[tbb-bugs] #34305 [Applications/Tor Browser]: NoScript inconsistent behaviour in Firefox 77 (currently beta)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon May 25 15:27:47 UTC 2020
#34305: NoScript inconsistent behaviour in Firefox 77 (currently beta)
------------------------------------------+----------------------
Reporter: acat                            | Owner: tbb-team
Type: defect                              | Status: new
Priority: Medium                          | Milestone:
Component: Applications/Tor Browser       | Version:
Severity: Normal                          | Keywords: noscript
Actual Points:                            | Parent ID:
Points:                                   | Reviewer:
Sponsor:                                  |
------------------------------------------+----------------------
While working on fixing the testsuite (#27105) I ran into some
inconsistent blocking behaviour of NoScript in a Tor Browser WIP build
based on Firefox 77 beta.

Basically, the issue is that with the Tor Browser `Safer` NoScript
configuration, visiting a `http:` page (containing a `https:` iframe)
and then going to the `https:` version of the same page results in
JavaScript being blocked, but it should not be. Manually reloading the
`https:` page results in JavaScript being executed correctly.

After some effort, I managed to reproduce it in the current Firefox 77 beta
directly, more specifically:
`f2e0df68e569b43ca337535927ed63068ed01c664eea7e397378cae668f63d0a firefox-77.0b9.tar.bz2`.
Tested with NoScript 11.0.26 and 11.0.25.

Steps to reproduce (in a fresh profile):
- Install the NoScript addon.
- Go to the NoScript options page (either via about:addons or via the NoScript
  toolbar badge).
- Enable the "script" option and "Cascade top document's restrictions to
  subdocuments" in the General + Default tab.
- Still in General, go to "UNTRUSTED" and enable "frame".
- Go to the "Per-site permission" tab and add a new rule: "http:" and mark it
  as "untrusted" (basically, setting non-https pages as untrusted).
- Open a new tab and visit http://alltaken.xyz/https_iframe.html
- When loaded, open a new tab and visit
  https://alltaken.xyz/https_iframe.html
- Result: JavaScript is blocked, but it should not be. When the page is
  manually reloaded (press F5), the script is executed correctly, and the
  `JavaScriptEnabled` text is displayed.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34305>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online