[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #1811 [Torbutton]: Should Torbutton toggle javascript.enabled in Firefox per documentation?
#1811: Should Torbutton toggle javascript.enabled in Firefox per documentation?
----------------------------------------------------+-----------------------
Reporter: joebt | Owner: mikeperry
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Torbutton | Version: Torbutton: 1.2.5
Keywords: Torbutton, javascript, enabled, toggle | Parent:
----------------------------------------------------+-----------------------
Previous bugs stating Torbutton no longer toggling "Javascript Enabled" in
Firefox (mainly after v3.5 or 3.6) have been answered that it isn't a bug
(see # 979 below). Previous Torbutton versions did toggle âEnable
Javascriptâ in Firefox Options > Content. Now, apparently not in later
versions?
Current documentation seems to indicate it should be toggling the Firefox
preference âjavascript.enabled.â If correct, it would toggle the box in
Options / Content.
Question is, should it be toggling âjavascript.enabledâ and thus toggling
the Content check box, or does the documentation need updating or
clarification? Also, Tor Project site gives current links to Tor Detector
site http://torcheck.xenobite.eu/. With Tor, Polipo & Torbutton enabled,
the site warns âJAVASCRIPT ENABLEDâ as security / anonymity risk.
If Torbutton no longer toggles âEnable Javascriptâ in Firefox, (instead
âmakes javascript safe for anonymity...â), is this still a valid parameter
for [http://torcheck.xenobite.eu/ torcheck.xenobite.eu/] to check & report
as a security risk? Maybe check site needs updating or Tor Project needs
to link to different sites? Also FAQs & documentation may need revising to
inform __average__ users of expected behavior.
'''Ticket 979: Torbutton not disabling javascript.'''
Response:
flyspray2trac: bug closed.
This is a feature. Torbutton makes javascript safe for anonymity purposes.
If you fear javascript exploits, use quickjava or noscript to disable it.
From current (8-7-10) online Torbutton Design doc at:
http://www.torproject.org/torbutton/design/
From section:
6. Relevant Firefox Bugs
6.1. Bugs impacting security
6. [https://bugzilla.mozilla.org/show_bug.cgi?id=409737 Bug 409737 -
javascript.enabled and docShell.allowJavascript do not disable all
event handlers]
From same doc, section 7:
7.3. Active testing (aka How to Hack Torbutton)
"Other ways to cause Javascript to be executed after
'''javascript.enabled''' has been toggled off."
If it should be toggling javascript.enabled, it hasn't done it for me for
several versions of Torbutton and Firefox 3.6 â 3.6.8.
Reproducible: always
Windows Vista x64 SP 2
Clean install of Firefox 3.6.8, new profile, no addons.
Torbutton 1.25, Tor 0.2.1.26 w/ Polipo installed, all running.
Tor checksite always reports âJavascript Enabledâ as security risk.
With Torbutton 1.25 (& prior versions) enabled, !about:config shows
javascript.enabled value = true. (contradicts sect. 7.3 Active Testing)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1811>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs