[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #17570 [Tor Browser]: HTTP JavaScript running in Medium-High security mode
#17570: HTTP JavaScript running in Medium-High security mode
-------------------------+--------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------+--------------------------
Changes (by mikeperry):
* cc: boklm, gk (added)
Comment:
Both GeKo and I tried to reproduce this by loading the test site at
Medium-High. According to the built in Firefox Network Monitor and
Javascript debugger (Vent->Developer->Network and
Vent->Developer->Debugger), no scripts are loading on the http page. Once
you click the link to the https page, scripts do load, but you're then on
an https page, so they should be loading there.
Perhaps you were confused by the fact that allowing the cert for this site
allows the CSS, which makes it slightly more dynamic in http? That
confused me at first too.
If you can provide a more clear way to show that scripts are actually
running in the http site, please give us another test case or
instructions. Also, please additionally encrypt to boklm, who is the
engineer responsible for the regression tests that we use to verify this
security property (see #13053). Here's his key info:
{{{
pub 4096R/2067001B1B678A63 2011-08-04
Key fingerprint = C9B8 CAC3 318B 9A9E 4883 5961 2067 001B 1B67 8A63
uid Nicolas Vigier (boklm) <boklm@mars-
attacks.org>
uid Nicolas Vigier (boklm) <boklm@xxxxxxxxxxxxxx>
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17570#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs