[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #17570 [Tor Browser]: HTTP JavaScript running in Medium-High security mode



#17570: HTTP JavaScript running in Medium-High security mode
-------------------------+--------------------------
 Reporter:  cypherpunks  |          Owner:  tbb-team
     Type:  defect       |         Status:  new
 Priority:  Medium       |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Major        |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
-------------------------+--------------------------
Changes (by mikeperry):

 * cc: boklm, gk (added)


Comment:

 Both GeKo and I tried to reproduce this by loading the test site at
 Medium-High. According to the built in Firefox Network Monitor and
 Javascript debugger (Vent->Developer->Network and
 Vent->Developer->Debugger), no scripts are loading on the http page. Once
 you click the link to the https page, scripts do load, but you're then on
 an https page, so they should be loading there.

 Perhaps you were confused by the fact that allowing the cert for this site
 allows the CSS, which makes it slightly more dynamic in http? That
 confused me at first too.

 If you can provide a more clear way to show that scripts are actually
 running in the http site, please give us another test case or
 instructions. Also, please additionally encrypt to boklm, who is the
 engineer responsible for the regression tests that we use to verify this
 security property (see #13053). Here's his key info:

 {{{
 pub   4096R/2067001B1B678A63 2011-08-04
       Key fingerprint = C9B8 CAC3 318B 9A9E 4883  5961 2067 001B 1B67 8A63
 uid                          Nicolas Vigier (boklm) <boklm@mars-
 attacks.org>
 uid                          Nicolas Vigier (boklm) <boklm@xxxxxxxxxxxxxx>
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17570#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs