[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor browser 9.0.7 is broken

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Tor browser 9.0.7 is broken
From: Nicolas Vigier <boklm@xxxxxxxxxxxxxxxx>
Date: Tue, 24 Mar 2020 14:03:04 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 24 Mar 2020 09:03:21 -0400
In-reply-to: <5e9905723a22a9ebb551c476de3f889462b350cc.camel@mailbox.org>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <5e9905723a22a9ebb551c476de3f889462b350cc.camel@mailbox.org>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: NeoMutt/20170113 (1.7.2)

On Tue, 24 Mar 2020, Robin Lee wrote:

> Hi
> 
> I just updated to Tor browser 9.0.7 and now any site that I've given
> javascript permission to no longer works! For example I go to 
> https://protonirockerxow.onion and the website says I should enable
> javascript, but I already added this site to the ones that can send
> javascript and Tor browser tells me that it has blocked 0 items.

Tor Browser 9.0.7 is now disabling javascript completely when selecting
the Safest security level, which also prevents using noscript to allow
some javascript to run:
https://blog.torproject.org/new-release-tor-browser-907

The reason we did this change is that a bug in Firefox ESR might allow
bypassing Noscript. Although Noscript now includes some workarounds to
prevent that from happenning, but we don't know if that is enough.

If you want to allow javascript on a specific website, I think there
are two main options:

 - set javascript.enabled and use noscript configuration to allow
   javascript on some specific website, and accept the risk that some
   other website might be able to bypass noscript.

 - change the security level before visiting the website where you want
   javascript. But also remember that the security level applies to all
   open tabs, so you should not forget to change it back to Safest
   before visiting other websites.

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Tor browser 9.0.7 is broken
  - From: Robin Lee

Prev by Author: [tor-talk] Upcoming Tor security releases to fix a denial-of-service issue
Next by Author: Re: [tor-talk] Revisiting youtube blocking TBB, virtually all 1st attempts to load YT
Previous by thread: [tor-talk] Tor browser 9.0.7 is broken
Next by thread: [tor-talk] Blur screen in TBB with fractional scaling
Index(es):
- Author
- Thread