[tor-bugs] #28873 [Applications/Tor Browser]: Cascading of permissions does not seem to work properly in Tor Browser 8
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 8 10:58:37 UTC 2019
#28873: Cascading of permissions does not seem to work properly in Tor Browser 8
-------------------------------------------------+-------------------------
Reporter: gk | Owner: ma1
Type: defect | Status: closed
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution: fixed
Keywords: noscript, tbb-security, tbb-torbutton, tbb-8.0-issues, tbb-regression, TorBrowserTeam201812R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by gk):
Replying to [comment:12 ma1]:
> Replying to [comment:11 gk]:
> > "only execute JavaScript loaded over HTTPS provided the URL bar domain got loaded over HTTPS as well".
> >
> > E.g. it should not be possible that an exit node owner rewrites URLs in a document loaded over HTTP, pointing to malicious JavaScript loaded over HTTPS from a domain they control and getting that JavaScript executed in Tor Browser if the user is on "safer".
>
> OK, so as long as this is kept guaranteed (e.g. by checking whether the subdocument has been granted its TRUSTED status by a domain-specific rule or just by the generic "https:", as Tor does, and in the latter case enforcing this "HTTPS only" policy) we're fine, right?
I think so, yes.
> > I am fine adding additional code on our side for interacting with NoScript to get that property if that helps you and other users of NoScript who were complaining.
>
> I'd actually like to at least have a sure-fire means to tell whether we're running in the Tor Browser or not, in order to enforce special cases which are important for Tor users without affecting the general population.
I created #29021 for that.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28873#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
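
The check discussed in the message above, sketched as an added example (not NoScript or Tor Browser code, and not part of the original message): a resource trusted only through the generic "https:" rule runs only when the URL bar document was itself loaded over HTTPS, while a domain-specific rule is honored as is. The policy object, its field names, the function names and the example.* hosts are all hypothetical.

```javascript
// Constructed policy for illustration. On "safer", TRUSTED comes from the
// generic "https:" rule; siteTrusted holds rules a user added for one origin.
const policy = {
  genericTrusted: ["https:"],               // scheme-wide rule
  siteTrusted: ["http://intranet.example"], // constructed per-origin rule
};

// Report which kind of rule, if any, grants TRUSTED to a URL:
// "site" for a domain-specific rule, "generic" for the scheme-wide rule.
function trustSource(url, pol) {
  const u = new URL(url);
  if (pol.siteTrusted.includes(u.origin)) return "site";
  if (pol.genericTrusted.includes(u.protocol)) return "generic";
  return null;
}

// Decide whether a script or subdocument at resourceUrl may execute inside
// a page whose URL bar document was loaded from topUrl.
function mayExecute(resourceUrl, topUrl, pol) {
  const source = trustSource(resourceUrl, pol);
  if (source === null) return false; // not TRUSTED at all
  if (source === "site") return true; // explicit domain-specific rule
  // Generic "https:" trust cascades only from an HTTPS top-level document,
  // so a rewritten HTTP page cannot pull in HTTPS script and have it run.
  return new URL(topUrl).protocol === "https:";
}

// Constructed cases: [resource URL, URL bar document].
const cases = [
  ["https://cdn.example/app.js", "https://site.example/"],
  ["https://other.example/x.js", "http://site.example/"],
  ["http://intranet.example/a.js", "http://intranet.example/"],
];
for (const [res, top] of cases) {
  console.log(`${res} in ${top}: ${mayExecute(res, top, policy)}`);
}
```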