[tbb-bugs] #30394 [Applications/Tor Browser]: NoScript disabled, fails open!

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat May 4 21:23:26 UTC 2019

#30394: NoScript disabled, fails open!
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  reopened
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
Changes (by cypherpunks):

 * status:  closed => reopened
 * resolution:  duplicate =>


 Reopening as requested enhancement.

 The current software is like an OS that opens all the TCP ports into a
 root shell, if the kernel firewall fails to load. No exaggeration: The
 browser runs executable code from untrusted network sites.

 Tor Browser should start with `javascript.enabled` set to `false` by
 default, and only set it to `true` upon successful load of NoScript.

 Thanks to other cypherpunks, ticket:30394#comment:4

 In the rare event of NoScript failure, is better to have some users
 complain "why did the web break?" than expose ''all'' users to risk
 covered by a false sense of security.

 == Steps to reproduce:

 1. Have Mozilla break their PKI (''not hypothetical:'' it happened!)
 2. Open Tor Browser
 3. Set the "Security Slider" to "High"
 4. Enjoy false sense of security while your browser runs arbitrary
 executable code from any sites you surf, their ad servers, etc.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30394#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list