[tor-bugs] #27589 [- Select a component]: "Javascript is disabled on non-HTTPS sites" from security slider has regressed in TBB 8 / NoScript 10

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Sep 9 08:40:39 UTC 2018


#27589: "Javascript is disabled on non-HTTPS sites" from security slider has
regressed in TBB 8 / NoScript 10
--------------------------------------+---------------------------------
     Reporter:  cypherpunks_reply     |      Owner:  (none)
         Type:  enhancement           |     Status:  new
     Priority:  Medium                |  Milestone:
    Component:  - Select a component  |    Version:
     Severity:  Normal                |   Keywords:  noscript regression
Actual Points:                        |  Parent ID:
       Points:                        |   Reviewer:
      Sponsor:                        |
--------------------------------------+---------------------------------
 Formerly this feature was accomplished by a NoScript setting that allowed
 scripts on HTTPS sites.  Allowing scripts on an HTTP site through the
 NoScript button only allowed them for that particular site.

 Now, this feature relies on a per-site permission in NoScript that applies
 the Untrusted rules to the special "http://http:" site.  Allowing a single
 HTTP site to run scripts requires applying the Default or Trusted rules to
 the "http://http:" site in the NoScript button UI.  This has the undesired
 effect of granting these permissions to all HTTP sites for the browsing
 session.

 Furthermore, changing a per-site permission to default deletes it from the
 per-site permissions list in NoScript settings.  Users cannot restore the
 setting manually because "http://http:" is not accepted by the settings UI
 as a valid input.  To stop allowing scripts on subsequent visits to HTTP
 sites they must toggle the security slider settings, or import a settings
 backup to NoScript, or restart the browser.

 If the above were fixed, and each HTTP site was given its own per-site
 permission, there is an additional problem.  There is no "Temp. Default"
 option, only "Temp. Trusted," but only the default rules are required to
 allow script execution.  This makes it tempting to give HTTP sites Temp.
 Trusted permissions so that the Revoke Temporary Permissions button will
 apply to them.  At present, restarting the browser will reset all per-site
 permissions, but this may be changed (see #27175).  If per-site
 permissions are saved, users will be forced to choose between granting
 temporary but excessive permissions and risking storing a record of their
 browsing history.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27589>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

