Opened 3 years ago

Closed 7 months ago

#21004 closed defect (fixed)

"JavaScript is disabled by default on all non-HTTPS sites" option shouldn't block JS on hidden services

Reported by: righnaw
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security-slider, noscript, TorBrowserTeam201910R
Cc: nido, ma1
Actual Points:
Parent ID: #21728
Points:
Reviewer:
Sponsor:

Description

"JavaScript is disabled by default on all non-HTTPS sites" option shouldn't block JS on hidden services

Change History (13)

comment:1 Changed 3 years ago by cypherpunks

Why? There are a lot of onion sites that rely on JavaScript and use https, too, such as https://facebookcorewwwi.onion/

comment:2 Changed 3 years ago by gk

Keywords: tbb-security-slider added

comment:3 in reply to: 1 Changed 3 years ago by righnaw

Replying to cypherpunks:

Why? There are a lot of onion sites that rely on JavaScript and use https, too, such as https://facebookcorewwwi.onion/

But onion services already offer end to end encryption just like https, so they should be treated the same way, right?

comment:4 Changed 3 years ago by i139

The problem isn't only the encryption but also the identity authentication; a CA will never authenticate an untrusted site, like a fake site, a clone site, or anything like those.

comment:5 Changed 3 years ago by micah

This happens with Riseup's onion version of webmail (roundcube): http://zsolxunfmbfuq7wf.onion

If you log in to the site with the TBB security settings set to Medium, JavaScript is disabled because it is not using https. This results in severe degradation in functionality of the site, so much so that you cannot even log out.

Either we have a way of issuing certificates for onion sites, or we should whitelist this restriction when using onion sites, otherwise you get the worst of both worlds :)

Last edited 3 years ago by micah

comment:6 Changed 3 years ago by tom

Hm. I wonder why #21321 didn't resolve this?

comment:7 in reply to: 6 Changed 3 years ago by arma

Replying to tom:

Hm. I wonder why #21321 didn't resolve this?

I thought the patches for #21321 just disabled the new Firefox "yell extra loud if they're about to submit something over http" features when you're on an onion site. And that there were more steps to be taken if you want the browser to actually treat onion sites as being like https in all ways.

comment:8 in reply to: 7 Changed 3 years ago by gk

Replying to arma:

Replying to tom:

Hm. I wonder why #21321 didn't resolve this?

I thought the patches for #21321 just disabled the new Firefox "yell extra loud if they're about to submit something over http" features when you're on an onion site. And that there were more steps to be taken if you want the browser to actually treat onion sites as being like https in all ways.

Correct.

comment:9 Changed 3 years ago by boklm

Cc: nido added

#24143 is a duplicate.

comment:10 Changed 8 months ago by gk

Cc: ma1 added
Keywords: noscript added

comment:11 Changed 7 months ago by gk

Parent ID: #21728

comment:13 Changed 7 months ago by gk

Keywords: TorBrowserTeam201910R added
Resolution: fixed
Status: new → closed

Fixed with the bump to 11.0.4 (commit 6cbbd55840577c4d3ab5581e76cffde26a5f5ff6 and 8623975e60c99b2a526bbda133168d7de5f8d329 on tor-browser-build's maint-9.0 and master branches), thanks!
