[tor-bugs] #17917 [Applications/Tor Browser]: Changelog after update is empty if JS is disabled

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 12 15:54:36 UTC 2016 

#17917: Changelog after update is empty if JS is disabled
--------------------------------------------+------------------------
 Reporter:  gk                              |          Owner:  mcs
     Type:  defect                          |         Status:  closed
 Priority:  Medium                          |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:  fixed
 Keywords:  tbb-5.5, TorBrowserTeam201601R  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:
--------------------------------------------+------------------------

Comment (by ma1):

 Replying to [comment:24 bugzilla]:
 > Replying to [comment:16 mcs]:
 > > Maybe NoScript's behavior was modified at some point and we need to
 list the full URL for each about:... page. Should I ask Giorgio Maone?
 > You really should. Because about:cache is broken the same way, and who
 knows what else.

 At a certain point Mozilla phased out CAPS, which was the original
 declarative subsystem which NoScript relied upon for script blocking, and
 which automatically "knew" about internal about:xyz URIs marked as
 privileged, leaving them alone even if they were not whitelisted. In that
 context, an about URI not matching NoScript's whitelist was still capable
 of running scripts ''if privileged'' (e.g. about:addons), causing only a
 cosmetic UI mismatch (you would see it as forbidden in NoScript's UI while
 it worked anyway).
 Once CAPS has been removed, I had to switch to a completely different
 script-blocking approach, which programmatically checks each page's URL
 just before HTML parsing (and therefore script execution) starts and set
 "script blocked" flag at the window level. This flag is not overridden by
 "privileged" about: URIs, therefore if they're not whitelisted in NoScript
 they won't run scripts.
 From then on, whatever the UI says is in sync with the actual page status,
 but on the other hand if Mozilla adds new about: pages which require
 scripts (or starts requiring scripts for an existent about: page which
 could previously work without) it either needs to be manually whitelisted
 or, since we generally trust privileged browser code, it's preferably
 added to noscript.mandatory. Which, as you noticed, is not always up to
 date.
 As soon as I'm done with my current top priorities (e10s full
 compatibility and WebExtensions migration) I'll try to figure out a way to
 automatically keep in sync privileged about: URIs, if possible.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17917#comment:25>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list