[tor-bugs] #20366 [Applications/Tor Browser]: NoScript allows all 3rd party scripts when base domain is blocked

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 10 13:05:21 UTC 2016


#20366: NoScript allows all 3rd party scripts when base domain is blocked
------------------------------------------+-------------------------
 Reporter:  joebt                         |          Owner:
     Type:  defect                        |         Status:  closed
 Priority:  Medium                        |      Milestone:
Component:  Applications/Tor Browser      |        Version:
 Severity:  Normal                        |     Resolution:  invalid
 Keywords:  NoScript, Cascade, 3rd party  |  Actual Points:
Parent ID:                                |         Points:
 Reviewer:                                |        Sponsor:
------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:2 joebt]:
 > I didn't discuss it directly with Giorgio, but NoScript forum's long
 > time main moderator, barbaz, claimed this feature "Cascade top document's
 > permissions...." was introduced at Tor devs' request.

 Yes, that is true.

 > I haven't confirmed that. If true, one question is, was this behavior
 > under a specific condition what Tor Project wanted or even considered?
 > Whether if a base domain is blocked, all 3rd party sites should be
 > '''shown''' as allowed or blocked.

 This was for the medium-high security level where we only allow scripts on
 HTTPS pages. This means if http:// is used in the URL bar then no script
 on that page is allowed to get executed. If https:// is used only scripts
 loaded with https:// are allowed to get executed.

 > When base domain is blocked, not sure if allowed 3rd party sites /
 > scripts would '''ever''' under any circumstance be able to execute under
 > NS or TBB.  Key phrase is "ever under any circumstance," vs. "probably
 > won't."

 If you mean with "blocked" doing that manually by blacklisting a domain, I
 don't know. That's not how we use/intend to use that feature.

 > Barbaz gave no real explanation - why or when the described behavior
 > would be desirable or expected by most users.
 >
 > Even if 3rd party scripts could '''never''' execute when a base domain
 > is blocked, showing them as "allowed" is probably disconcerting and not
 > what users prefer to see.  Far less significant GUI quirks than this have
 > been fixed.
 >
 > If enabling some TBB / Tor Button option made it incorrectly show "You
 > are NOT connected to Tor network," most users wouldn't want to ignore
 > that as just a quirk.

 True, but note the different scenario: here we are the ones that are
 responsible for the TBB/Torbutton option. Thus, it falls into our bug
 tracker. But on the other hand we are not maintaining NoScript nor are we
 patching it before compiling or plan to do so. We just use a feature of it
 as it is expected to work. If there are folks like you who want to have it
 function in a different use-case as well, going to the NoScript author(s)
 is the way to do it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20366#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

