[tbb-bugs] #26520 [Applications/Tor Browser]: NoScript is broken with TOR_SKIP_LAUNCH=1 in ESR 60-based Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Aug 28 15:36:38 UTC 2018 

#26520: NoScript is broken with TOR_SKIP_LAUNCH=1 in ESR 60-based Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:
                                                 |  pospeselr
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff60-esr, TorBrowserTeam201808,      |  Actual Points:
  noscript                                       |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by ma1):

 Replying to [comment:38 rustybird]:
 > Although even with both "start" and "ping"/"pong", AFAICT it's still not
 100% certain that the updateSettings message is sent and handled before
 the first page is loaded...

 Well, IMHO the most reliable way to do it, no matter how long
 initialization takes on both sides, could be this:

 1) NoScript needs a way to know very early (at the beginning of its
 execution) that it's running in the Tor Browser.
 Ideally, the [https://developer.mozilla.org/en-US/docs/Mozilla/Add-
 ons/WebExtensions/API/runtime/getBrowserInfo
 browser.runtime.getBrowserInfo()] API should return something unique, like
 {name: "Tor Browser", vendor: "The Tor Project"} (not sure if this
 requires a patch to the WebExtensions API or just setting some
 preference).

 2) If it knows it's hosted by TB, NoScript will run its initialization
 code, including the part where it defers all the content network activity
 until ready, but won't unblock  until a specific "updateSettings" message
 is received from the Tor Browser.

 Anyway, if all the Tor Button initialization happens synchronously in a
 [https://developer.mozilla.org/en-
 US/docs/Mozilla/Tech/XPCOM/Guide/Receiving_startup_notifications profile-
 after-change observer], like it was usually done in XUL extensions, it
 will definitely finish before NoScript starts.

 Therefore, if this is the case, NoScript waiting for the "start" message
 to be answered (like in the original patch) should suffice, provided that
 this happens **before** we resolve the init() promise and give the green
 light to ''deferWebTraffic'': hence my just released
 [https://github.com/hackademix/noscript/releases/tag/10.1.9rc3 10.1.9rc3]
 which reorders NoScript's startup sequence to guarantee this. Please test
 it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26520#comment:39>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list