[tor-bugs] #13998 [Tor Browser]: Tor Browser needs to handle changes in NoScript 2.6.9.8+

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 13 11:55:12 UTC 2015


#13998: Tor Browser needs to handle changes in NoScript 2.6.9.8+
------------------------------+--------------------------------------------
      Reporter:  mikeperry    |      Owner:  tbb-team
          Type:  defect       |     Status:  needs_review
      Priority:  normal       |  Milestone:
     Component:  Tor Browser  |    Version:
    Resolution:               |   Keywords:  TorBrowserTeam201501R, tbb-4.5-alpha-3, MikePerry201501R
 Actual Points:               |  Parent ID:
        Points:               |
------------------------------+--------------------------------------------
Changes (by gk):

 * status:  new => needs_review


Comment:

 Replying to [ticket:13998 mikeperry]:
 > In NoScript 2.6.9.8, Giorgio landed several fixes for us that will
 > result in changes to how Tor Browser interacts with NoScript. Here are the
 > ones I'm aware of:
 >
 > 1. We no longer need to add https: to the whitelist for the "Medium-High"
 > security slider position due to fixes to noscript.globalHttpsWhitelist.

 Should be fixed in my bug_13998 in my public Torbutton repo. Looking at
 NoScript code I found a more serious bug that is fixed now as well: we
 need to disable NoScript in the Medium/High mode. Otherwise any JavaScript
 resource is loaded as the HTTPS checks are only considered if JavaScript
 is disabled. See: `isJSEnabled()` in noscriptService.js.

 It works fine, e.g. with https://taz.de or https://www.spiegel.de.
 Interestingly, the latter won't load any JS over https://. The reason is
 that www.spiegel.de does not support TLS and the internal JavaScript on
 that site is trying to load all the https:// resources, which is obviously
 failing, which is fine I think (although maybe a bit confusing in the first
 place).

 > 1. Temporary permissions are no longer stored in the noscript.temp pref
 > (which gets written to disk). Instead, they are stored in a new
 > memory-only data structure. This means New Identity needs to change how
 > it clears NoScript permissions.

 What do you mean by "new memory-only data structure"? As far as I can see
 there is no such thing. `tempSites` and `gTempSites` are already available
 in 2.6.9.6 and cleared if we call `eraseTemp`. (The same still happens
 with 2.6.9.10, which is why we don't have to change anything wrt temporary
 permissions, I think.)

 > 1. The pref noscript.volatilePrivatePermissions (which governs if
 > temporary permissions are used for Private Browsing Mode) is false by
 > default. We probably want to set it to true if disk records are disabled,
 > but false if they are enabled. We will also need to ensure "New Identity"
 > properly clears the permissions in both cases.

 Looking at the code this pref is true by default beginning from 2.6.9.7,
 if I see that correctly. Grepping gives me something like:

 {{{
 ./defaults/preferences/noscript.js:pref("noscript.volatilePrivatePermissions", true);
 }}}

 And updating a freshly downloaded 4.5-alpha-2 to 2.6.9.10 shows `true` as
 well. Did you have something else here in mind?

 `volatilePrivatePermissions` should now be bound to no-disk/disk, but as in
 the previous point you mentioned fixed there is no change in handling
 temporary permissions. This pref is used more to hide non-temporary
 menuitems and not to tamper with the nature of the permissions themselves. I
 tested it a bit though and think we don't need to implement changes here
 unless we want to erase the permanent permissions as well on New Identity.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13998#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

