[tor-bugs] #26128 [Applications/Tor Browser]: Make security slider work with NoScript for ESR60

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jun 7 06:25:51 UTC 2018


#26128: Make security slider work with NoScript for ESR60
---------------------------------------------+-----------------------------
 Reporter:  arthuredelstein                  |          Owner:  tbb-team
     Type:  defect                           |         Status:
                                             |  needs_review
 Priority:  Very High                        |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  ff60-esr, TorBrowserTeam201806R  |  Actual Points:
Parent ID:                                   |         Points:
 Reviewer:                                   |        Sponsor:
---------------------------------------------+-----------------------------
Changes (by arthuredelstein):

 * keywords:  ff60-esr, TorBrowserTeam201805 => ff60-esr,
     TorBrowserTeam201806R
 * status:  new => needs_review


Comment:

 Here's a patch for torbutton that talks to the WebExtensions version of
 NoScript:

 https://github.com/arthuredelstein/torbutton/commit/26128
 (7656b587d13aa6b0f90f0149d884aafa1cc65570)

 This patch uses three tricks:
  1. Using a LegacyExtensionContext (defined in
 [https://dxr.mozilla.org/mozilla-esr60/source/toolkit/components/extensions/LegacyExtensionsUtils.jsm LegacyExtensionsUtils.jsm])
 to send JSON objects to NoScript via `sendMessage`.
  2. Taking advantage of an existing invocation of
 `browser.runtime.onMessage.addListener(...)` in NoScript's code that
 accepts a JSON object for updating NoScript's settings.
  3. Providing NoScript with settings for a "site" whose "domain" is
 "http:", which causes NoScript to match non-https sites.

 We may decide to tweak the capabilities for each security slider level; I
 tried to make them as close to the previous behavior as possible, but not
 sure if they're exactly as we want.

 One problem I ran into is that, even if I set NoScript 10.1.8.2 to allow only
 "script" and "fetch" content while disallowing "object", "media", "frame",
 "font", "webgl", and "other", I can still watch videos on YouTube. So I
 think this is a NoScript bug rather than a problem with this patch.

 (Thanks to Sukhbir for help with this!)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26128#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
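
The second and third tricks in the comment above, modelled as an added example (not code from the torbutton patch or from NoScript): a settings object with an "http:" site entry, a receiver that validates the JSON before adopting it, and a lookup showing that the entry covers every non-HTTPS URL. The message shape, function names, sample capability sets and the precedence rule are assumptions; only the capability names come from the comment.

```javascript
// Simplified model, not NoScript's code or its real settings schema (assumption).
const CAPS = ["script", "fetch", "object", "media", "frame", "font", "webgl", "other"];

// Constructed policy for one hypothetical slider level: everything allowed by
// default, but plain-HTTP pages lose active content via the "http:" site entry.
const SAMPLE_MESSAGE = {
  policy: {
    default: CAPS,
    sites: { "http:": ["frame", "font", "other"] },
  },
};

// Receiving side: validate the JSON before adopting it as the active policy.
function applySettings(message) {
  const { default: dflt, sites } = message.policy;
  for (const caps of [dflt, ...Object.values(sites)]) {
    const bad = caps.filter((c) => !CAPS.includes(c));
    if (bad.length) throw new Error("unknown capability: " + bad.join(","));
  }
  const siteMap = new Map(Object.entries(sites).map(([k, v]) => [k, new Set(v)]));
  return { default: new Set(dflt), sites: siteMap };
}

// A key ending in ":" is compared with the URL scheme; any other key is
// treated as a domain and matches that host and its subdomains.
function siteKeyMatches(key, url) {
  const { protocol, hostname } = new URL(url);
  if (key.endsWith(":")) return protocol === key;
  return hostname === key || hostname.endsWith("." + key);
}

// In this model domain entries take precedence over scheme entries;
// URLs matching no entry fall back to the default capability set.
function capabilitiesFor(policy, url) {
  const keys = [...policy.sites.keys()].filter((k) => siteKeyMatches(k, url));
  const domainKey = keys.find((k) => !k.endsWith(":"));
  const key = domainKey ?? keys[0];
  return key === undefined ? policy.default : policy.sites.get(key);
}

function isAllowed(policy, url, capability) {
  return capabilitiesFor(policy, url).has(capability);
}
```

A check of this kind, run per slider level against both an `http://` and an `https://` URL, is also a quick way to confirm that the capability sets chosen for each level behave as intended.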

