[tor-bugs] #28873 [Applications/Tor Browser]: Cascading of permissions does not seem to work properly in Tor Browser 8

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Dec 30 14:04:40 UTC 2018 

#28873: Cascading of permissions does not seem to work properly in Tor Browser 8
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  ma1
     Type:  defect                               |         Status:  closed
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:  fixed
 Keywords:  noscript, tbb-security, tbb-         |  Actual Points:
  torbutton, tbb-8.0-issues, tbb-regression,     |
  TorBrowserTeam201812R                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by ma1):

 Replying to [comment:11 gk]:
 >  "only execute JavaScript loaded over HTTPS provided the URL bar domain
 got loaded over HTTPS as well".
 >
 > E.g. it should not be possible that an exit node owner rewrites URLs in
 a document loaded over HTTP, pointing to malicious JavaScript loaded over
 HTTPS from a domain they control and getting that JavaScript executed in
 Tor Browser if the user is on "safer".

 OK, so as long as this is kept guaranteed (e.g. by checking whether the
 subdocument has been granted its TRUSTED status by a domain-specific rule
 or just by the generic "https:", as Tor does, and in the latter case
 enforcing this "HTTPS only" policy) we're fine, right?

 > I am fine adding additional code on our side for interacting with
 NoScript to get that property if that helps you and other users of
 NoScript who where complaining.

 I'd actually like to at least have a sure-fire mean to tell whether we're
 running in the Tor Browser or not, in order to enforce special cases which
 are important for Tor users without affecting the general population.

 > (FWIW: the .xpi on AMO does not have an "an" anymore indicating it works
 on Android, is that intentional? Diffing 10.2.0 and 10.2.1 I think 10.2.1
 should still do its job on Android, too, or am I overlooking something?)

 No it was not intentional, it's just the AMO submission processwhich
 doesn't default to both platforms being checked anymore, making mistakes
 like this easier for stable releases, whose submissions cannot be
 automated :(

 Thanks for noticing it!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28873#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list