Re: [tor-bugs] #9387 [Tor Launcher]: Tor Launcher/Torbutton should provide a "Security Slider"



#9387: Tor Launcher/Torbutton should provide a "Security Slider"
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  gk
  mikeperry              |     Status:  needs_information
         Type:           |  Milestone:
  enhancement            |    Version:
     Priority:  major    |   Keywords:  TorBrowserTeam201410D, tbb-
    Component:  Tor      |  security, tbb-usability, tbb-linkability,
  Launcher               |  tbb-3.0, extdev-interview, tbb-isec-report,
   Resolution:           |  MikePerry201410R, tbb-4.5-alpha
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by gk):

 Replying to [comment:56 mikeperry]:
 > gk - I noticed a bug with noscript.globalHTTPSWhitelist. It seems that
 > it improperly blocks some elements in https pages unless https: is also
 > added to the NoScript whitelist. I notified Giorgio about this bug, but he
 > has not fixed it yet. We may want to add "https:" to the NoScript pref
 > capability.policy.maonoscript.sites as a workaround until this is fixed.

 Ok. This actually means adding " https:" just to case 1-3 (the medium-high
 position)? The first two levels leave the NoScript JS related prefs alone
 but are affected by this bug, too, and the fourth level is locking down all
 JS, so this isn't needed there. I am in fact quite confused about these
 related NoScript JS prefs: `noscript.globalHTTPSWhitelist` is supposed to
 be `noscript.globalHttpsWhitelist`, right? And
 {{{
 Disable JS for non HTTPS URL Bars -> noscript.globalHTTPSWhitelist
 }}}
 in comment:43 is supposed to be
 {{{
 Disable JS for non HTTPS URL Bars -> noscript.allowHttpsOnly
 }}}
 or am I missing something? How is `noscript.globalHttpsWhitelist` set in
 mode 1-3? Assuming we only disable it in mode 4 I guess we enable it in
 them?

 > I think that with noscript.cascadePermissions and
 > noscript.cascadePermissions, having https: in the whitelist still does not
 > allow scripts if the url bar is http, but we should also verify this.

 Okay, this still needs to be done.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9387#comment:57>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online