[tor-bugs] #30388 [Applications/Tor Browser]: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon May 6 18:15:27 UTC 2019
#30388: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)
-------------------------------------------------+-------------------------
Reporter: cypherpunks | Owner: tbb-
| team
Type: task | Status:
| needs_review
Priority: Immediate | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Blocker | Resolution:
Keywords: AffectsTails, TorBrowserTeam201905R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by torlove):
So glad that I still have old Orfox installed right now. NoScript still
works in Orfox, it must've been "baked in", yes?
Cypherpunks, yes. I considered simply disabling JS but the other things
NoScript does, including protecting against XSS made me rethink that.
Fingerprinting included.
Yes, can somone please do a commit to show a warning about
xpinstall.signatures.required set to false on startup?
(SOLUTION THAT WON'T WORK: I did some research at Mozilla, mostly to
determine the scale of the problem. Its pretty bad. Especially for users
who depend on password management addons. One (bad?) idea someone
suggested was to turn the clock back. I'm quite certain that this is not
an option for Tor users for good reason, Tor complains about an out of
sync clock at startup and will not even connect to the Tor network, let
along a website. Also SSL requires clocks to be relatively in-sync, if my
understanding/memory is correct.)
Once the commit is made please tell us to allay concerns about future
security.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30388#comment:49>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list