[tor-bugs] #9387 [Tor Launcher]: Tor Launcher/Torbutton should provide a "Security Slider"
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Oct 30 11:36:20 UTC 2014
#9387: Tor Launcher/Torbutton should provide a "Security Slider"
---------------------------------------------------------------------------
Reporter: mikeperry
Owner: gk
Type: enhancement
Status: needs_information
Priority: major
Milestone:
Component: Tor Launcher
Version:
Resolution:
Keywords: TorBrowserTeam201410D, tbb-security, tbb-usability,
  tbb-linkability, tbb-3.0, extdev-interview, tbb-isec-report,
  MikePerry201410R, tbb-4.5-alpha
Actual Points:
Parent ID:
Points:
---------------------------------------------------------------------------
Comment (by gk):
Replying to [comment:56 mikeperry]:
> gk - I noticed a bug with noscript.globalHTTPSWhitelist. It seems that
> it improperly blocks some elements in https pages unless https: is also
> added to the NoScript whitelist. I notified Giorgio about this bug, but he
> has not fixed it yet. We may want to add "https:" to the NoScript pref
> capability.policy.maonoscript.sites as a workaround until this is fixed.
Ok. This actually means adding " https:" just to case 1-3 (the medium-high
position)? The first two levels leave the NoScript JS related prefs alone
but are affected by this bug, too, and the fourth level is locking down all
JS, so this isn't needed there. I am in fact quite confused about these
related NoScript JS prefs: `noscript.globalHTTPSWhitelist` is supposed to
be `noscript.globalHttpsWhitelist`, right? And
{{{
Disable JS for non HTTPS URL Bars -> noscript.globalHTTPSWhitelist
}}}
in comment:43 is supposed to be
{{{
Disable JS for non HTTPS URL Bars -> noscript.allowHttpsOnly
}}}
or am I missing something? How is `noscript.globalHttpsWhitelist` set in
mode 1-3? Assuming we only disable it in mode 4 I guess we enable it in
them?
> I think that with noscript.cascadePermissions and
> noscript.cascadePermissions, having https: in the whitelist still does not
> allow scripts if the url bar is http, but we should also verify this.
Okay, this still needs to be done.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9387#comment:57>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online