[tbb-bugs] #14851 [Tor Browser]: NoScript update caused permissions pref update

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Feb 17 18:20:48 UTC 2015


#14851: NoScript update caused permissions pref update
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  tbb-team
  mikeperry              |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  normal   |    Version:
    Component:  Tor      |   Keywords:  TorBrowserTeam201502, tbb-disk-leak
  Browser                |  Parent ID:
   Resolution:           |
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by gk):

 Replying to [ticket:14851 mikeperry]:
 > There are two issues here: First, what is the best way to switch this
 > pref back to true for our users? Can we simply update our
 > extension-overrides.js file for this pref for update?

 Yes, it seems to work.

 > Second, what caused this discrepancy to happen? How do we prevent it in
 > the future? Now that we have an updater, should we disable updates for
 > NoScript and HTTPS-Everywhere in 4.5?

 There is no discrepancy. You updated 4.0.2 to a NoScript version >
 2.6.9.10 which has the pref in question set to `false`. 4.0.3 is shipped
 with NoScript 2.6.9.10 which has it still set to `true`. If you update the
 NoScript in 4.0.3 you get the same problem.

 I think the only way to reliably prevent that issue generally is indeed to
 ship NoScript (and HTTPS-E) updates only via our updater. The NoScript
 release speed makes this probably not feasible for us at the moment but I
 think we should and could start with HTTPS-E (#10394) and see how it goes
 just taking important security-related updates justifying an out-of-order
 release. We could start monitoring the NoScript releases with the same
 criteria in mind to get a handle on how many additional releases we would
 need to do approximately. I might even volunteer for that task as having
 these extensions just updating themselves makes me quite nervous.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14851#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online