
Re: [tor-bugs] #9387 [Tor Launcher]: Tor Launcher/Torbutton should provide a "Security Slider"



#9387: Tor Launcher/Torbutton should provide a "Security Slider"
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  gk
  mikeperry              |     Status:  needs_information
         Type:           |  Milestone:
  enhancement            |    Version:
     Priority:  major    |   Keywords:  TorBrowserTeam201410D, tbb-
    Component:  Tor      |  security, tbb-usability, tbb-linkability,
  Launcher               |  tbb-3.0, extdev-interview, tbb-isec-report,
   Resolution:           |  MikePerry201410R, tbb-4.5-alpha
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by mikeperry):

 Replying to [comment:57 gk]:
 > Replying to [comment:56 mikeperry]:
 > > gk - I noticed a bug with noscript.globalHTTPSWhitelist. It seems that
 > > it improperly blocks some elements in https pages unless https: is also
 > > added to the NoScript whitelist. I notified Giorgio about this bug, but he
 > > has not fixed it yet. We may want to add "https:" to the NoScript pref
 > > capability.policy.maonoscript.sites as a workaround until this is fixed.
 >
 > Ok. This actually means adding " https:" just to case 1-3? The first two
 > levels leave the NoScript JS related prefs alone but are affected by this
 > bug, too, and the fourth level is locking down all JS, so this isn't
 > needed there. I am in fact quite confused about these related NoScript JS
 > prefs: `noscript.globalHTTPSWhitelist` is supposed to be
 > `noscript.globalHttpsWhitelist`, right? And
 > {{{
 > Disable JS for non HTTPS URL Bars -> noscript.globalHTTPSWhitelist
 > }}}
 > in comment:43 is supposed to be
 > {{{
 > Disable JS for non HTTPS URL Bars -> noscript.allowHttpsOnly
 > }}}
 > or am I missing something? How is `noscript.globalHttpsWhitelist` set in
 > mode 1-3? Assuming we only disable it in mode 4 I guess we enable it in
 > them?

 Well, I don't think `noscript.allowHttpsOnly` exists. We want
 `noscript.globalHttpsWhitelist` to be set only in mode 3. In that mode, we
 also want https: in the whitelist (`capability.policy.maonoscript.sites`).

 In modes 1, 2, and 4 we want `noscript.globalHttpsWhitelist` unset. We
 also want 'https:' removed from `capability.policy.maonoscript.sites` in
 these modes.

 I will update the summary in comment:43.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9387#comment:58>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
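
The per-mode pref state described in the comment above, as an added example that is not Torbutton or NoScript code and not part of the original message. The function name `prefsForMode`, the integer modes 1-4, the space-separated whitelist format and the use of `false` for "unset" are assumptions made for illustration.

```javascript
// Added example, not Torbutton code. Assumptions: the slider mode is an
// integer 1-4, the whitelist pref is a space-separated string of entries,
// and "unset" is modelled as boolean false.
const HTTPS_ENTRY = "https:";

function prefsForMode(mode, currentSites) {
  if (![1, 2, 3, 4].includes(mode)) {
    throw new RangeError("unknown slider mode: " + mode);
  }
  // Split on whitespace and drop empty tokens so stray spaces do not matter.
  const entries = currentSites.split(/\s+/).filter(Boolean);
  // Remove only the exact "https:" token; entries such as
  // "https://example.com" are different whitelist items and must survive.
  const others = entries.filter((e) => e !== HTTPS_ENTRY);
  // Only mode 3 gets the global HTTPS whitelist plus the "https:" entry.
  const wantHttps = mode === 3;
  const sites = wantHttps ? others.concat(HTTPS_ENTRY) : others;
  return {
    "noscript.globalHttpsWhitelist": wantHttps,
    "capability.policy.maonoscript.sites": sites.join(" "),
  };
}

// Constructed sample whitelist value, for illustration only.
const sample = "about: https://example.com https: chrome:";
for (const mode of [1, 2, 3, 4]) {
  console.log(mode, prefsForMode(mode, sample));
}
```

Filtering on the exact token keeps switching between modes idempotent: moving into mode 3 twice does not duplicate "https:", and leaving mode 3 does not strip unrelated https:// site entries.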