[tbb-bugs] #32492 [Applications/Tor Browser]: Unexpected NoScript behavior when security level is pinned using user.js
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Nov 14 10:16:30 UTC 2019
#32492: Unexpected NoScript behavior when security level is pinned using user.js
--------------------+------------------------------------------
Reporter: kj | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Component: Applications/Tor Browser
Version: | Severity: Normal
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------+------------------------------------------

If a Tor Browser user attempts to pin the security level using
{{{user.js}}} (see below), Tor Browser will launch with the pinned
security level, but NoScript will not respect that choice and instead
retain its previous behavior. For example, if the user attempts to pin the
security level to "Safest" using {{{user.js}}}, closes Tor Browser with
the security level set to "Safer" and then re-launches Tor Browser,
NoScript will behave as though the security setting is "Safer", blocking
non-HTTPS JavaScript but allowing HTTPS JavaScript to run.

This behavior is potentially dangerous because the user will believe all
Tor Browser security features will follow the user's pinned choice and the
user will see the shield icon appearance according to their chosen pinned
security level, but NoScript may behave differently. For example, NoScript
may run JavaScript without the user's knowledge if the user pins the
security level to "Safest".

Reproduced in:
- Tor Browser 9.0 and 9.0.1 (the first affected version is unknown)
- NoScript 11.0.8 (the first affected version is unknown)
- Debian 9 (stretch)

How to reproduce:
- {{{user.js}}} allows pinning of Tor Browser (Firefox) parameters upon
launch.
1. Create {{{user.js}}} in:
{{{<tor-browser-top>/Browser/TorBrowser/Data/Browser/profile.default/}}}
2. Pin the security level to "Safest". Add the line:
{{{user_pref("extensions.torbutton.security_slider", 1);}}}
3. Launch Tor Browser, change the security level from "Safest" to
something different, then close Tor Browser.
4. Launch Tor Browser again, and confirm the security level is set to
"Safest".
5. Access a website that requires JavaScript to work properly.
6. Confirm whether or not JavaScript is running.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32492>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
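
Added example (not part of the ticket and not Tor Project code): a check for the state the reproduction steps create, run against a closed profile. It assumes standard Firefox behaviour, namely that prefs.js holds the value saved when the browser last exited and user.js overrides it at the next launch; the function names are hypothetical, and NoScript's own stored state is not inspected.

```python
import re
from pathlib import Path

PREF = "extensions.torbutton.security_slider"  # pref name taken from the ticket
# One user_pref("name", value); line as written in user.js / prefs.js.
# Commented-out lines start with // and therefore never match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_prefs(text):
    """Return {name: raw value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def check_pin(user_js, prefs_js):
    """Classify a closed profile from the text of its user.js and prefs.js."""
    pinned = read_prefs(user_js).get(PREF)
    if pinned is None:
        return "not-pinned"        # user.js does not set the security level
    saved = read_prefs(prefs_js).get(PREF)
    if saved is None:
        return "no-saved-value"    # nothing recorded for the last session
    # "mismatch": the level saved at last exit differs from the pin, which is
    # the situation after step 3 of the ticket (level changed, browser closed).
    return "consistent" if saved == pinned else "mismatch"

def check_profile(profile_dir):
    """Read user.js and prefs.js from a profile directory and classify it."""
    def load(name):
        p = Path(profile_dir) / name
        return p.read_text(encoding="utf-8", errors="replace") if p.exists() else ""
    return check_pin(load("user.js"), load("prefs.js"))

# Constructed sample input: the user.js line is the one from step 2; the
# prefs.js line is a made-up value standing in for a different saved level.
SAMPLE_USER_JS = 'user_pref("extensions.torbutton.security_slider", 1);\n'
SAMPLE_PREFS_JS = ('// Mozilla User Preferences\n'
                   'user_pref("extensions.torbutton.security_slider", 2);\n')

if __name__ == "__main__":
    print(check_pin(SAMPLE_USER_JS, SAMPLE_PREFS_JS))
```

A "mismatch" result only says the pinned level and the last saved level differ; whether JavaScript actually runs still has to be confirmed in the browser as in steps 5 and 6.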