[tbb-bugs] #26520 [Applications/Tor Browser]: NoScript is broken with TOR_SKIP_LAUNCH=1 in ESR 60-based Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Aug 28 07:11:59 UTC 2018 

#26520: NoScript is broken with TOR_SKIP_LAUNCH=1 in ESR 60-based Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:
                                                 |  pospeselr
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff60-esr, TorBrowserTeam201808,      |  Actual Points:
  noscript                                       |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by ma1):

 Replying to [comment:33 arthuredelstein]:


 > Do we know for sure that NoScript loading first is unlikely? I'm not
 actually sure about what determines the order of XPIs loading.

 If your XPI is a bootstrapped (legacy) extensions and does all its
 initialization in its startup callback yes, it's impossible for NoScript
 to be initialized first: WebExtensions are loaded asynchronously, most if
 not all the WebExtensions APIs are asynchronous as well. As a matter of
 facts, NoScript needs some ugly hacks (like blocking and reloading pages
 retrieved from session restore) in order not reliably enforce its policy
 on startup (see
 [https://github.com/hackademix/noscript/blob/10.1.9rc2/src/bg/deferWebTraffic.js
 deferredWebTraffic.js]).

 >
 > If we wanted to be absolutely sure, NoScript could be patched to listen
 for a "ping" and reply with a "pong". And then torbutton could repeatedly
 send "ping" (say, once a second) until it receives a "pong", and then
 proceed by sending the first updateSettings message.
 >
 > Giorgio, would that sort of patch sound reasonable to you? If so, I can
 send a pull request.

 Not knowing what kind of (possibly asynchronous) work you're doing on your
 side before you're ready, I'm willing to check a patch, provided that it
 doesn't break other clients different than the Tor Browser.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26520#comment:34>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list