[tbb-bugs] #30388 [Applications/Tor Browser]: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun May 5 22:53:55 UTC 2019
#30388: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |  Owner:  tbb-team
     Type:  task                                 |  Status:  needs_review
 Priority:  Immediate                            |  Milestone:
Component:  Applications/Tor Browser             |  Version:
 Severity:  Blocker                              |  Resolution:
 Keywords:  AffectsTails, TorBrowserTeam201905R  |  Actual Points:
Parent ID:                                       |  Points:
 Reviewer:                                       |  Sponsor:
-------------------------------------------------+-------------------------
Comment (by cypherpunks):

With apologies for the bugspam when devs are trying to ship an emergency
fix - users really need a better workaround than disabling signature
checks on add-ons, but also not to fall for security confusion!

Replying to [comment:34 doomeinow]:
> While toggling JavaScript to false with about:config disables
> JavaScript, things like HTML5 are still enabled, which means things like
> processor "speculative execution" vulnerabilities still exist (Meltdown,
> Foreshadow, Spectre).

IIUC, all known speculative execution vulnerabilities require JavaScript.
Perhaps you may be confused because JavaScript is loosely included in the
marketspeak branding-term "HTML5".

Anyway, as its name suggests, what NoScript does is mostly to disable or
filter JavaScript. Setting `javascript.enabled` to `false` should provide
a strict superset of the same functionality, ''except that'' (as I noted
above) NoScript may also disable some other potentially high-risk features
such as web fonts or audio/video media. Disabling JavaScript will indeed
disable all the worst attack surfaces; anything else seems comparatively
lower risk, in my opinion. In today's browsers, even HTML/CSS are not
risk-free.

I think that raising the Security Slider disables ''some'' dangerous
features by directly changing the config, but I am not sure; on the other
hand, I think that it does rely on NoScript to disable fonts and media
(again, not sure).

Information from Tor Browser developers would be helpful.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30388#comment:36>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online