[tbb-bugs] #32786 [Applications/Tor Browser]: NoScript policies don't work with default page set to about:blank

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Dec 17 17:57:23 UTC 2019 

#32786: NoScript policies don't work with default page set to about:blank
-------------------------------+------------------------------------------
 Reporter:  pf.team            |          Owner:  tbb-team
     Type:  defect             |         Status:  new
 Priority:  High               |      Component:  Applications/Tor Browser
  Version:                     |       Severity:  Normal
 Keywords:  NoScript prefs.js  |  Actual Points:
Parent ID:                     |         Points:
 Reviewer:                     |        Sponsor:
-------------------------------+------------------------------------------
 Issue similar to #32429, but arises under more narrow conditions - such as
 when you manually edit settings via prefs.js using automated configuration
 tools.

 How to reproduce the bug:

 1. Unpack Tor Browser, start it for the first time, exit.
 2. Edit the following parameters via prefs.js:
   * browser.startup.homepage = "about:blank"
   * extensions.torbutton.security_slider = 1
 3. Launch TB again, set Security Level to Safest, which is supposed to
 block JS everywhere.
 4. Load the test page and see for yourself that JS is not blocked:
 http://mysecret7rirx6ip.onion/test-js.html http://mysecretvrujzo2k.onion
 /test-js.html

 If the security settings are changed to Low, and then back to Safest, the
 bug will disappear and JS will be blocked everywhere by default.

 Causes of this bug:

 The "key-policy" setting in NoScript (found in
 Browser/TorBrowser/Data/Browser/profile.default/storage-sync.sqlite) has
 the following value by default:

 {"id":"key-
 policy","key":"policy","data":{"DEFAULT":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"TRUSTED":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"UNTRUSTED":{"capabilities":["font","frame","media"],"temp":false},"sites":{"trusted":[],"untrusted":[],"custom":{}},"enforced":true,"autoAllowTop":false},"_status":"created"}

 This allows all content by default:
 "DEFAULT":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"]

 This setting is not set to the value corresponding to the Safest security
 level ("DEFAULT":{"capabilities":["frame","other"]) when the add-on is
 initialized on browser launch, even if this level is set in  prefs.js.

 This issue misleads users who utilise automated configuration systems to
 configure their Tor Browser instances. It was not present in versions 8.*
 and 9.0.0.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32786>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list