[tor-bugs] #27589 [- Select a component]: "Javascript is disabled on non-HTTPS sites" from security slider has regressed in TBB 8 / NoScript 10
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Sep 9 08:40:39 UTC 2018
#27589: "Javascript is disabled on non-HTTPS sites" from security slider has
regressed in TBB 8 / NoScript 10
--------------------------------------+---------------------------------
Reporter: cypherpunks_reply | Owner: (none)
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: - Select a component | Version:
Severity: Normal | Keywords: noscript regression
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------------------+---------------------------------
Formerly this feature was accomplished by a NoScript setting that allowed
scripts on HTTPS sites. Allowing scripts on an HTTP site through the
NoScript button only allowed them for that particular site.
Now, this feature relies on a per-site permission in NoScript that applies
the Untrusted rules to the special "http://http:" site. Allowing a single
HTTP site to run scripts requires applying the Default or Trusted rules to
the "http://http:" site in the NoScript button UI. This has the undesired
effect or granting these permissions to all HTTP sites for the browsing
session.
Furthermore, changing a per-site permission to default deletes it from the
per-site permissions list in NoScript settings. Users cannot restore the
setting manually because "http://http:" is not accepted by the settings UI
as a valid input. To stop allowing scripts on subsequent visits to HTTP
sites they must toggle the security slider settings, or import a settings
backup to NoScript, or restart the browser.
If the above were fixed, and each HTTP site was given its own per-site
permission there is an additional problem. There is no "Temp. Default"
option, only "Temp. Trusted," but only the default rules are required to
allow script execution. This makes it tempting to give HTTP sites Temp.
Trusted permissions so that the Revoke Temporary Permissions button will
apply to them. At present, restarting the browser will reset all per-site
permissions, but this may be changed (see #27175). If per-site
permissions are saved, users will be forced to choose between granting
temporary but excessive permissions, or risk storing a record of their
browsing history.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27589>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list