Opened 11 months ago

Closed 6 months ago

#20471 closed defect (fixed)

Allow javascript: links from HTTPS first party pages

Reported by: mikeperry
Owned by: ma1
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability-website, tbb-security-slider, TorBrowserTeam201612, noscript
Cc: gk, ma1
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

When we consolidate the security slider options into just "High", "Medium", and "Default", we should ask Giorgio if he can give us a way to allow javascript: links when JS is enabled for HTTPS first party pages (but not http pages).

This is the main thing that I've noticed breaking on "Medium-High", which if we make the new "Medium", we should definitely fix.

Change History (11)

comment:1 Changed 11 months ago by gk

Keywords: tbb-usability-website tbb-security-slider added; tbb-usability removed

This got reported as #20097 and on our blog:

https://blog.torproject.org/blog/tor-browser-604-released#comment-203337

https://bug1259785.bmoattachments.org/attachment.cgi?id=8734814 is the testcase mentioned there. Closing #20097 in favor of this one which takes our new security slider (just 3 states instead of 4) into account.

comment:2 Changed 11 months ago by bugzilla

It's good that you find some of my comments on the blog useful :), only some of them, though :(
And we need to cope with NoScript's whitelisting, because Giorgio is busy with fighting with e10s :(

comment:3 Changed 10 months ago by gk

Keywords: TorBrowserTeam201612 added

#20818 is probably related.

comment:4 Changed 10 months ago by dcf

#18679 is a duplicate.

I have occasionally worked around this problem by opening the inspector and manually changing

<a href="javascript: codecodecode">

to

<a onclick="codecodecode">

comment:5 Changed 10 months ago by ma1

Owner: changed from tbb-team to ma1
Status: changed from new to assigned

Fixing this is in my TODO list for next release, thank you.

comment:6 in reply to:  5 Changed 10 months ago by gk

Replying to ma1:

Fixing this is in my TODO list for next release, thank you.

Thanks. Just to give you a heads-up on our timeframe for getting a stable 6.5 out (which includes the enhanced security slider): we currently plan to release 6.5 end of January 2017. Thus, if a NoScript version with a fix would be available by then that would be neat.

comment:7 Changed 8 months ago by ma1

Status: changed from assigned to needs_review

Should be fixed in NoScript 2.9.5.3rc6, https://noscript.net/getit#devel
Please confirm.

comment:8 in reply to:  7 Changed 8 months ago by cypherpunks

Replying to ma1:
Nice. Could you also make Web Audio API "click-to-play" as WebGL?

comment:9 in reply to:  7 Changed 8 months ago by gk

Resolution: fixed
Status: changed from needs_review to closed

Replying to ma1:

Should be fixed in NoScript 2.9.5.3rc6, https://noscript.net/getit#devel
Please confirm.

Thanks, works for me.

comment:10 in reply to:  8 Changed 6 months ago by cypherpunks

Keywords: noscript added
Resolution: fixed
Status: changed from closed to reopened

Replying to cypherpunks:

Replying to ma1:
Nice. Could you also make Web Audio API "click-to-play" as WebGL?

Giorgio, where are you?

Your fix has a regression: if you temporarily allow JS for e.g. about:newtab.
STR:

  1. Search something with DDG.
  2. Temporarily allow all this page for about:newtab.
  3. JS is broken on DDG page, <meta http-equiv="refresh" content="0;URL=... is visible.

comment:11 Changed 6 months ago by gk

Resolution: fixed
Status: changed from reopened to closed

Please, don't reopen old fixed bugs. Having a new one for your issue sounds like a better plan.