[tor-bugs] #21270 [Applications/Tor Browser]: TBB noscript settings break WebExtensions addons

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jan 20 00:48:28 UTC 2017


#21270: TBB noscript settings break WebExtensions addons
------------------------------------------+----------------------
     Reporter:  replaythesong             |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 In TBB 6.0.8, depending on the position of the security slider, NoScript
 can end up blocking WebExtensions background scripts from running,
 breaking some firefox addons entirely.

 This occurs when security slider is medium-high or high, unless
 moz-extension: is added to capability.policy.maonoscript.sites.

 This bug does not seem to affect vanilla FF with latest NoScript
 installed, unless capability.policy.maonoscript.sites is set to the value
 used in TBB. Which is why I'm reporting it as a TBB bug, not a NoScript
 bug.

 NB This bug does not prevent WebExtension content scripts from running,
 but blocking background scripts is still enough to break many
 WebExtensions.

 Suggested fix: default prefs shipped with TBB should include
 moz-extension: in capability.policy.maonoscript.sites, (unless this has
 undesired security outcomes that I'm not aware of).


 Steps to reproduce

 1. Create a directory somewhere called ping.
 2. Create a file ping/manifest.json which contains:

 {
   "manifest_version": 2,
   "name": "Ping Test",
   "version": "1.0",

   "description": "Tiny extension which pings the console from a bg script.",

   "background": {
     "scripts": ["ping.js"]
   },

   "applications": {
     "gecko": {
       "id": "ping@ping.me",
       "strict_min_version": "42.0",
       "strict_max_version": "50.*"
     }
   }
 }

 3. Create a file ping/ping.js which simply contains:

 console.log('ping');

 4. Open Tor Browser, browse to about:config and set
 xpinstall.signatures.required to false, so that we will be allowed to
 install our own extensions.

 5. Set security slider to medium-high.

 6. Open Browser Console (Ctrl-Shift-J) and click 'Clear'.

 7. Browse to about:debugging, click 'Load Temporary Addon' and select
 ping/manifest.json.

 8. Go to Browser Console and note that 'ping' has NOT appeared.

 9. Set security slider to medium-low.

 10. Browse to about:addons. Disable 'Ping Test' then re-enable it.

 11. Go to Browser Console and note that 'ping' HAS now appeared.

 12. Set security slider back to medium-high.

 13. Browse to about:config and add " moz-extension:" to the end of
 capability.policy.maonoscript.sites.

 14. Clear the Browser Console.

 15. Browse to about:addons. Disable 'Ping Test' then re-enable it.

 16. Note that 'ping' HAS appeared.

 17. To clean up, just remove 'Ping Test' and set
 xpinstall.signatures.required and the security slider back to your
 preferred settings.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21270>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
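
Added example, not part of the ticket or of Tor Browser's code: a small JavaScript check that reads the text of a profile's prefs.js and reports whether capability.policy.maonoscript.sites contains the moz-extension: entry the reporter adds in step 13. The sample pref values are constructed, the function names are hypothetical, and treating the pref as a whitespace-separated list compared token by token is an assumption based on that step.

```javascript
// Pref named in the ticket; everything else here is illustrative.
const PREF = "capability.policy.maonoscript.sites";

// Collect string-valued pref("name", "value"); and user_pref(...) lines.
// Boolean and integer prefs are skipped: the whitelist is a string pref.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_)?pref\(\s*("(?:[^"\\]|\\.)*")\s*,\s*("(?:[^"\\]|\\.)*")\s*\)\s*;/gm;
  for (const m of text.matchAll(re)) {
    try {
      prefs.set(JSON.parse(m[1]), JSON.parse(m[2]));
    } catch (e) {
      // Escape sequence JSON cannot decode: skip the line rather than guess.
    }
  }
  return prefs;
}

// Report whether `scheme` appears as its own token in the whitelist.
// "pref-not-set" means the profile does not override the shipped default,
// which this check cannot see (prefs.js holds only changed prefs).
function auditWhitelist(text, scheme = "moz-extension:") {
  const value = parsePrefs(text).get(PREF);
  if (value === undefined) return { status: "pref-not-set", entries: [] };
  const entries = value.split(/\s+/).filter(Boolean);
  const status = entries.includes(scheme) ? "scheme-allowed" : "scheme-missing";
  return { status, entries };
}

// Constructed sample input, not taken from a real Tor Browser profile.
const SAMPLE_BEFORE = [
  "// constructed prefs.js excerpt",
  'user_pref("xpinstall.signatures.required", false);',
  'user_pref("capability.policy.maonoscript.sites", "about: chrome: resource:");',
].join("\n");

// The same excerpt after the edit described in step 13.
const SAMPLE_AFTER = SAMPLE_BEFORE.replace('resource:"', 'resource: moz-extension:"');

console.log(auditWhitelist(SAMPLE_BEFORE).status);
console.log(auditWhitelist(SAMPLE_AFTER).status);
```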

