[tor-bugs] #28873 [Applications/Tor Browser]: Cascading of permissions does not seem to work properly in Tor Browser 8

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 17 10:48:33 UTC 2018 

#28873: Cascading of permissions does not seem to work properly in Tor Browser 8
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  reopened
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  noscript, tbb-security, tbb-         |  Actual Points:
  torbutton, tbb-8.0-issues, tbb-regression,     |
  TorBrowserTeam201812                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Description changed by gk:

Old description:

> On level "safer" of our security slider we want to prevent executing
> JavaScript if the URL bar domain is loaded over HTTP. That means even if
> embedded content is loaded over HTTPS it's not allowed to load and
> execute JavaScript that way. We used the `cascadePermissions` and the
> `globalHttpsWhitelist` prefs for that in the XPCOM NoScript.
>
> This mechanism seems to be broken as e.g. HTTPS JavaScript can get loaded
> in a HTTP site context (as an example take
> http://www.worldstarhiphop.com/featured/131305).
>
> This got noted on our blog: https://blog.torproject.org/new-release-tor-
> browser-85a6.

New description:

 On level "safer" of our security slider we want to prevent executing
 JavaScript if the URL bar domain is loaded over HTTP. That means even if
 embedded content is loaded over HTTPS it's not allowed to load and execute
 JavaScript that way. We used the `cascadePermissions` and the
 `globalHttpsWhitelist` prefs for that in the XPCOM NoScript.

 This mechanism seems to be broken as e.g. HTTPS JavaScript can get loaded
 in a HTTP site context (as an example take
 http://www.worldstarhiphop.com/featured/131305).

 This got noted on our blog:
 https://blog.torproject.org/comment/278987#comment-278987.

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28873#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list