Opened 4 years ago
Closed 4 years ago
#17570 closed defect (worksforme)
HTTP JavaScript running in Medium-High security mode
Reported by: | cypherpunks | Owned by: | tbb-team |
---|---|---|---|
Priority: | Medium | Milestone: | |
Component: | Applications/Tor Browser | Version: | |
Severity: | Major | Keywords: | |
Cc: | boklm, gk | Actual Points: | |
Parent ID: | | Points: | |
Reviewer: | | Sponsor: | |
Description
This is encrypted because I think it is a serious problem.
I hope I have the right PGP keys for you all, and that you keep them secret keep them safe etc etc!
gpg: encrypted with 3072-bit RSA key, ID D2CA27F3F25B8E5E, created 2004-07-03 "Nick Mathewson <nickm@alum.mit.edu>"
gpg: encrypted with 4096-bit RSA key, ID 923513C6B0E5067D, created 2015-06-10 "Roger Dingledine <arma@mit.edu>"
gpg: encrypted with 4096-bit RSA key, ID 479AAAF80761B967, created 2012-09-16 "Andrea Shepard (Tor Project key) <andrea@torproject.org>"
gpg: encrypted with 4096-bit RSA key, ID DFC2664D1B749632, created 2013-09-21 "Erinn Clark <erinn@torproject.org>"
gpg: encrypted with 4096-bit RSA key, ID B0D1CB47ACC0A961, created 2015-09-07 "Mike Perry <mikeperry@endarken.info>"
gpg: encrypted with 4096-bit RSA key, ID 57833E6F631602F4, created 2015-07-20 "Georg Koppen <gk@torproject.org>"
gpg: encrypted with 4096-bit RSA key, ID 13E41AB155E052D1, created 2015-09-08 "Isis <isis@torproject.org>"
Change History (3)
comment:1 Changed 4 years ago by
Cc: | boklm gk added |
---|
comment:2 Changed 4 years ago by
I thought I was actually editing a pad over HTTP, but now I can't seem to reproduce that. Sorry!
comment:3 Changed 4 years ago by
Resolution: | → worksforme |
---|---|
Status: | new → closed |
Alright, no worries. Closing this as WORKSFORME for now. If there is indeed more to it, please reopen this ticket.
Both GeKo and I tried to reproduce this by loading the test site at Medium-High. According to the built-in Firefox Network Monitor and JavaScript debugger (Vent->Developer->Network and Vent->Developer->Debugger), no scripts are loading on the http page. Once you click the link to the https page, scripts do load, but you're then on an https page, so they should be loading there.
Perhaps you were confused by the fact that allowing the cert for this site allows the CSS, which makes it slightly more dynamic in http? That confused me at first too.
If you can provide a more clear way to show that scripts are actually running in the http site, please give us another test case or instructions. Also, please additionally encrypt to boklm, who is the engineer responsible for the regression tests that we use to verify this security property (see #13053). Here's his key info: