[tor-bugs] #32429 [Applications/Tor Browser]: Issues with about:blank and NoScript on .onion sites

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Nov 8 12:54:22 UTC 2019


#32429: Issues with about:blank and NoScript on .onion sites
--------------------------------------+--------------------------
 Reporter:  pf.team                   |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:  about:blank noscript      |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Old description:

> Tor Browser: 9.0.1 (based on Mozilla Firefox 68.2.0esr) (64-bit) (Linux)
>
> NoScript displays the following weird behavior on *.onion sites when the
> home page is changed from its default "about:tor" to "about:blank":
>
> * Impossible to forbid scripts on the Standard security level
> * Impossible to allow scripts on the Safest security level by setting
> TRUSTED/Temp. or TRUSTED/Custom. Scripts can only be enabled by disabling
> restrictions for this tab or disabling restrictions globally.
>
> The first issue misleads the user about actual security settings, the
> second breaks functionality on sites.
> We suspect that other functions or extensions of the browser may be
> broken when "about:tor" is replaced with "about:blank" as the default
> home page.
>
> These issues do not affect clearnet sites and local files. They are also
> absent if the default home page is changed do some URL or any other
> special page like "about:logo" or "about:library".
>
> These issues were absent in versions 8.5.* and 9.0
>
> How to reproduce:
>
> # Preferences => Home => Homepage and new windows => Blank Page
> # Open one of these URL to demonstrate:
> ** http://mysecret7rirx6ip.onion/test-js.html
> ** http://mysecretvrujzo2k.onion/test-js.html
> # Restart browser
> # Try to disallow scripts Standard or allow on Safest
>
> Example HTML/JS code:
>
> <pre>
> <html lang="en">
>     <head>
>         <title>Tor Browser 9.0.1 NoScript bug demonstration</title>
>         <meta name="description" content="Tor Browser 9.0.1 NoScript bug
> demonstration" />
>     </head>
>     <body>
>         <div id="center-link">
>             <script>document.write("<span style='color:red; font-weight:
> bold'>Java Script works</span>")</script>
>             <noscript><span style='color:green'>Java Script doesn't
> work</span></noscript>
>         </div>
>     </body>
> </html>
> </pre>

New description:

 Tor Browser: 9.0.1 (based on Mozilla Firefox 68.2.0esr) (64-bit) (Linux)

 NoScript displays the following weird behavior on *.onion sites when the
 home page is changed from its default "about:tor" to "about:blank":

 * Impossible to forbid scripts on the Standard security level
 * Impossible to allow scripts on the Safest security level by setting
 TRUSTED/Temp. or TRUSTED/Custom. Scripts can only be enabled by disabling
 restrictions for this tab or disabling restrictions globally.

 The first issue misleads the user about actual security settings, the
 second breaks functionality on sites.
 We suspect that other functions or extensions of the browser may be broken
 when "about:tor" is replaced with "about:blank" as the default home page.

 These issues do not affect clearnet sites and local files. They are also
 absent if the default home page is changed do some URL or any other
 special page like "about:logo" or "about:library".

 These issues were absent in versions 8.5.* and 9.0

 How to reproduce:

 # Preferences => Home => Homepage and new windows => Blank Page
 # Restart browser
 # Open one of these URL to demonstrate:
   * http://mysecret7rirx6ip.onion/test-js.html
   * http://mysecretvrujzo2k.onion/test-js.html
 # Try to disallow scripts Standard or allow on Safest

 Example HTML/JS code:

 {{{
 <pre>
 <html lang="en">
     <head>
         <title>Tor Browser 9.0.1 NoScript bug demonstration</title>
         <meta name="description" content="Tor Browser 9.0.1 NoScript bug
 demonstration" />
     </head>
     <body>
         <div id="center-link">
             <script>document.write("<span style='color:red; font-weight:
 bold'>Java Script works</span>")</script>
             <noscript><span style='color:green'>Java Script doesn't
 work</span></noscript>
         </div>
     </body>
 </html>
 </pre>
 }}}

--

Comment (by Thorin):

 > Sorry, the "Restart browser" step must be before the demonstration step

 I edited it for you

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32429#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list