[tor-bugs] #32492 [Applications/Tor Browser]: Unexpected NoScript behavior when security level is pinned using user.js

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 14 10:16:30 UTC 2019


#32492: Unexpected NoScript behavior when security level is pinned using user.js
--------------------+------------------------------------------
 Reporter:  kj      |          Owner:  tbb-team
     Type:  defect  |         Status:  new
 Priority:  Medium  |      Component:  Applications/Tor Browser
  Version:          |       Severity:  Normal
 Keywords:          |  Actual Points:
Parent ID:          |         Points:
 Reviewer:          |        Sponsor:
--------------------+------------------------------------------
 If a Tor Browser user attempts to pin the security level using
 {{{user.js}}} (see below), Tor Browser will launch with the pinned
 security level, but NoScript will not respect that choice and instead
 retain its previous behavior. For example, if the user attempts to pin the
 security level to "Safest" using {{{user.js}}}, closes Tor Browser with
 the security level set to "Safer" and then re-launches Tor Browser,
 NoScript will behave as though the security setting is "Safer", blocking
 non-HTTPS JavaScript but allowing HTTPS JavaScript to run.

 This behavior is potentially dangerous because the user will believe all
 Tor Browser security features will follow the user's pinned choice and the
 user will see the shield icon appearance according to their chosen pinned
 security level, but NoScript may behave differently. For example, NoScript
 may run JavaScript without the user's knowledge if the user pins the
 security level to "Safest".

 Reproduced in:
 - Tor Browser 9.0 and 9.0.1 (the first affected version is unknown)
 - NoScript 11.0.8 (the first affected version is unknown)
 - Debian 9 (stretch)

 How to reproduce:
 - {{{user.js}}} allows pinning of Tor Browser (Firefox) parameters upon
 launch.
 1. Create {{{user.js}}} in:
 {{{<tor-browser-top>/Browser/TorBrowser/Data/Browser/profile.default/}}}
 2. Pin the security level to "Safest". Add the line:
 {{{user_pref("extensions.torbutton.security_slider", 1);}}}
 3. Launch Tor Browser, change the security level from "Safest" to
 something different, then close Tor Browser.
 4. Launch Tor Browser again, and confirm the security level is set to
 "Safest".
 5. Access a website that requires JavaScript to work properly.
 6. Confirm whether or not JavaScript is running.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32492>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
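
Added example, not part of the original ticket or of Tor Browser's code: a pre-launch check that parses {{{user.js}}} and {{{prefs.js}}} in the profile directory and reports whether the pinned {{{extensions.torbutton.security_slider}}} value differs from the one the previous session saved, which is the situation in which the ticket reports NoScript keeping its earlier behavior. Assumptions: {{{prefs.js}}} sits beside {{{user.js}}} and uses the same {{{user_pref()}}} syntax; the function names, state strings and sample values are constructed for illustration.

```python
import re
from pathlib import Path

PREF = "extensions.torbutton.security_slider"  # pref name taken from the ticket
# Matches: user_pref("name", value);  (lines starting with // do not match)
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def read_prefs(text):
    """Parse user_pref() lines into {name: raw_value}; the last occurrence wins."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* ... */ comments
    return {name: value for name, value in PREF_LINE.findall(text)}

def pin_state(user_js, prefs_js):
    """Compare the pinned level with the one saved by the previous session."""
    pinned = read_prefs(user_js).get(PREF)
    saved = read_prefs(prefs_js).get(PREF)
    if pinned is None:
        return "not-pinned"
    if pinned == saved:
        return "in-sync"
    # Assumption: an absent prefs.js entry means the last session ended on the
    # default level; it is treated here as differing from the pin.
    return "pinned-differs-from-last-session"

def check_profile(profile_dir):
    """Run the comparison on a real profile directory (before launching)."""
    def load(name):
        path = Path(profile_dir) / name
        if not path.is_file():
            return ""
        return path.read_text(encoding="utf-8", errors="replace")
    return pin_state(load("user.js"), load("prefs.js"))

# Constructed sample input, not taken from a real profile. The value 1 is the
# "Safest" pin from the ticket; 2 is simply a different saved value.
SAMPLE_USER_JS = '// pin the level\nuser_pref("extensions.torbutton.security_slider", 1);\n'
SAMPLE_PREFS_JS = 'user_pref("extensions.torbutton.security_slider", 2);\n'

if __name__ == "__main__":
    print(pin_state(SAMPLE_USER_JS, SAMPLE_PREFS_JS))
```

A result of {{{pinned-differs-from-last-session}}} means the profile is in the state described in the reproduction steps, so JavaScript behavior should be verified by hand after launch rather than inferred from the shield icon.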

