Opened 2 years ago

Last modified 4 months ago

#19907 needs_information defect

NoScript could not be verified and gets disabled after restart

Reported by: gk Owned by: tbb-team
Priority: Very High Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords: tbb-security, noscript
Cc: mcs, brade, arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We have at least two bug reports about NoScript getting disabled (presumably after an extension update happened) because it could not get verified. It might be related to #19491 but that is not known.

Child Tickets

Change History (7)

comment:1 Changed 2 years ago by gk

Component: - Select a componentApplications/Tor Browser
Owner: set to tbb-team

Thanks to a user on IRC (femme) we did try to debug this a bit but enabling extensions.logging.enabled does not shine any light on this issue. I wonder if anybody could come up with a good idea to debug this. Maybe we should ship with extra debugging code for this case until we tracked the thing down?

I also wonder whether Mozilla has heard from this and has any ideas given that we do not change any code with respect to NoScript's signing state..

comment:2 Changed 2 years ago by gk

The extension is fine it is just that the signature verification fails in rare cases for some reason and NoScript is then stuck in the "disabled" bucket.

comment:3 Changed 2 years ago by gk

Maybe we could trigger a signature re-check at every start somehow?

comment:4 in reply to:  2 Changed 2 years ago by mcs

Replying to gk:

The extension is fine it is just that the signature verification fails in rare cases for some reason and NoScript is then stuck in the "disabled" bucket.

Is this affecting other extensions (e.g., for Firefox users)? It seems like even a rare "false failure" will cause a lot of problems.

comment:5 Changed 2 years ago by bugzilla

As you pay much attention to this issue (dunno why), here are some thoughts on the topic:
What really should be done is a warning about that some component has failed to initialize.
As reports about NoScript started to appear more often, last updates of NoScript could be the reason. The scenario is: user starts TBB and NoScript prepares to update, say .13 to .14; then TBB finds its new version and prepares to update; user restarts TBB and Check Add-on for Compatibility is invoked by NoScript update, but there is no Tor connection ready to check the signature (plus some bugs with early network connections might exist), so initialization fails. (The same is for HTTPSE) Firefox users are not affected, because of existed connection or no bugs with handling of it.

comment:6 Changed 20 months ago by linda

Keywords: tbb-usability removed

Thanks for marking this with usability keyword. The UX team triaged the ticket and realize that the fix does not require our assistance, so we are removing the keyword as part of our triage.

comment:7 Changed 4 months ago by traumschule

Keywords: noscript added
Status: newneeds_information

It's not mentioned above but according to the TB's Changelog very old versions (6.5 and earlier) were affected and it did not happen since (at least it wasn't reported here).
Does it happen regularly or can we close this and reopen if it happens again?

(i found here reading security issue and it doesn't seem to have very high priority anymore)

Note: See TracTickets for help on using tickets.