Opened 3 years ago

Closed 4 months ago

#19907 closed defect (fixed)

NoScript could not be verified and gets disabled after restart

Reported by: gk
Owned by: tbb-team
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: tbb-security, noscript
Cc: mcs, brade, arthuredelstein
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We have at least two bug reports about NoScript getting disabled (presumably after an extension update happened) because it could not get verified. It might be related to #19491 but that is not known.

Attachments (1)

no_script_10.2.4_disabled.png (29.7 KB) - added by gapegas7uftp 4 months ago.
image of noscript could not be verified for use with tor browser and has been disabled

Change History (15)

comment:1 Changed 3 years ago by gk

Component: - Select a component → Applications/Tor Browser
Owner: set to tbb-team

Thanks to a user on IRC (femme) we did try to debug this a bit but enabling extensions.logging.enabled does not shine any light on this issue. I wonder if anybody could come up with a good idea to debug this. Maybe we should ship with extra debugging code for this case until we tracked the thing down?

I also wonder whether Mozilla has heard about this and has any ideas, given that we do not change any code with respect to NoScript's signing state.

comment:2 Changed 3 years ago by gk

The extension is fine; it is just that the signature verification fails in rare cases for some reason and NoScript is then stuck in the "disabled" bucket.

comment:3 Changed 3 years ago by gk

Maybe we could trigger a signature re-check at every start somehow?

comment:4 in reply to:  2 Changed 3 years ago by mcs

Replying to gk:

> The extension is fine; it is just that the signature verification fails in rare cases for some reason and NoScript is then stuck in the "disabled" bucket.

Is this affecting other extensions (e.g., for Firefox users)? It seems like even a rare "false failure" will cause a lot of problems.

comment:5 Changed 3 years ago by bugzilla

As you pay much attention to this issue (dunno why), here are some thoughts on the topic:
What really should be done is a warning that some component has failed to initialize.
As reports about NoScript have started to appear more often, the latest updates of NoScript could be the reason. The scenario is: the user starts TBB and NoScript prepares to update, say .13 to .14; then TBB finds its new version and prepares to update; the user restarts TBB and Check Add-on for Compatibility is invoked by the NoScript update, but there is no Tor connection ready to check the signature (plus some bugs with early network connections might exist), so initialization fails. (The same goes for HTTPSE.) Firefox users are not affected, because of an existing connection or no bugs with handling of it.

comment:6 Changed 2 years ago by linda

Keywords: tbb-usability removed

Thanks for marking this with the usability keyword. The UX team triaged the ticket and realized that the fix does not require our assistance, so we are removing the keyword as part of our triage.

comment:7 Changed 12 months ago by traumschule

Keywords: noscript added
Status: new → needs_information

It's not mentioned above but according to the TB's Changelog very old versions (6.5 and earlier) were affected and it did not happen since (at least it wasn't reported here).
Does it happen regularly or can we close this and reopen if it happens again?

(I found this while reading security issues and it doesn't seem to have very high priority anymore)

Changed 4 months ago by gapegas7uftp

image of noscript could not be verified for use with tor browser and has been disabled

comment:8 Changed 4 months ago by gapegas7uftp

Just got this with a new install of TB linux64-8.0.8_en-US.

This is the first time I have seen this.

Attached a pic (no_script_10.2.4_disabled.png)

comment:9 Changed 4 months ago by gapegas7uftp

There is a workaround in ticket:30388 to disable xpinstall.signatures.required in about:config

Probably a signature certificate expired.

comment:10 Changed 4 months ago by cypherpunks

The original issue that this ticket was opened for 3 years ago may have been triggered by https://bugzilla.mozilla.org/show_bug.cgi?id=1267318 which also happened 3 years ago.

comment:11 Changed 4 months ago by atagar

Resolution: duplicate
Status: needs_information → closed

Closing as a duplicate of #30388

comment:12 Changed 4 months ago by Crissy2

I also have this problem now. I reinstalled the Tor Browser three times. I also tried installing 8.0.7. How do I force NoScript to activate and stay active?

Why do I see "Explore Privately" if NoScript doesn't work???

Is there any workaround to force enable NoScript?

comment:13 in reply to:  10 Changed 4 months ago by gk

Resolution: duplicate
Status: closed → reopened

Replying to cypherpunks:

> The original issue that this ticket was opened for 3 years ago may have been triggered by https://bugzilla.mozilla.org/show_bug.cgi?id=1267318 which also happened 3 years ago.

Nice find. That could be it. Let's mark this ticket as fixed then.

comment:14 Changed 4 months ago by gk

Resolution: fixed
Status: reopened → closed