[tor-bugs] #28873 [Applications/Tor Browser]: Cascading of permissions does not seem to work properly in Tor Browser 8

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Dec 30 13:36:30 UTC 2018


#28873: Cascading of permissions does not seem to work properly in Tor Browser 8
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  ma1
     Type:  defect                               |         Status:  closed
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:  fixed
 Keywords:  noscript, tbb-security, tbb-         |  Actual Points:
  torbutton, tbb-8.0-issues, tbb-regression,     |
  TorBrowserTeam201812R                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * status:  needs_information => closed
 * resolution:   => fixed


Comment:

 Replying to [comment:10 ma1]:
 > An afterthought: some users are complaining that having TRUSTED subframes
 constrained by DEFAULT/UNTRUSTED parent document is annoying, if not
 dysfunctional: for instance if you've set YouTube to TRUSTED, embedded
 movies used to work without the need of raising privileges of the parent
 page. One may object that you could always use "show only this frame", but
 do we really have a strong case here for cascading inline restrictions to
 trusted subdocuments? What's the threat model we're guarding against
 (beside clickjacking, which is orthogonal to scripting though)?

 The idea is to defend against malicious exit nodes or other attackers on
 the wire who want to inject and execute malicious JavaScript despite the
 user setting the security slider to "safer", which means (among other
 things) "only execute JavaScript loaded over HTTPS provided the URL bar
 domain got loaded over HTTPS as well".

 E.g. it should not be possible that an exit node owner rewrites URLs in a
 document loaded over HTTP, pointing to malicious JavaScript loaded over
 HTTPS from a domain they control and getting that JavaScript executed in
 Tor Browser if the user is on "safer".

 I am fine adding additional code on our side for interacting with NoScript
 to get that property if that helps you and other users of NoScript who
 were complaining.

 That said, this bug got fixed with the update to NoScript 10.2.1 on
 `master` (commit b32e182633bba7733b635bc5dd0fcbd55436f4d7) and `maint-8.0`
 (commit b35cea6792f294d0a625fde5595f1c96a8a2a72a).

 (FWIW: the .xpi on AMO does not have an "an" anymore indicating it works
 on Android, is that intentional? Diffing 10.2.0 and 10.2.1 I think 10.2.1
 should still do its job on Android, too, or am I overlooking something?)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28873#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
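
The "safer" rule described in the reply above, as an added example that is not part of the ticket and is not NoScript or Tor Browser code: it contrasts a per-frame check with a cascading one for an HTTPS frame embedded in an HTTP page. Assumptions: the function names, the `*.example` URLs (constructed), and the generalization from "the URL bar document" to every ancestor document in the frame chain.

```javascript
"use strict";
// Added illustration of the policy discussed in the ticket; hypothetical names.

// True only for parsable https: URLs; anything unparsable fails closed.
function isHttps(url) {
  try {
    return new URL(url).protocol === "https:";
  } catch (_) {
    return false;
  }
}

// Non-cascading check: looks only at the document that requests the script.
function perFrameDecision(frameChain, scriptUrl) {
  const requester = frameChain[frameChain.length - 1];
  return isHttps(requester) && isHttps(scriptUrl);
}

// Cascading check: frameChain is ordered from the URL-bar document (depth 0)
// down to the document that requests the script. One non-HTTPS document
// anywhere in the chain blocks scripts in everything below it.
function cascadingDecision(frameChain, scriptUrl) {
  if (!Array.isArray(frameChain) || frameChain.length === 0) {
    return { allow: false, reason: "no document context" };
  }
  const weak = frameChain.findIndex((doc) => !isHttps(doc));
  if (weak !== -1) {
    return { allow: false, reason: `document at depth ${weak} not loaded over HTTPS` };
  }
  if (!isHttps(scriptUrl)) {
    return { allow: false, reason: "script not loaded over HTTPS" };
  }
  return { allow: true, reason: "HTTPS from URL bar down to script" };
}

// Constructed sample: an HTTP top-level page embedding an HTTPS frame.
const SAMPLE_CHAIN = ["http://news.example/article", "https://video.example/embed/1"];
const SAMPLE_SCRIPT = "https://video.example/player.js";

function demo() {
  return {
    perFrame: perFrameDecision(SAMPLE_CHAIN, SAMPLE_SCRIPT),
    cascading: cascadingDecision(SAMPLE_CHAIN, SAMPLE_SCRIPT),
  };
}

console.log(demo());
```

The per-frame check allows the script because the frame and script are both HTTPS, while the cascading check blocks it because the embedding page could have been rewritten on the wire.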

