[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #28873 [Applications/Tor Browser]: Cascading of permissions does not seem to work properly in Tor Browser 8
#28873: Cascading of permissions does not seem to work properly in Tor Browser 8
-------------------------------------+-------------------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor | Version:
Browser | Keywords: tbb-security, tbb-
Severity: Normal | torbutton, TorBrowserTeam201812
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
-------------------------------------+-------------------------------------
On level "safer" of our security slider we want to prevent executing
JavaScript if the URL bar domain is loaded over HTTP. That means even if
embedded content is loaded over HTTPS it's not allowed to load and execute
JavaScript that way. We used the `cascadePermissions` and the
`globalHttpsWhitelist` prefs for that in the XPCOM NoScript.
This mechanism seems to be broken as e.g. HTTPS JavaScript can get loaded
in a HTTP site context (as an example take
http://www.worldstarhiphop.com/featured/131305).
This got noted on our blog: https://blog.torproject.org/new-release-tor-
browser-85a6.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28873>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs