Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#20366 closed defect (invalid)

NoScript allows all 3rd party scripts when base domain is blocked

Reported by: joebt
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal
Keywords: NoScript, Cascade, 3rd party

Description

An odd behavior if "Cascade top document's permissions to 3rd party scripts" is enabled in Advanced > Trusted tab.

  • With this enabled, even when the base domain - top document - is intentionally blocked, NoScript still allows all 3rd party scripts. I think this is incorrect behavior and not what users expect, when base domains are still blocked.

Then it lists the 3rd party sites under NS menu "Untrusted" group - but not marked untrusted. Normally, when 3rd party sites are allowed, they're listed in main menu (where users can see them), with the option to Forbid individual sites.

At best, it makes no sense to load 3rd party scripts - or show them as loaded, when the base domain is blocked.
It's also confusing and misleading, based on NoScript's verbiage on this option's page. It seems a waste of time, bandwidth to load 3rd party scripts if they're not going to be used. At worst, a 3rd party developer learns to exploit 3rd party scripts being loaded when base domains are blocked.

  • The description in Trusted tab is, "Additional permissions for trusted sites."

Keyword being "Trusted." Blocking the base domain implies it is not trusted.

  • The option is called, "Cascade top document's permissions...." If the top document's permission status is blocked, then it's doing the opposite of its current permissions. Only load 3rd party scripts if a base domain is allowed.

Tor Project opted to override NoScript, allowing some 3rd parties by default, via the extension-overrides.js file; e.g., google.dom gstatic.dom ajax.googleapis.dom, etc. But the Cascade option allows all 3rd party scripts when users have chosen not to allow scripts on the current page.

Change History (3)

comment:1 Changed 3 years ago by gk

Component: Applications → Applications/Tor Browser
Resolution: invalid
Status: new → closed

Seems to be a NoScript bug (if at all). Could you bring that to Giorgio's attention?

comment:2 Changed 3 years ago by joebt

I didn't discuss it directly with Giorgio, but NoScript forum's long time main moderator, barbaz, claimed this feature "Cascade top document's permissions...." was introduced at Tor devs' request.

I haven't confirmed that. If true, one question is, was this behavior under a specific condition what Tor Project wanted or even considered? Whether if a base domain is blocked, all 3rd party sites should be shown as allowed or blocked.

When base domain is blocked, not sure if allowed 3rd party sites / scripts would ever under any circumstance be able to execute under NS or TBB. Key phrase is "ever under any circumstance," vs. "probably won't."

Barbaz gave no real explanation - why or when the described behavior would be desirable or expected by most users.

Even if 3rd party scripts could never execute when a base domain is blocked, showing them as "allowed" is probably disconcerting and not what users prefer to see. Far less significant GUI quirks than this have been fixed.

If enabling some TBB / Tor Button option made it incorrectly show "You are NOT connected to Tor network," most users wouldn't want to ignore that as just a quirk.

comment:3 in reply to: 2 Changed 3 years ago by gk

Replying to joebt:

> I didn't discuss it directly with Giorgio, but NoScript forum's long time main moderator, barbaz, claimed this feature "Cascade top document's permissions...." was introduced at Tor devs' request.

Yes, that is true.

> I haven't confirmed that. If true, one question is, was this behavior under a specific condition what Tor Project wanted or even considered? Whether if a base domain is blocked, all 3rd party sites should be shown as allowed or blocked.

This was for the medium-high security level where we only allow scripts on HTTPS pages. This means if http:// is used in the URL bar then no script on that page is allowed to get executed. If https:// is used only scripts loaded with https:// are allowed to get executed.

> When base domain is blocked, not sure if allowed 3rd party sites / scripts would ever under any circumstance be able to execute under NS or TBB. Key phrase is "ever under any circumstance," vs. "probably won't."

If you mean with "blocked" doing that manually by blacklisting a domain, I don't know. That's not how we use/intend to use that feature.

> Barbaz gave no real explanation - why or when the described behavior would be desirable or expected by most users.
>
> Even if 3rd party scripts could never execute when a base domain is blocked, showing them as "allowed" is probably disconcerting and not what users prefer to see. Far less significant GUI quirks than this have been fixed.
>
> If enabling some TBB / Tor Button option made it incorrectly show "You are NOT connected to Tor network," most users wouldn't want to ignore that as just a quirk.

True, but note the different scenario: here we are the ones that are responsible for the TBB/Torbutton option. Thus, it falls into our bug tracker. But on the other hand we are not maintaining NoScript nor are we patching it before compiling or plan to do so. We just use a feature of it as it is expected to work. If there are folks like you who want to have it function in a different use-case as well, going to the NoScript author(s) is the way to do it.
