Opened 9 years ago

Closed 9 years ago

#1811 closed enhancement (invalid)

Should Torbutton toggle javascript.enabled in Firefox per documentation?

Reported by: joebt Owned by: mikeperry
Priority: Medium Milestone:
Component: Applications/Torbutton Version: Torbutton: 1.2.5
Severity: Keywords: Torbutton, javascript, enabled, toggle
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Previous bugs stating Torbutton no longer toggling "Javascript Enabled" in Firefox (mainly after v3.5 or 3.6) have been answered that it isn't a bug (see # 979 below). Previous Torbutton versions did toggle “Enable Javascript” in Firefox Options > Content. Now, apparently not in later versions?

Current documentation seems to indicate it should be toggling the Firefox preference “javascript.enabled.” If correct, it would toggle the box in Options / Content.

Question is, should it be toggling “javascript.enabled” and thus toggling the Content check box, or does the documentation need updating or clarification? Also, Tor Project site gives current links to Tor Detector site http://torcheck.xenobite.eu/. With Tor, Polipo & Torbutton enabled, the site warns “JAVASCRIPT ENABLED” as security / anonymity risk.

If Torbutton no longer toggles “Enable Javascript” in Firefox, (instead “makes javascript safe for anonymity...”), is this still a valid parameter for torcheck.xenobite.eu/ to check & report as a security risk? Maybe check site needs updating or Tor Project needs to link to different sites? Also FAQs & documentation may need revising to inform average users of expected behavior.

Ticket 979: Torbutton not disabling javascript.

Response:

flyspray2trac: bug closed.
This is a feature. Torbutton makes javascript safe for anonymity purposes. If you fear javascript exploits, use quickjava or noscript to disable it.

From current (8-7-10) online Torbutton Design doc at:

http://www.torproject.org/torbutton/design/

From section:

  1. Relevant Firefox Bugs

6.1. Bugs impacting security

  1. Bug 409737 - javascript.enabled and docShell.allowJavascript do not disable all event handlers

From same doc, section 7:

7.3. Active testing (aka How to Hack Torbutton)

"Other ways to cause Javascript to be executed after javascript.enabled has been toggled off."

If it should be toggling javascript.enabled, it hasn't done it for me for several versions of Torbutton and Firefox 3.6 – 3.6.8.

Reproducible: always

Windows Vista x64 SP 2

Clean install of Firefox 3.6.8, new profile, no addons.

Torbutton 1.25, Tor 0.2.1.26 w/ Polipo installed, all running.

Tor checksite always reports “Javascript Enabled” as security risk.

With Torbutton 1.25 (& prior versions) enabled, about:config shows javascript.enabled value = true. (contradicts sect. 7.3 Active Testing)

Child Tickets

Change History (1)

comment:1 Changed 9 years ago by mikeperry

Resolution: invalid
Status: newclosed

You are misreading the documentation. It is referring to specific Firefox bugs, and suggesting methods of testing torbutton, not torbutton operation.

Torbutton does not globally disable javascript, it only does so on tabs that have been loaded in a Tor state different than your current Tor state.

Note: See TracTickets for help on using tickets.