[tor-bugs] #1811 [Torbutton]: Should Torbutton toggle javascript.enabled in Firefox per documentation?

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat Aug 7 19:52:33 UTC 2010


#1811: Should Torbutton toggle javascript.enabled in Firefox per documentation?
----------------------------------------------------+-----------------------
 Reporter:  joebt                                   |       Owner:  mikeperry       
     Type:  enhancement                             |      Status:  new             
 Priority:  normal                                  |   Milestone:                  
Component:  Torbutton                               |     Version:  Torbutton: 1.2.5
 Keywords:  Torbutton, javascript, enabled, toggle  |      Parent:                  
----------------------------------------------------+-----------------------
 Previous bugs stating Torbutton no longer toggling "Javascript Enabled" in
 Firefox (mainly after v3.5 or 3.6) have been answered that it isn't a bug
 (see # 979 below). Previous Torbutton versions did toggle “Enable
 Javascript” in Firefox Options > Content. Now, apparently not in later
 versions?

 Current documentation seems to indicate it should be toggling the Firefox
 preference “javascript.enabled.” If correct, it would toggle the box in
 Options / Content.

 Question is, should it be toggling “javascript.enabled” and thus toggling
 the Content check box, or does the documentation need updating or
 clarification? Also, Tor Project site gives current links to Tor Detector
 site http://torcheck.xenobite.eu/. With Tor, Polipo & Torbutton enabled,
 the site warns “JAVASCRIPT ENABLED” as security / anonymity risk.

 If Torbutton no longer toggles “Enable Javascript” in Firefox, (instead
 “makes javascript safe for anonymity...”), is this still a valid parameter
 for [http://torcheck.xenobite.eu/ torcheck.xenobite.eu/] to check & report
 as a security risk? Maybe check site needs updating or Tor Project needs
 to link to different sites? Also FAQs & documentation may need revising to
 inform __average__ users of expected behavior.

 '''Ticket 979: Torbutton not disabling javascript.'''

 Response:

 flyspray2trac: bug closed.
 This is a feature. Torbutton makes javascript safe for anonymity purposes.
 If you fear javascript exploits, use quickjava or noscript to disable it.

 From current (8-7-10) online Torbutton Design doc at:

 http://www.torproject.org/torbutton/design/

 From section:

 6. Relevant Firefox Bugs

 6.1. Bugs impacting security

  6. [https://bugzilla.mozilla.org/show_bug.cgi?id=409737 Bug 409737 -
 javascript.enabled and docShell.allowJavascript do not         disable all
 event handlers]

 From same doc, section 7:

 7.3. Active testing (aka How to Hack Torbutton)

 "Other ways to cause Javascript to be executed after
 '''javascript.enabled''' has been toggled off."

 If it should be toggling javascript.enabled, it hasn't done it for me for
 several versions of Torbutton and Firefox 3.6 – 3.6.8.

 Reproducible: always

 Windows Vista x64 SP 2

 Clean install of Firefox 3.6.8, new profile, no addons.

 Torbutton 1.25, Tor 0.2.1.26 w/ Polipo installed, all running.

 Tor checksite always reports “Javascript Enabled” as security risk.

 With Torbutton 1.25 (& prior versions) enabled, !about:config shows
 javascript.enabled value = true. (contradicts sect. 7.3 Active Testing)

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1811>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list