Allow javascript: links from HTTPS first party pages

When we consolidate the security slider options into just "High", "Medium", and "Default", we should ask Giorgio if he can give us a way to allow javascript: links when JS is enabled for HTTPS first party pages (but not http pages).

This is the main thing that I've noticed breaking on "Medium-High", which if we make the new "Medium", we should definitely fix.

added TorBrowserTeam201612 component::applications/tor browser noscript owner::ma1 priority::medium resolution::fixed severity::normal status::closed tbb-security-slider tbb-usability-website type::defect labels

This got reported as #20097 (moved) and on our blog:

https://blog.torproject.org/blog/tor-browser-604-released#comment-203337

https://bug1259785.bmoattachments.org/attachment.cgi?id=8734814 is the testcase mentioned there. Closing #20097 (moved) in favor of this one which takes our new security slider (just 3 states instead of 4) into account.

Trac:
Keywords: tbb-usability deleted, tbb-security-slider, tbb-usability-website added

It's good that you find some of my comments on the blog useful :), only some of them, though :( And we need to cope with NoScript's whitelisting, because Giorgio is busy with fighting with e10s :(

#20818 (moved) is probably related.

Trac:
Keywords: N/A deleted, TorBrowserTeam201612 added

#18679 (moved) is a duplicate.

I have occasionally worked around this problem by opening the inspector and manually changing

<a href="javascript: codecodecode">

to

<a onclick="codecodecode">

Fixing this is in my TODO list for next release, thank you.

Trac:
Status: new to assigned
Owner: tbb-team to ma1

Replying to ma1:

Fixing this is in my TODO list for next release, thank you.

Thanks. Just to give you a heads-up on our timeframe for getting a stable 6.5 out (which includes the enhanced security slider): we currently plan to release 6.5 end of January 2017. Thus, if a NoScript version with a fix would be available by then that would be neat.

Should be fixed in NoScript 2.9.5.3rc6, https://noscript.net/getit#devel Please confirm.

Trac:
Status: assigned to needs_review

Replying to ma1: Nice. Could you also make Web Audio API "click-to-play" as WebGL?

Replying to ma1:

Should be fixed in NoScript 2.9.5.3rc6, https://noscript.net/getit#devel Please confirm.

Thanks, works for me.

Trac:
Resolution: N/A to fixed
Status: needs_review to closed

Replying to cypherpunks:

Replying to ma1: Nice. Could you also make Web Audio API "click-to-play" as WebGL? Giorgio, where are you?

Your fix has a regression: if you temporarily allow JS for e.g. about:newtab. STR:

1. Search something with DDG.
2. Temporarily allow all this page for about:newtab.
3. JS is broken on DDG page, <meta http-equiv="refresh" content="0;URL=... is visible.

Trac:
Status: closed to reopened
Keywords: N/A deleted, noscript added
Resolution: fixed to N/A

Please, don't reopen old fixed bugs. Having a new one for your issue sounds like a better plan.

Trac:
Status: reopened to closed
Resolution: N/A to fixed

closed

moved to tpo/applications/tor-browser#20471 (closed)