[tor-bugs] #15514 [Tor Browser]: Trim the NoScript whitelist
#15514: Trim the NoScript whitelist
-------------------------------------------------+-------------------------
 Reporter: mikeperry                             | Owner: tbb-team
 Type: defect                                    | Status: new
 Priority: normal                                | Milestone:
 Component: Tor Browser                          | Version:
 Keywords: TorBrowserTeam201504, tbb-4.5-alpha   | Actual Points:
 Parent ID:                                      | Points:
-------------------------------------------------+-------------------------
The NoScript whitelist currently allows blob: URLs, all about: URLs, and
chrome: URLs.

We definitely want to remove blob: URLs, because of #15502. We also don't
appear to need chrome: URLs, and Giorgio recommends we remove the blanket
allow on about: URLs in favor of the list of specific about: URLs we know
we need.

We do need resource: URLs for pdf.js though. For some reason, the
cascading permissions do not properly allow them in pdf.js when you
click "Temporarily allow all this page".

Unfortunately, updating this list is not easy. We need to push an update
in extension-overrides.js to set 'noscript.mandatory' and
'noscript.default', but that will not affect
'capability.policy.maonoscript.sites' for people who upgrade. Hence we
need to add one-time code to Torbutton that removes the extra schemes from
'capability.policy.maonoscript.sites' and sets a pref so it doesn't do it
again.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15514>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
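
A sketch of the one-time cleanup the ticket describes, added here as an illustration and not taken from Torbutton or NoScript. It assumes the whitelist pref is a space-separated list of entries; the marker pref name, the Map standing in for the browser's pref store, and the about: URLs are hypothetical placeholders.

```javascript
// Added illustration; not Torbutton or NoScript code.
const SITES_PREF = "capability.policy.maonoscript.sites"; // named in the ticket
const DONE_PREF = "example.noscript_whitelist_trimmed";   // hypothetical marker pref

// Blanket scheme entries the ticket wants removed. resource: is deliberately
// absent because the ticket says pdf.js still needs it.
const BLANKET_SCHEMES = new Set(["blob:", "chrome:", "about:"]);

// Placeholder values: the ticket does not list the about: URLs that are needed.
const NEEDED_ABOUT_URLS = ["about:example-one", "about:example-two"];

// Assumption: the pref value is a space-separated list of whitelist entries.
function trimWhitelist(value) {
  const kept = [];
  const seen = new Set();
  for (const entry of value.split(/\s+/).filter(Boolean)) {
    if (BLANKET_SCHEMES.has(entry.toLowerCase())) continue; // drop blanket allow
    if (seen.has(entry)) continue;                          // drop duplicates
    seen.add(entry);
    kept.push(entry);
  }
  // Replace the blanket about: allow with the specific pages that are needed.
  for (const url of NEEDED_ABOUT_URLS) {
    if (!seen.has(url)) {
      seen.add(url);
      kept.push(url);
    }
  }
  return kept.join(" ");
}

// prefs is a Map standing in for the browser's pref store (assumption).
// Returns true when the cleanup ran, false when the marker says it already did.
function migrateOnce(prefs) {
  if (prefs.get(DONE_PREF) === true) return false;
  const current = prefs.get(SITES_PREF);
  if (typeof current === "string") {
    prefs.set(SITES_PREF, trimWhitelist(current));
  }
  // Set the marker even if the pref was absent, so later user edits are kept.
  prefs.set(DONE_PREF, true);
  return true;
}
```

Because the marker is set on the first run, an entry the user adds back later is not stripped on the next start.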