[tbb-bugs] #30396 [Applications/Tor Browser]: Re-enable NoScript after Mozilla bug #1549078

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat May 4 18:22:00 UTC 2019

#30396: Re-enable NoScript after Mozilla bug #1549078
 Reporter:  cypherpunks  |          Owner:  tbb-team
     Type:  defect       |         Status:  new
 Priority:  Medium       |      Component:  Applications/Tor Browser
  Version:               |       Severity:  Normal
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
 Reviewer:               |        Sponsor:
 Saturday, May 4, 2019

 TBB 8.0.8
 NoScript 10.6.1

 The NoScript add-on was automatically disabled in the background and
 removed from the toolbar without user intervention. Mozilla is rolling out
 a fix for Desktop using the Studies system, but Mozilla studies are
 disabled in Tor Browser. They don't have a fix yet for Android.

 I had one tab open to google.com search results on Safer. A yellow banner
 showed up across the top of the page inside the tab.
 "One or more installed add-ons cannot be verified and have been disabled.
 [Learn More] X"

 The Add-ons tab (about:addons) says:
 "Missing something? Some extensions are no longer supported by Tor
 Browser. [Show legacy extensions]"

 Which opens:
 "Legacy Extensions
 These extensions do not meet current Tor Browser standards so they have
 been deactivated.
 NoScript could not be verified for use in Tor Browser and has been
 disabled. [More Information]"

 "More Information" goes to this Mozilla page implying the add-on is not
 signed (scary and false):

 A banner on that page says:
 We rolled out a hotfix that re-enables affected add-ons. The fix will be
 automatically applied in the background within the next few hours. For
 more details, please check out the update at https://support.mozilla.org

 That page basically says there was a major fuck-up by a centralized
 Mozilla signing update and that a patch fix will be applied unless Studies
 are disabled in the browser. Mozilla studies are disabled in Tor Browser,
 so we were hit with an unintentional attack and are blocked by default
 from repair. It's a hole for administrative exploitation.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30396>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list