[tor-bugs] #27427 [Applications/Tor Browser]: [PATCH] Fix NoScript IPC for about:blank by whitelisting messages

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Sep 12 09:16:32 UTC 2018 

#27427: [PATCH] Fix NoScript IPC for about:blank by whitelisting messages
-------------------------------------------------+-------------------------
 Reporter:  rustybird                            |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  TorBrowserTeam201809R,               |  Actual Points:
  tbb-8.0.1-can                                  |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by rustybird):

 > Thanks, I have always used about:blank. But what exactly is the failure
 mode here? Torbutton failing to re-configure NoScript?

 Yup. On browser startup with `about:blank`, Torbutton's intended
 JavaScript configuration is not transmitted to NoScript, and Tor Browser
 logs a "Could not establish connection. Receiving end does not exist"
 error in the Browser Console and also in the terminal if it's running with
 `--verbose`. (This is most noticable on first start of a freshly installed
 browser, when the Torbutton defaults and the NoScript defaults are very
 different. Once you manually change the security slider position and
 confirm, both of their settings sync up, and then NoScript will save them
 to disk and the problem should sort of disappear. That is, unless a system
 crash or something causes a new desynchronization.)

 Interestingly, this bug recently triggered for me //once// with with
 `data:,`. I'm running [https://github.com/rustybird/qubes-split-browser a
 setup] where Tor Browser is started "freshly installed" dozens of times a
 day, so I figure that using `data:,` instead of `about:blank` just makes
 the race much less likely to be "won" by the bug, but not impossible.
 Which could mean that it occasionally affects real websites as well.
 Hopefully, the patch fixes all of those cases.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27427#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list