[tbb-bugs] #32429 [Applications/Tor Browser]: Issues with about:blank and NoScript on .onion sites
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Nov 8 08:18:22 UTC 2019
#32429: Issues with about:blank and NoScript on .onion sites
--------------------------------+------------------------------------------
Reporter: pf.team | Owner: tbb-team
Type: defect | Status: new
Priority: High | Component: Applications/Tor Browser
Version: | Severity: Major
Keywords: about:blank | Actual Points:
noscript |
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------+------------------------------------------
Tor Browser: 9.0.1 (based on Mozilla Firefox 68.2.0esr) (64-bit) (Linux)
NoScript displays the following weird behavior on *.onion sites when the
home page is changed from its default "about:tor" to "about:blank":
* Impossible to forbid scripts on the Standard security level
* Impossible to allow scripts on the Safest security level by setting
TRUSTED/Temp. or TRUSTED/Custom. Scripts can only be enabled by disabling
restrictions for this tab or disabling restrictions globally.
The first issue misleads the user about actual security settings, the
second breaks functionality on sites.
We suspect that other functions or extensions of the browser may be broken
when "about:tor" is replaced with "about:blank" as the default home page.
These issues do not affect clearnet sites and local files. They are also
absent if the default home page is changed to some URL or any other
special page like "about:logo" or "about:library".
These issues were absent in versions 8.5.* and 9.0
How to reproduce:
# Preferences => Home => Homepage and new windows => Blank Page
# Open one of these URL to demonstrate:
** http://mysecret7rirx6ip.onion/test-js.html
** http://mysecretvrujzo2k.onion/test-js.html
# Restart browser
# Try to disallow scripts on Standard or allow on Safest
Example HTML/JS code:
<pre>
<html lang="en">
<head>
<title>Tor Browser 9.0.1 NoScript bug demonstration</title>
<meta name="description" content="Tor Browser 9.0.1 NoScript bug demonstration" />
</head>
<body>
<div id="center-link">
<script>document.write("<span style='color:red; font-weight: bold'>Java Script works</span>")</script>
<noscript><span style='color:green'>Java Script doesn't work</span></noscript>
</div>
</body>
</html>
</pre>
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32429>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online