[tor-bugs] #10464 [Tor bundles/installation]: TBB3.5's NoScript allows addons.mozilla.org even when scripts are globally forbidden
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Dec 22 07:30:00 UTC 2013
#10464: TBB3.5's NoScript allows addons.mozilla.org even when scripts are globally
forbidden
------------------------------------------+-------------------
Reporter: torar | Owner: erinn
Type: defect | Status: new
Priority: major | Milestone:
Component: Tor bundles/installation | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
------------------------------------------+-------------------
Comment (by mikeperry):
Ah crap. This should be https://addons.mozilla.org at the very least.
On the one hand, if javascript is disabled on a.m.o, I think that addons
cannot be verified (because they are downloaded over http, but verified
with JS sourced from https://addons.mozilla.org). On the other hand, due
to the weak pinning (I believe only the common name of the CA is pinned),
maybe even https://addons.mozilla.org is too much to default whitelist?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10464#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list