Opened 4 years ago

Closed 4 years ago

#17570 closed defect (worksforme)

HTTP JavaScript running in Medium-High security mode

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords:
Cc: boklm, gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

This is encrypted because I think it is a serious problem.

I hope I have the right PGP keys for you all, and that you keep them secret, keep them safe, etc.!

gpg: encrypted with 3072-bit RSA key, ID D2CA27F3F25B8E5E, created 2004-07-03
      "Nick Mathewson <nickm@alum.mit.edu>"
gpg: encrypted with 4096-bit RSA key, ID 923513C6B0E5067D, created 2015-06-10
      "Roger Dingledine <arma@mit.edu>"
gpg: encrypted with 4096-bit RSA key, ID 479AAAF80761B967, created 2012-09-16
      "Andrea Shepard (Tor Project key) <andrea@torproject.org>"
gpg: encrypted with 4096-bit RSA key, ID DFC2664D1B749632, created 2013-09-21
      "Erinn Clark <erinn@torproject.org>"
gpg: encrypted with 4096-bit RSA key, ID B0D1CB47ACC0A961, created 2015-09-07
      "Mike Perry <mikeperry@endarken.info>"
gpg: encrypted with 4096-bit RSA key, ID 57833E6F631602F4, created 2015-07-20
      "Georg Koppen <gk@torproject.org>"
gpg: encrypted with 4096-bit RSA key, ID 13E41AB155E052D1, created 2015-09-08
      "Isis <isis@torproject.org>"

-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----

Child Tickets

Change History (3)

comment:1 Changed 4 years ago by mikeperry

Cc: boklm gk added

Both GeKo and I tried to reproduce this by loading the test site at Medium-High. According to the built-in Firefox Network Monitor and JavaScript debugger (Vent->Developer->Network and Vent->Developer->Debugger), no scripts are loading on the http page. Once you click the link to the https page, scripts do load, but you're then on an https page, so they should be loading there.

Perhaps you were confused by the fact that allowing the cert for this site allows the CSS, which makes it slightly more dynamic in http? That confused me at first too.

If you can provide a clearer way to show that scripts are actually running on the http site, please give us another test case or instructions. Also, please additionally encrypt to boklm, who is the engineer responsible for the regression tests that we use to verify this security property (see #13053). Here's his key info:

pub   4096R/2067001B1B678A63 2011-08-04
      Key fingerprint = C9B8 CAC3 318B 9A9E 4883  5961 2067 001B 1B67 8A63
uid                          Nicolas Vigier (boklm) <boklm@mars-attacks.org>
uid                          Nicolas Vigier (boklm) <boklm@torproject.org>

comment:2 Changed 4 years ago by cypherpunks

I thought I was actually editing a pad over HTTP but now I can't seem to reproduce that. Sorry!

comment:3 Changed 4 years ago by gk

Resolution: worksforme
Status: new → closed

Alright, no worries. Closing this as WORKSFORME for now. If there is indeed more to it, please reopen this ticket.
