[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #27427 [Applications/Tor Browser]: [PATCH] Fix NoScript IPC for about:blank by whitelisting messages

To: undisclosed-recipients: ;
Subject: Re: [tor-bugs] #27427 [Applications/Tor Browser]: [PATCH] Fix NoScript IPC for about:blank by whitelisting messages
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Fri, 14 Sep 2018 13:39:28 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 14 Sep 2018 09:39:40 -0400
In-reply-to: <049.c7843f8f7c649d42c4a976cb696e1055@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <049.c7843f8f7c649d42c4a976cb696e1055@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#27427: [PATCH] Fix NoScript IPC for about:blank by whitelisting messages
-------------------------------------------------+-------------------------
 Reporter:  rustybird                            |          Owner:
                                                 |  arthuredelstein
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  TorBrowserTeam201809R,               |  Actual Points:
  tbb-8.0.1-can                                  |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by rustybird):

 Replying to [comment:15 ma1]:
 > Replying to [comment:14 rustybird]:
 >
 > > If this race hypothetically affects real websites (i.e. not just
 `about:blank` and empty `data:` pages),
 >
 > It should not: NoScript defers all the HTTP(S) traffic until its policy
 is configured and ready to be enforced.
 > about:blank, data: and file: URLs are those which might suffer of this
 problem, because NoScript has no means to prevent them from loading before
 it's initialized.

 Thanks, that makes sense.

 Replying to [comment:13 ma1]:
 > So, if the Tor Browser can start using `__meta.name` both on the
 receiving and the sending end, I'm gonna get rid of the "legacy" redundant
 `_messageName` property in one of the next releases.

 I've uploaded a
 [https://trac.torproject.org/projects/tor/attachment/ticket/27427/v3-Fix-
 NoScript-IPC-for-about-blank-by-whitelisting-messages.patch v3 patch for
 the receiving end] and a
 [https://trac.torproject.org/projects/tor/attachment/ticket/27427/Send-
 updateSettings-message-using-NoScript-10.1.9.2-protocol.patch patch for
 the sending end].

 Assuming that these patches land in Tor Browser 8.0.**1**, maybe NoScript
 could keep the legacy code for a little while, e.g. until Tor Browser
 8.0.**2** is released. This would be a grace period for Tor Browser
 8.0**(.0)** users, so they don't automatically receive an NoScript
 extension update to an incompatible version.

 Replying to [comment:10 arthuredelstein]:
 > I changed it to use the better JS equality operator

 Whoops yes, `==` is crappy. The v3 patch uses `Array.prototype.includes()`
 to make it shorter, so it's like `===` except that `NaN` would be
 considered equal to itself. Hope that's okay, I can change it if not.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27427#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #27427 [Applications/Tor Browser]: [PATCH] Fix NoScript IPC for about:blank by whitelisting messages
  - From: Tor Bug Tracker & Wiki

Prev by Author: [tor-bugs] #27796 [Applications/Tor Browser]: removed style does not work
Next by Author: Re: [tor-bugs] #27797 [Core Tor/Tor]: node: Make node_supports_v3_rendezvous_point() also check for the onion_pk
Previous by thread: Re: [tor-bugs] #27427 [Applications/Tor Browser]: [PATCH] Fix NoScript IPC for about:blank by whitelisting messages
Next by thread: Re: [tor-bugs] #27427 [Applications/Tor Browser]: [PATCH] Fix NoScript IPC for about:blank by whitelisting messages
Index(es):
- Author
- Thread