[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #13998 [Tor Browser]: Tor Browser needs to handle changes in NoScript 2.6.9.8+
#13998: Tor Browser needs to handle changes in NoScript 2.6.9.8+
-------------------------+-------------------------------------------------
Reporter: | Owner: tbb-team
mikeperry | Status: needs_review
Type: defect | Milestone:
Priority: normal | Version:
Component: Tor | Keywords: TorBrowserTeam201501R,
Browser | tbb-4.5-alpha-3, MikePerry201501R
Resolution: | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Changes (by gk):
* status: new => needs_review
Comment:
Replying to [ticket:13998 mikeperry]:
> In NoScript 2.6.9.8, Giorgio landed several fixes for us that will
result in changes to how Tor Browser interacts with NoScript. Here are the
ones I'm aware of:
>
> 1. We no longer need to add https: to the whitelist for the "Medium-
High" security slider position due to fixes to
noscript.globalHttpsWhitelist.
Should be fixed in my bug_13998 in my public Torbutton repo. Looking at
NoScript code I found a more serious bug that is fixed now as well: we
need to disable NoScript in the Medium/High mode. Otherwise any JavaScript
resource is loaded as the HTTPS checks are only considered if JavaScript
is disabled. See: `isJSEnabled()` in noscriptService.js.
It works fine, e.g. with https://taz.de or https://www.spiegel.de.
Interestingly, the latter won't load any JS over https://. The reason is
that www.spiegel.de does not support TLS and the internal JavaScript on
that side is trying to load all the https:// resources which is obviously
failing which is fine I think (although maybe a bit confusing in the first
place).
> 1. Temporary permissions are no longer stored in the noscript.temp pref
(which gets written to disk). Instead, they are stored in a new memory-
only data structure. This means New Identity needs to change how it clears
NoScript permissions.
What do you mean by "new memory-only data structure"? As far as I can see
there is no such thing. `tempSites` and `gTempSites` are already available
in 2.6.9.6 and cleared if we call `eraseTemp`. (The same happens still
with 2.6.9.10 which is why we don't have to change anything wrt temporary
permissions, I think)
> 1. The pref noscript.volatilePrivatePermissions (which governs if
temporary permissions are used for Private Browsing Mode) is false by
default. We probably want to set it to true if disk records are disabled,
but false if they are enabled. We will also need to ensure "New Identity"
properly clears the permissions in both cases.
Looking at the code this pref is true by default beginning from 2.6.9.7,
if I see that correctly. Grepping gives me something like:
{{{
./defaults/preferences/noscript.js:pref("noscript.volatilePrivatePermissions",
true);
}}}
And updating a freshly downloaded 4.5-alpha-2 to 2.6.9.10 shows `true` as
well. Did you have something else here in mind?
`volatilePrivatePermissions` should now be bound to no-disk/disk but as in
the previous point you mentioned fixed there is no change in handling
temporary permissions. This pref is more used to hide non-temporary
menuitems and not to tamper with the nature of the permissions itself. I
tested it a bit though and think we don't need to implement changes here
unless we want to erase the permanent permissions as well on New Identity.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13998#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs