[tor-bugs] #28873 [Applications/Tor Browser]: Cascading of permissions does not seem to work properly in Tor Browser 8
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Dec 30 14:04:40 UTC 2018
#28873: Cascading of permissions does not seem to work properly in Tor Browser 8
-------------------------------------------------+-------------------------
Reporter: gk | Owner: ma1
Type: defect | Status: closed
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution: fixed
Keywords: noscript, tbb-security, tbb- | Actual Points:
torbutton, tbb-8.0-issues, tbb-regression, |
TorBrowserTeam201812R |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by ma1):
Replying to [comment:11 gk]:
> "only execute JavaScript loaded over HTTPS provided the URL bar domain
> got loaded over HTTPS as well".
>
> E.g. it should not be possible that an exit node owner rewrites URLs in
> a document loaded over HTTP, pointing to malicious JavaScript loaded over
> HTTPS from a domain they control and getting that JavaScript executed in
> Tor Browser if the user is on "safer".
OK, so as long as this is kept guaranteed (e.g. by checking whether the
subdocument has been granted its TRUSTED status by a domain-specific rule
or just by the generic "https:", as Tor does, and in the latter case
enforcing this "HTTPS only" policy) we're fine, right?
> I am fine adding additional code on our side for interacting with
> NoScript to get that property if that helps you and other users of
> NoScript who were complaining.
I'd actually like to at least have a sure-fire means to tell whether we're
running in the Tor Browser or not, in order to enforce special cases which
are important for Tor users without affecting the general population.
> (FWIW: the .xpi on AMO does not have an "an" anymore indicating it works
> on Android, is that intentional? Diffing 10.2.0 and 10.2.1 I think 10.2.1
> should still do its job on Android, too, or am I overlooking something?)
No, it was not intentional, it's just the AMO submission process which
doesn't default to both platforms being checked anymore, making mistakes
like this easier for stable releases, whose submissions cannot be
automated :(
Thanks for noticing it!
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28873#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
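Editor's note: the following is an added illustration of the check ma1 describes above, written for this archive page. It is not NoScript's or Tor Browser's own code, and the function names (makePolicy, trustSource, effectiveTrust, isScriptAllowed), the shape of the policy object and the sample URLs are all assumptions made for the example. It models the rule that an origin TRUSTED only through the generic "https:" entry (as Tor Browser's "safer" level configures NoScript) gets that trust cascaded from the URL bar document, so the trust is dropped when the top-level page was loaded over plain HTTP, while a domain-specific rule stands on its own.

```javascript
// Added illustration of the check discussed in the ticket; this is NOT
// NoScript or Tor Browser code, and the function names, the policy shape and
// the sample URLs are all assumptions made for the example.
//
// Model: an origin is TRUSTED either by a domain-specific rule or, as Tor
// Browser's "safer" level configures NoScript, by the generic "https:" rule.
// Trust obtained only through "https:" is honoured only when the URL bar
// (top-level) document was itself loaded over HTTPS. That is the property
// gk asks for: an exit relay that rewrites an HTTP page cannot get script it
// hosts over HTTPS executed, because the page it tampered with is HTTP.

// Constructed policy object (hypothetical shape, not NoScript's real format).
function makePolicy({ trustedDomains = [], trustHttps = true } = {}) {
  return { trustedDomains: new Set(trustedDomains), trustHttps };
}

// Why is this origin trusted at all? Returns "domain", "https", or null.
function trustSource(policy, originUrl) {
  const u = new URL(originUrl);
  if (policy.trustedDomains.has(u.hostname)) return "domain";
  if (policy.trustHttps && u.protocol === "https:") return "https";
  return null;
}

// Effective trust of a subdocument or script origin inside a tab whose URL
// bar document is topUrl. Domain rules stand on their own; "https:" trust is
// cascaded from the top-level document and is dropped when that document is
// not itself HTTPS.
function effectiveTrust(policy, topUrl, originUrl) {
  const source = trustSource(policy, originUrl);
  if (source === "https" && new URL(topUrl).protocol !== "https:") {
    return null;
  }
  return source;
}

// Should script fetched from scriptUrl run in a tab whose URL bar shows topUrl?
function isScriptAllowed(policy, topUrl, scriptUrl) {
  return effectiveTrust(policy, topUrl, scriptUrl) !== null;
}

// Constructed scenarios using RFC 2606 example domains. Only example.org has
// a domain-specific rule; everything else relies on the generic "https:" rule.
const saferPolicy = makePolicy({ trustedDomains: ["example.org"] });

function scenarios() {
  return [
    // The exit-relay case: HTTP page rewritten to load attacker HTTPS script.
    ["http://news.example.com/", "https://evil.example.net/x.js"],
    // Ordinary HTTPS page loading HTTPS script: allowed.
    ["https://news.example.com/", "https://cdn.example.net/x.js"],
    // HTTP page, but the script origin is trusted by an explicit domain rule.
    ["http://news.example.com/", "https://example.org/x.js"],
    // HTTP page loading HTTP script: not trusted at all on "safer".
    ["http://news.example.com/", "http://cdn.example.net/x.js"],
  ].map(([top, script]) => ({
    top,
    script,
    allowed: isScriptAllowed(saferPolicy, top, script),
  }));
}

for (const s of scenarios()) {
  console.log(`${s.allowed ? "ALLOW" : "BLOCK"}  top=${s.top}  script=${s.script}`);
}
```

Run with node; the first and last scenarios are blocked and the middle two allowed. The only design choice of note is that the HTTPS requirement is tied to the URL bar document rather than to the immediate parent frame, which is what the quoted requirement asks for.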