[tor-bugs] #27313 [Applications/Tor Browser]: Help NoScript marking HTTP .onions as secure

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 9 14:36:31 UTC 2019


#27313: Help NoScript marking HTTP .onions as secure
--------------------------------------+---------------------------
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  noscript                  |  Actual Points:
Parent ID:  #21728                    |         Points:
 Reviewer:                            |        Sponsor:  Sponsor27
--------------------------------------+---------------------------

Comment (by gk):

 Replying to [comment:7 ma1]:
 > Replying to [comment:6 gk]:
 >
 > > Thanks, that's better. There is still the scary http: in red which
 > > should not be relevant for .onions either.
 >
 > If you mean the lonesome "http:" entry which is displayed on any
 > http://acme.com page at your "Safer" security level, don't you think I
 > should just hide it for any website (in the popup at least, if not
 > NoScript's Options page)? After all, rather than downgrading the whole
 > security level from the popup menu by setting "http:" to DEFAULT or
 > TRUSTED, we want the user to interact with the security slider, don't we?

 Yeah, I meant that and hiding that lonesome "http:" sounds good.

 > > Additionally, the expectation here is that onions over http:// on
 > > medium level security can actually run JavaScript etc. because http:// is
 > > secure for .onion domains. They should get treated as loaded over https://.
 > > Could you address those two items for Tor Browser users? (I am fine
 > > opening a new bug for the latter if you like)
 >
 > Yes, please. On ticket #27307 someone stated that was not the goal.

 Actually, we already have a ticket for that: #21004.

 > > 1) After installing it in the browser I needed to click twice on the
 > > NoScript icon until the page related info showed up. On first click only a
 > > small empty menu was visible.
 > > 2) After restarting the browser it takes like 5-10 seconds until the
 > > NoScript icon gets clickable at all and CPU of my laptop gets eaten
 > > meanwhile. There is something computationally heavy going on in the
 > > background here...
 >
 > The two are likely related. Did you have many tabs opened when
 > installing?

 I did not. Let me retest and get back to you with steps to reproduce.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27313#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
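
The expectation discussed in this ticket (http:// .onion pages treated as if loaded over https://) comes down to a transport check on the parsed hostname. The sketch below is an added example, not NoScript or Tor Browser code; the function names and sample URLs are hypothetical and constructed for illustration.

```javascript
// Added illustration; not NoScript or Tor Browser code. All names are hypothetical.
// Decides whether a page URL should get the same treatment as an https:// page,
// following the ticket's expectation that http:// .onion sites count as secure.

// Hostname as parsed by the URL parser (already lowercased), minus a trailing root dot.
function normalizedHost(url) {
  return url.hostname.replace(/\.$/, "");
}

// True only when the final label of the *parsed* hostname is "onion".
// Matching on the raw string instead would accept userinfo or query-string lookalikes.
function isOnionHost(url) {
  const labels = normalizedHost(url).split(".");
  return labels.length >= 2 && labels[labels.length - 1] === "onion";
}

// Classify a URL string as "secure", "insecure" or "invalid".
function classifyTransport(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return "invalid";
  }
  if (url.protocol === "https:") return "secure";
  if (url.protocol === "http:" && isOnionHost(url)) return "secure";
  return "insecure";
}

// Constructed sample inputs covering the lookalike cases a suffix check must reject.
const samples = [
  "https://acme.com/",
  "http://acme.com/",
  "http://exampleservice.onion/",
  "http://EXAMPLESERVICE.ONION./",
  "http://exampleservice.onion.acme.com/",  // .onion is not the final label
  "http://exampleservice.onion@acme.com/",  // .onion is userinfo, host is acme.com
  "http://acme.com/?next=http://exampleservice.onion/",
  "http://onion/",                          // bare label, not an onion service name
];

function classifyAll(list) {
  return list.map((u) => [u, classifyTransport(u)]);
}

for (const [u, verdict] of classifyAll(samples)) console.log(verdict.padEnd(9), u);
```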

