[tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jun 1 18:27:12 UTC 2020
#29957: clicking on "click to play" media leaks URLs via NoScript on-disk
preferences
-------------------------------------------------+-------------------------
Reporter: catalyst | Owner: tbb-
| team
Type: defect | Status:
| needs_information
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-disk-leak, tbb-newnym, noscript | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by ma1):
Just to be clear, 11.0.27 in PBM tabs/windows does the following:
1. Disables any contextual widget (in tab-originated the popups) leading
to give permanent permissions (and therefore URLs to persisted on the
disk): therefore you can only set Temp. TRUSTED or Temp. CUSTOM (neither
TRUSTED, UNTRUSTED or permanent CUSTOM) unless that was the setting when
the UI popup has been opened
2. When unblocking a media element, the permission is always marked as
temporary and never persisted to the disk.
Of course you can still turn the temporary permissions to permanent from
the "Per-site preferences" options panel, if you really want to.
I'm not sure whether 1 is too strict for people who intentionally checked
"override Tor Browser security policies", since this would erase any
permission customization on browser restarts (as all Tor Browser windows
are incognito, right?), but it seemed a transparent middle-way to help
them not to shoot themselves in the foot. What do you think?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29957#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list