[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #10464 [Tor bundles/installation]: TBB3.5's NoScript allows addons.mozilla.org even when scripts are globally forbidden



#10464: TBB3.5's NoScript allows addons.mozilla.org even when scripts are globally
forbidden
------------------------------------------+-------------------
     Reporter:  torar                     |      Owner:  erinn
         Type:  defect                    |     Status:  new
     Priority:  major                     |  Milestone:
    Component:  Tor bundles/installation  |    Version:
   Resolution:                            |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |
------------------------------------------+-------------------

Comment (by arma):

 So the clear bug is that we whitelist http://a.m.o and we should totally
 fix that.

 The harder tradeoff apparently is that if we allow https://a.m.o then a
 bad guy who can get an ssl cert can still give you javascript. But if we
 *don't* allow https://a.m.o, then if the user installs a new addon,
 Firefox won't check its integrity at all.

 It seems to me that 'Forbid scripts globally' is crystal clear about what
 you've asked it to do.

 Is there a way to warn a user who has javascript disabled and tries to
 install a new addon?

 If the user goes to about:config and turns javascript off manually, does
 this mean they no longer check integrity of new addons? (For added
 excitement, the new addons are fetched via http, because that's just how
 Firefox works.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10464#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs