[tbb-bugs] #15225 [Tor Browser]: Investigate why Atlas does not work with the medium-high security slider setting
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Mar 11 14:49:16 UTC 2015
#15225: Investigate why Atlas does not work with the medium-high security slider
setting
-----------------------------+-------------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: needs_information
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords:
Actual Points: | Parent ID: #9387
Points: |
-----------------------------+-------------------------------
Changes (by gk):
* cc: ma1 (added)
* status: new => needs_information
Comment:
Yeah, I saw that (re comment 1) and yes, it is still an issue. But the IE
snippet does not get loaded in Tor Browser at all as far as I can see. The
issue is a NoScript one. Here is what happens:
Consider https://atlas.torproject.org/#search/DFRIpi.
Looking at NoScript's isJSEnabled() all scripts for atlas.torproject.org
get loaded. But then onionoo.torproject.org gets called to check for the
DFRIpi relays. We have a window for it and `enabled` gets set to `true`
due to the globalHTTPSWhitelist option. `topSite` is still
`https://atlas.torproject.org`. Thus, we need to do another check
{{{
enabled = this.isJSEnabled(topSite);
}}}
and this returns `false` as there is no window for
https://atlas.torproject.org we pass anymore. Thus, scripts loaded from
https://onionoo.torproject.org are blocked despite the site that is
responsible for the call and the script is self is HTTPS-enabled.
Giorgio, does anything speak against passing the window to
`isJSEnabled()`? (Might be needed in the iframe case, too? I have not
checked that yet)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15225#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list