Opened 4 years ago

Last modified 22 months ago

#15514 assigned defect

Trim the NoScript whitelist

Reported by: mikeperry Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-security, noscript
Cc: fdsfgs@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The NoScript whitelist currently allows blob: URLs, all about: URLs, and chrome: URLs.

We definitely want to remove blob: URLs, because of #15502. We also don't appear to need chrome: URLs, and Giorgio recommends we remove the blanket allow on about: URLs in favor of the list of specific about: URLs we know we need.

We do need resource: URLs for pdf.js though. For some reason, the cascading permissions do not properly allow them in pdf.js when you click "Temporarily allow all this page".

Unfortunately, updating this list is not easy. We need to push an update in extension-overrides.js to set 'noscript.mandatory' and 'noscript.default', but that will not affect 'capability.policy.maonoscript.sites' for people who upgrade. Hence we need to add one-time code to Torbutton that removes the extra schemes from 'capability.policy.maonoscript.sites' and sets a pref so it doesn't do it again.
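The one-time migration the description calls for, as an added example in JavaScript; this is not Torbutton's or NoScript's own code. It assumes a pref-branch-like object (getCharPref/setCharPref/getBoolPref/setBoolPref, the shape of nsIPrefBranch) and an invented guard pref name, and stands in an in-memory store for the real branch so it runs offline.

```javascript
// Added example, not Torbutton/NoScript code: one-time trim of the NoScript
// whitelist pref. Drops the blanket blob:, chrome: and about: entries, keeps
// resource: (pdf.js needs it) and any specific about: pages, then sets a guard
// pref so the user's later edits to the list are never touched again.
const SITES_PREF = "capability.policy.maonoscript.sites";   // named in the ticket
const GUARD_PREF = "extensions.torbutton.noscript_whitelist_trimmed"; // assumed name

// Scheme-only entries that grant a whole scheme and should be removed.
const DROP_SCHEMES = new Set(["blob:", "chrome:", "about:"]);

// Pure function: takes the space-separated whitelist value, returns the trimmed one.
function trimWhitelist(sites) {
  const kept = [];
  const seen = new Set();
  for (const entry of sites.trim().split(/\s+/)) {
    if (entry === "") continue;
    // Only the blanket scheme entries go; "about:blank", "about:addons" etc. stay.
    if (DROP_SCHEMES.has(entry)) continue;
    if (seen.has(entry)) continue;        // dedupe while preserving order
    seen.add(entry);
    kept.push(entry);
  }
  return kept.join(" ");
}

// One-time migration. Returns true if the whitelist was rewritten, false if the
// guard pref shows it has already run (so upgrades are idempotent).
function migrateNoScriptWhitelist(prefs) {
  if (prefs.getBoolPref(GUARD_PREF, false)) return false;
  const before = prefs.getCharPref(SITES_PREF, "");
  const after = trimWhitelist(before);
  if (after !== before) prefs.setCharPref(SITES_PREF, after);
  prefs.setBoolPref(GUARD_PREF, true);   // never touch the user's list again
  return after !== before;
}

// Minimal in-memory pref store standing in for the real branch (constructed).
function makePrefStore(initial) {
  const store = { ...initial };
  return {
    getCharPref: (k, d) => (k in store ? store[k] : d),
    setCharPref: (k, v) => { store[k] = v; },
    getBoolPref: (k, d) => (k in store ? store[k] : d),
    setBoolPref: (k, v) => { store[k] = v; },
    dump: () => ({ ...store }),
  };
}
```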

Child Tickets

Change History (10)

comment:1 Changed 4 years ago by mikeperry

Owner: changed from tbb-team to mikeperry
Status: new → assigned

comment:2 Changed 4 years ago by mikeperry

Keywords: ff38-esr added; TorBrowserTeam201504 tbb-4.5-alpha removed

I am not going to mess with this until we decide how we actually want to handle blob and mediasource. Probably in the ff38 timeframe.

comment:3 Changed 4 years ago by mikeperry

Keywords: tbb-5.0a3-essential added

Tag the set of things we should aim to understand/fix for the first FF38-based TBB (5.0a3, on June 30th).

comment:4 Changed 4 years ago by mikeperry

Keywords: TorBrowserTeam201506 MikePerry201506 added

comment:5 Changed 4 years ago by mikeperry

Keywords: tbb-5.0a-highrisk added; tbb-5.0a3-essential removed

comment:6 Changed 4 years ago by mikeperry

Keywords: TorBrowserTeam201507 added; TorBrowserTeam201506 removed

Move over remaining June items to July

comment:7 Changed 4 years ago by mikeperry

Keywords: MikePerry201507 added; MikePerry201506 removed

Move my tickets over for July

comment:8 Changed 4 years ago by mikeperry

Keywords: tbb-security added; ff38-esr tbb-5.0a-highrisk TorBrowserTeam201507 MikePerry201507 removed

I want to keep an eye on this, but as of yet trimming our whitelist does not appear to have any actual impact on NoScript's behavior. Taking it off the radar for now.

comment:9 Changed 3 years ago by bugzilla

Keywords: noscript added
Owner: changed from mikeperry to tbb-team
Severity: Normal

Only Giorgio can explain how to use it right.

comment:10 Changed 22 months ago by tokotoko

Cc: fdsfgs@… added