[tbb-bugs] #27651 [Applications/Tor Browser]: Behaviour of NoScript varies in "privileged" sites
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Sep 13 11:18:37 UTC 2018
#27651: Behaviour of NoScript varies in "privileged" sites
--------------------------------------+-----------------------------------
Reporter: cypherpunks3 | Owner: tbb-team
Type: defect | Status: needs_information
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Comment (by cypherpunks3):
Replying to [comment:1 gk]:
> No, we don't ship a custom NoScript. In which way does NoScript's
behavior vary for restricted (not privileged) domains? What is the bug
here?
Currently there seem to be 2 places where this affects NS behaviour. The
most interesting is in popup.js:
{{{
await include("/lib/restricted.js");
let isRestricted = isRestrictedURL(tab.url);
if (!isHttp || isRestricted) {
showMessage("warning", _("privilegedPage"));
let tempTrust = document.getElementById("temp-trust-page");
tempTrust.disabled = true;
return;
}
}}}
> restricted (not privileged) domains
Huh? Perhaps you meant "not privileged from the point of view of TB", but
surely you can see the point here: even if TB doesn't consider them
privileged, NS is still behaving as if running on Firefox, and doesn't ask
the browser it simply looks up in a list of hardcoded domains. So maybe
now the variance is not very troubling, but what about tomorrow?
Also calling the domain "restricted" instead of privileged is exactly
backwards, is not the site that is restricted, but NoScript!
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27651#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list