[tbb-bugs] #28873 [Applications/Tor Browser]: Cascading of permissions does not seem to work properly in Tor Browser 8

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 17 08:45:39 UTC 2018


#28873: Cascading of permissions does not seem to work properly in Tor Browser 8
-------------------------------------+-------------------------------------
     Reporter:  gk                   |      Owner:  tbb-team
         Type:  defect               |     Status:  new
     Priority:  High                 |  Milestone:
    Component:  Applications/Tor     |    Version:
  Browser                            |   Keywords:  tbb-security, tbb-
     Severity:  Normal               |  torbutton, TorBrowserTeam201812
Actual Points:                       |  Parent ID:
       Points:                       |   Reviewer:
      Sponsor:                       |
-------------------------------------+-------------------------------------
 On level "safer" of our security slider we want to prevent executing
 JavaScript if the URL bar domain is loaded over HTTP. That means even if
 embedded content is loaded over HTTPS it's not allowed to load and execute
 JavaScript that way. We used the `cascadePermissions` and the
 `globalHttpsWhitelist` prefs for that in the XPCOM NoScript.

 This mechanism seems to be broken as e.g. HTTPS JavaScript can get loaded
 in a HTTP site context (as an example take
 http://www.worldstarhiphop.com/featured/131305).

 This got noted on our blog: https://blog.torproject.org/new-release-tor-
 browser-85a6.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28873>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list