[tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Apr 12 14:20:27 UTC 2017
#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-------------------------------------+-------------------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor | Version:
Browser | Keywords: noscript, tbb-
Severity: Normal | usability-website, ff52-esr
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
-------------------------------------+-------------------------------------
In
{{{
isGlobalHttps: function(win, /*optional */ s) {
let allow = false;
if (s && !this._isHttpsAndNotUntrusted(s)) return false;
for (;; win = win.parent) {
let site =
this.getSite(this.getPrincipalOrigin(this.getPrincipal(win.document)));
if (!(allow = s && site === s || this._isHttpsAndNotUntrusted(site))
|| win === win.parent)
break;
s = site;
}
return allow;
},
}}}
{{{
let site =
this.getSite(this.getPrincipalOrigin(this.getPrincipal(win.document)));
}}}
breaks as `win` is `null`.
This happens on a Tor Browser nightly with e10s enabled and based on ESR52
(tested on Linux 64 bits). The result is that the NoScript icon does not
get updated anymore and I guess all JS is disabled (I have not verified
that).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21923>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list