[tor-bugs] #15514 [Tor Browser]: Trim the NoScript whitelist
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Mar 30 20:20:41 UTC 2015
#15514: Trim the NoScript whitelist
-------------------------------------------------+-------------------------
 Reporter:  mikeperry                            | Owner:  tbb-team
 Type:  defect                                   |
 Priority:  normal                               | Status:  new
 Component:  Tor Browser                         | Milestone:
 Keywords:  TorBrowserTeam201504, tbb-4.5-alpha  | Version:
 Parent ID:                                      | Actual Points:
                                                 | Points:
-------------------------------------------------+-------------------------
The NoScript whitelist currently allows blob: URLs, all about: URLs, and
chrome: URLs.

We definitely want to remove blob: URLs, because of #15502. We also don't
appear to need chrome: URLs, and Giorgio recommends we remove the blanket
allow on about: URLs in favor of a list of specific about urls we know
we need.

We do need resource: urls for pdf.js though. For some reason, the
cascading permissions do not properly allow them in pdf.js when you
click "Temporarily allow all this page".

Unfortunately, updating this list is not easy. We need to push an update
in extension-overrides.js to set 'noscript.mandatory' and
'noscript.default', but that will not affect
'capability.policy.maonoscript.sites' for people who upgrade. Hence we
need to add one-time code to Torbutton that removes the extra schemes from
'capability.policy.maonoscript.sites' and sets a pref so it doesn't do it
again.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15514>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
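
A sketch of the one-time migration the ticket describes, added here as an illustration; it is not Torbutton code. It assumes 'capability.policy.maonoscript.sites' is a whitespace-separated list, uses a hypothetical flag pref name, and substitutes a Map-backed stand-in for the Firefox pref service so it runs offline.

```javascript
// Added illustration; not Torbutton code. Assumes the sites pref is a
// whitespace-separated list of entries.
const SITES_PREF = "capability.policy.maonoscript.sites"; // named in the ticket
const DONE_PREF = "extensions.example.noscript_whitelist_trimmed"; // hypothetical flag pref
const BLANKET_SCHEMES = new Set(["blob:", "chrome:", "about:"]); // schemes the ticket wants removed

// Map-backed stand-in for the browser pref service (hypothetical helper).
function makePrefs(initial) {
  const store = new Map(Object.entries(initial));
  return {
    getCharPref: (k, dflt = "") => (store.has(k) ? String(store.get(k)) : dflt),
    setCharPref: (k, v) => void store.set(k, String(v)),
    getBoolPref: (k, dflt = false) => (store.has(k) ? store.get(k) === true : dflt),
    setBoolPref: (k, v) => void store.set(k, Boolean(v)),
  };
}

// Returns the entries removed, or null if the migration already ran.
function trimWhitelistOnce(prefs) {
  if (prefs.getBoolPref(DONE_PREF, false)) return null;
  const entries = prefs.getCharPref(SITES_PREF, "").split(/\s+/).filter(Boolean);
  const removed = [];
  const kept = [];
  for (const e of entries) {
    // Match the bare scheme token only: "about:" is dropped, while a
    // specific entry such as "about:blank" or "resource:" is kept.
    (BLANKET_SCHEMES.has(e.toLowerCase()) ? removed : kept).push(e);
  }
  prefs.setCharPref(SITES_PREF, kept.join(" "));
  // Set the flag even when nothing was removed, so later edits to the
  // list are never rewritten by this code again.
  prefs.setBoolPref(DONE_PREF, true);
  return removed;
}

// Constructed sample of an upgraded profile's list.
const prefs = makePrefs({
  [SITES_PREF]: "about: about:blank blob: chrome: resource: https://example.com",
});
console.log(trimWhitelistOnce(prefs));      // entries removed on first run
console.log(prefs.getCharPref(SITES_PREF)); // trimmed list
console.log(trimWhitelistOnce(prefs));      // second run is a no-op
```
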