[tbb-bugs] #26128 [Applications/Tor Browser]: Make security slider work with NoScript for ESR60

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jun 7 06:25:51 UTC 2018

#26128: Make security slider work with NoScript for ESR60
 Reporter:  arthuredelstein                  |          Owner:  tbb-team
     Type:  defect                           |         Status:
                                             |  needs_review
 Priority:  Very High                        |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  ff60-esr, TorBrowserTeam201806R  |  Actual Points:
Parent ID:                                   |         Points:
 Reviewer:                                   |        Sponsor:
Changes (by arthuredelstein):

 * keywords:  ff60-esr, TorBrowserTeam201805 => ff60-esr,
 * status:  new => needs_review


 Here's a patch for torbutton that talks to the WebExtensions version of


 This patch uses three tricks:
  1. Using a LegacyExtensionContext (defined in [https://dxr.mozilla.org
 LegacyExtensionsUtils.jsm]) to send JSON objects to NoScript via
  2. Taking advantage of an existing invocation of
 `browser.runtime.onMessage.addListener(...)` in NoScript's code that
 accepts a JSON object for updating NoScript's settings.
  3. Providing NoScript with settings for a "site" whose "domain" is
 "http:", which causes NoScript to match non-https sites.

 We may decide to tweak the capabilities for each security slider level; I
 tried to make them as close to the previous behavior as possible, but not
 sure if they're exactly as we want.

 One problem I ran into is that, even if I set NoScript only
 "script" and "fetch" content while disallowing "object", "media", "frame",
 "font", "webgl", and "other", I can still watch videos on YouTube. So I
 think this is a NoScript bug rather than a problem with this patch.

 (Thanks to Sukhbir for help with this!)

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26128#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list