[tbb-bugs] #34305 [Applications/Tor Browser]: NoScript inconsistent behaviour in Firefox 77 (currently beta)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue May 26 13:47:48 UTC 2020
#34305: NoScript inconsistent behaviour in Firefox 77 (currently beta)
-------------------------------------------------+-------------------------
Reporter: acat | Owner: acat
Type: defect | Status:
| needs_information
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: noscript TorBrowserTeam202005, | Actual Points:
ff78-esr |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by ma1):
Sorry for the late answer, but I was unable to comment (the textarea was
missing).
As correctly guessed by acat, the culprit isan implementation detail of
https://bugzilla.mozilla.org/show_bug.cgi?id=1462989 (a webRequest
listener can only either delete or merge CSP headers now, not both in the
same callback), which combined to the fact CSP headers injected by
extensions get cached by the browser and automatically reinserted in
cached responses, can cause all sorts of confusions when policies change
without cache-purging reloads.
The (quite annoying, but effective) work-around is uniquely "tagging"
NoScript's CSP headers, to not interfere with page's own policies or other
extensions (something NoScript already did) and registering a second
auxiliary listener which just does the cleanup by removing the previously
cached CSP headers.
I hope to release a development build containing this work-around later
today or tomorrow, and a stable AMO auto-update within this week.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34305#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list