[tor-bugs] #30388 [Applications/Tor Browser]: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 6 18:15:27 UTC 2019


#30388: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:
                                                 |  needs_review
 Priority:  Immediate                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Blocker                              |     Resolution:
 Keywords:  AffectsTails, TorBrowserTeam201905R  |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by torlove):

 So glad that I still have old Orfox installed right now. NoScript still
 works in Orfox, it must've been "baked in", yes?

 Cypherpunks, yes. I considered simply disabling JS but the other things
 NoScript does, including protecting against XSS made me rethink that.
 Fingerprinting included.

 Yes, can somone please do a commit to show a warning about
 xpinstall.signatures.required set to false on startup?

 (SOLUTION THAT WON'T WORK: I did some research at Mozilla, mostly to
 determine the scale of the problem. Its pretty bad. Especially for users
 who depend on password management addons. One (bad?) idea someone
 suggested was to turn the clock back. I'm quite certain that this is not
 an option for Tor users for good reason, Tor complains about an out of
 sync clock at startup and will not even connect to the Tor network, let
 along a website. Also SSL requires clocks to be relatively in-sync, if my
 understanding/memory is correct.)

 Once the commit is made please tell us to allay concerns about future
 security.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30388#comment:49>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list