[tor-bugs] #17570 [Tor Browser]: HTTP JavaScript running in Medium-High security mode
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Nov 9 20:12:01 UTC 2015
#17570: HTTP JavaScript running in Medium-High security mode
-------------------------+--------------------------
 Reporter:  cypherpunks  |          Owner:  tbb-team
     Type:  defect       |         Status:  new
 Priority:  Medium       |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Major        |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
-------------------------+--------------------------
Changes (by mikeperry):
* cc: boklm, gk (added)
Comment:
Both GeKo and I tried to reproduce this by loading the test site at
Medium-High. According to the built-in Firefox Network Monitor and
JavaScript debugger (Vent->Developer->Network and
Vent->Developer->Debugger), no scripts are loading on the http page. Once
you click the link to the https page, scripts do load, but you're then on
an https page, so they should be loading there.
Perhaps you were confused by the fact that allowing the cert for this site
allows the CSS, which makes it slightly more dynamic in http? That
confused me at first too.
If you can provide a more clear way to show that scripts are actually
running in the http site, please give us another test case or
instructions. Also, please additionally encrypt to boklm, who is the
engineer responsible for the regression tests that we use to verify this
security property (see #13053). Here's his key info:
{{{
pub 4096R/2067001B1B678A63 2011-08-04
Key fingerprint = C9B8 CAC3 318B 9A9E 4883 5961 2067 001B 1B67 8A63
uid Nicolas Vigier (boklm) <boklm at mars-attacks.org>
uid Nicolas Vigier (boklm) <boklm at torproject.org>
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17570#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online