[tor-bugs] #27553 [Applications/Tor Browser]: Tor Browser 8 enables JS in local files even when JS is disabled by default

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 7 20:01:18 UTC 2018


#27553: Tor Browser 8 enables JS in local files even when JS is disabled by default
-----------------------------------------+------------------------------------------
     Reporter:  pf.team                  |      Owner:  tbb-team
         Type:  defect                   |     Status:  new
     Priority:  High                     |  Milestone:
    Component:  Applications/Tor Browser |    Version:
     Severity:  Major                    |   Keywords:  ff60-esr noscript javascript
Actual Points:                           |  Parent ID:
       Points:                           |   Reviewer:
      Sponsor:                           |
-----------------------------------------+------------------------------------------
 Tor Browser 8.0 enables JS when opening local files, even when JavaScript
 is disabled by default. For example, the following test file:

 <html>
 <head>
 <title>Page with JS</title>
 </head>
 <body>
 <script>window.alert("JS enabled")</script>
 </body>
 </html>

 would not display the message in version 7.5 or older, when NoScript is
 set to "disable scripts globally", but in 8.0 the script will run and
 display the message. The only way to avoid this behavior seems to be
 setting javascript.enabled = false in about:config, but this disables
 JavaScript entirely.

 This potentially allows tracking users who saved some web pages with
 tracking JS code to review locally later on, and then opened them in TB,
 thinking that, since they set JS to be disabled by default in their
 browser, this will also hold true for any local files. Especially
 considering the fact that this is how it used to work until now.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27553>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
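
One way to check a saved page for script before opening it from disk, given the behaviour reported above. This is an added example, not part of the original ticket or of Tor Browser; the sample page, the `tracker.example` URL and the function and class names are constructed for illustration.

```python
import sys
from html.parser import HTMLParser

# Constructed sample: the ticket's test page plus a remote script and an
# inline event handler, as a saved web page might contain.
SAMPLE = """<html>
<head>
<title>Page with JS</title>
<script src="https://tracker.example/t.js"></script>
</head>
<body onload="ping()">
<script>window.alert("JS enabled")</script>
</body>
</html>"""


class ScriptFinder(HTMLParser):
    """Collects (line, kind, detail) for markup that can run script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = [(k, v or "") for k, v in attrs]
        if tag == "script":
            src = dict(attrs).get("src")
            kind = "external-script" if src else "inline-script"
            self.findings.append((line, kind, src or ""))
        for name, value in attrs:
            if name.startswith("on"):  # onload, onclick, ...
                self.findings.append((line, "event-handler", name))
            elif value.strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript-url", name))


def find_active_content(html_text):
    """Return findings in document order; an empty list means none found."""
    finder = ScriptFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # Scan the file named on the command line, or the constructed sample.
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE)
    for line, kind, detail in find_active_content(text):
        print(f"line {line}: {kind} {detail}")
```

An empty result only means this parser saw no script-bearing markup; it does not replace a browser-level setting such as the `javascript.enabled` preference mentioned in the ticket.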

