[tor-bugs] #26624 [Applications/Tor Browser]: NoScript blocks <OBJECT> on Standard-Safer security setting in 8.0a9 contrary to behavior in 8.0a8
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Sep 12 06:23:05 UTC 2018
#26624: NoScript blocks <OBJECT> on Standard-Safer security setting in 8.0a9
contrary to behavior in 8.0a8
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |           Owner:  tbb-team
     Type:  defect                               |          Status:  needs_review
 Priority:  Medium                               |       Milestone:
Component:  Applications/Tor Browser             |         Version:
 Severity:  Normal                               |      Resolution:
 Keywords:  tbb-security-slider, noscript,       |   Actual Points:
  tbb-8.0-issues, tbb-regression,                |
  tbb-8.0.1-can, GeorgKoppen201809,              |
  TorBrowserTeam201809R                          |
Parent ID:                                       |          Points:
 Reviewer:                                       |         Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):
* cc: arthuredelstein (added)
* status: new => needs_review
* keywords:
tbb-security-slider, noscript, tbb-8.0-issues, tbb-regression,
tbb-8.0.1-can, GeorgKoppen201809
=>
tbb-security-slider, noscript, tbb-8.0-issues, tbb-regression,
tbb-8.0.1-can, GeorgKoppen201809, TorBrowserTeam201809R
Comment:
See `bug_26624`
(https://gitweb.torproject.org/user/gk/torbutton.git/commit/?h=bug_26624&id=8418acef23573dcd63a4bc2e04fac22bda7a25ba)
in my public Torbutton repo for a fix for review.
I think it is okay to allow OBJECT for http:// on the safer level as well
as there is a special permission `fetch` which is used for
`object_subrequest` and which is not enabled for http:// on the safer
level. Thus, it should prevent loading scripts from http:// sources behind
OBJECT elements.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26624#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online