Re: [tor-bugs] #9387 [Tor Launcher]: Tor Launcher/Torbutton should provide a "Security Slider"
#9387: Tor Launcher/Torbutton should provide a "Security Slider"
-------------------------+-------------------------------------------------
     Reporter: mikeperry
        Owner: gk
         Type: enhancement
       Status: needs_information
     Priority: major
    Milestone:
    Component: Tor Launcher
      Version:
   Resolution:
     Keywords: TorBrowserTeam201410D, tbb-security, tbb-usability,
               tbb-linkability, tbb-3.0, extdev-interview,
               tbb-isec-report, MikePerry201410R, tbb-4.5-alpha
Actual Points:
    Parent ID:
       Points:
-------------------------+-------------------------------------------------
Comment (by mikeperry):
Replying to [comment:57 gk]:
> Replying to [comment:56 mikeperry]:
> > gk - I noticed a bug with noscript.globalHTTPSWhitelist. It seems that
> > it improperly blocks some elements in https pages unless https: is also
> > added to the NoScript whitelist. I notified Giorgio about this bug, but he
> > has not fixed it yet. We may want to add "https:" to the NoScript pref
> > capability.policy.maonoscript.sites as a workaround until this is fixed.
>
> Ok. This actually means adding " https:" just to case 1-3? The first two
> levels leave the NoScript JS related prefs alone but are affected by this
> bug, too, and the fourth level is locking down all JS, so this isn't
> needed there. I am in fact quite confused about these related NoScript JS
> prefs: `noscript.globalHTTPSWhitelist` is supposed to be
> `noscript.globalHttpsWhitelist`, right? And
> {{{
> Disable JS for non HTTPS URL Bars -> noscript.globalHTTPSWhitelist
> }}}
> in comment:43 is supposed to be
> {{{
> Disable JS for non HTTPS URL Bars -> noscript.allowHttpsOnly
> }}}
> or am I missing something? How is `noscript.globalHttpsWhitelist` set in
> mode 1-3? Assuming we only disable it in mode 4 I guess we enable it in
> them?
Well, I don't think `noscript.allowHttpsOnly` exists. We want
`noscript.globalHttpsWhitelist` to be set only in mode 3. In that mode, we
also want https: in the whitelist (`capability.policy.maonoscript.sites`).
In modes 1, 2, and 4 we want `noscript.globalHttpsWhitelist` unset. We
also want 'https:' removed from `capability.policy.maonoscript.sites` in
these modes.
I will update the summary in comment:43.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9387#comment:58>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
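
The per-mode pref state described in the comment above, as an added example that is not Torbutton or NoScript code: it sets or clears both prefs together and audits a profile for leftovers after a mode change. The function names, the plain-object model of the pref store, and the space-separated format of the site list are assumptions.

```javascript
// Added illustration; not Torbutton or NoScript code.
// Assumptions: prefs are modelled as a plain object, "unset" means the key
// is absent, and the site whitelist is a space-separated string.
const HTTPS_PREF = "noscript.globalHttpsWhitelist";
const SITES_PREF = "capability.policy.maonoscript.sites";
const HTTPS_TOKEN = "https:";

// Split the whitelist into exact entries, so "https://example.com"
// is never confused with the bare "https:" scheme entry.
function siteEntries(prefs) {
  return (prefs[SITES_PREF] || "").split(/\s+/).filter(Boolean);
}

// Return a new prefs object for slider mode 1-4 (hypothetical helper).
function applySliderMode(prefs, mode) {
  if (![1, 2, 3, 4].includes(mode)) {
    throw new RangeError("slider mode must be 1-4, got " + mode);
  }
  const next = { ...prefs };
  // Always drop "https:" first so repeated calls stay idempotent.
  const sites = siteEntries(prefs).filter((s) => s !== HTTPS_TOKEN);
  if (mode === 3) {
    next[HTTPS_PREF] = true;
    sites.push(HTTPS_TOKEN);
  } else {
    delete next[HTTPS_PREF]; // modes 1, 2 and 4: pref unset
  }
  next[SITES_PREF] = sites.join(" ");
  return next;
}

// Audit helper: name each pref that disagrees with the mode's expected state.
function auditSliderMode(prefs, mode) {
  const problems = [];
  const prefSet = prefs[HTTPS_PREF] === true;
  const tokenPresent = siteEntries(prefs).includes(HTTPS_TOKEN);
  if (prefSet !== (mode === 3)) problems.push(HTTPS_PREF);
  if (tokenPresent !== (mode === 3)) problems.push(SITES_PREF);
  return problems;
}

// Constructed sample state: a profile put in mode 3, then moved to mode 4.
const start = { [SITES_PREF]: "example.org https://example.com" };
const mode3 = applySliderMode(start, 3);
const mode4 = applySliderMode(mode3, 4);
console.log(mode3[SITES_PREF]);
console.log(auditSliderMode(mode3, 4), auditSliderMode(mode4, 4));
```

The audit on `mode3` against mode 4 shows what a missed cleanup looks like: both prefs are reported, because a stale "https:" entry or a stale `noscript.globalHttpsWhitelist` value would outlive the mode that needed it.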