[tor-bugs] #28873 [Applications/Tor Browser]: Cascading of permissions does not seem to work properly in Tor Browser 8
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Dec 17 08:45:39 UTC 2018
#28873: Cascading of permissions does not seem to work properly in Tor Browser 8
-------------------------------------+-------------------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords: tbb-security, tbb-torbutton, TorBrowserTeam201812
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
-------------------------------------+-------------------------------------
On level "safer" of our security slider we want to prevent executing
JavaScript if the URL bar domain is loaded over HTTP. That means even if
embedded content is loaded over HTTPS it's not allowed to load and execute
JavaScript that way. We used the `cascadePermissions` and the
`globalHttpsWhitelist` prefs for that in the XPCOM NoScript.
This mechanism seems to be broken as e.g. HTTPS JavaScript can get loaded
in an HTTP site context (as an example take
http://www.worldstarhiphop.com/featured/131305).
This got noted on our blog:
https://blog.torproject.org/new-release-tor-browser-85a6.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28873>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
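
The policy the ticket describes, written out as an added example (not part of the original report and not NoScript or Tor Browser code): it compares the cascaded decision, where the URL bar document governs, with a per-script decision that reproduces the reported symptom, and flags the loads where they differ. All function names, the load-record shape and the `.example` URLs are assumptions constructed for illustration.

```javascript
// Added illustration of the "safer"-level rule from the ticket.
// Names and record layout are hypothetical, not NoScript internals.

// Expected (cascaded) policy: the URL bar document decides. If it was loaded
// over plain HTTP, no script may run, whatever scheme the script itself uses.
function cascadedScriptAllowed(topLevelUrl, scriptUrl) {
  const top = new URL(topLevelUrl);
  const script = new URL(scriptUrl);
  if (top.protocol !== "https:") return false; // HTTP URL bar: block all JS
  // Assumption: under an HTTPS URL bar only HTTPS script sources are allowed.
  return script.protocol === "https:";
}

// Symptom reported in the ticket: only the script's own scheme is considered,
// so an HTTPS script runs inside an HTTP page.
function perScriptAllowed(_topLevelUrl, scriptUrl) {
  return new URL(scriptUrl).protocol === "https:";
}

// Return the loads that `policy` lets through although the cascaded rule
// forbids them. Usable as a regression check over recorded script loads.
function findCascadeViolations(loads, policy) {
  return loads.filter(
    (l) => policy(l.topLevel, l.script) &&
           !cascadedScriptAllowed(l.topLevel, l.script)
  );
}

// Constructed sample records. `frame` is the embedding document; it is
// deliberately ignored, because cascading keys on the URL bar document only.
const SAMPLE_LOADS = [
  { topLevel: "http://news.example/story",
    frame: "https://video.example/embed",
    script: "https://cdn.example/player.js" },   // must be blocked
  { topLevel: "http://news.example/story",
    frame: "http://news.example/story",
    script: "http://news.example/app.js" },      // must be blocked
  { topLevel: "https://shop.example/",
    frame: "https://shop.example/",
    script: "https://cdn.example/cart.js" },     // allowed
  { topLevel: "https://shop.example/",
    frame: "https://shop.example/",
    script: "http://ads.example/track.js" },     // blocked (assumption above)
];
```
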