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs