Opened 11 months ago

Closed 4 months ago

Last modified 3 months ago

#21270 closed defect (fixed)

TBB noscript settings break WebExtensions addons

Reported by: replaythesong
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability, tbb-security-slider
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

In TBB 6.0.8, depending on the position of the security slider, NoScript can end up blocking WebExtensions background scripts from running, breaking some Firefox add-ons entirely.

This occurs when the security slider is medium-high or high, unless moz-extension: is added to capability.policy.maonoscript.sites.

This bug does not seem to affect vanilla FF with the latest NoScript installed, unless capability.policy.maonoscript.sites is set to the value used in TBB, which is why I'm reporting it as a TBB bug, not a NoScript bug.

NB: this bug does not prevent WebExtension content scripts from running, but blocking background scripts is still enough to break many WebExtensions.

Suggested fix: the default prefs shipped with TBB should include moz-extension: in capability.policy.maonoscript.sites (unless this has undesired security outcomes that I'm not aware of).

Steps to reproduce

  1. Create a directory somewhere called ping.
  2. Create a file ping/manifest.json which contains:

{
  "manifest_version": 2,
  "name": "Ping Test",
  "version": "1.0",

  "description": "Tiny extension which pings the console from a bg script.",

  "background": {
    "scripts": ["ping.js"]
  },

  "applications": {
    "gecko": {
      "id": "ping@…",
      "strict_min_version": "42.0",
      "strict_max_version": "50.*"
    }
  }
}

  3. Create a file ping/ping.js which simply contains:

console.log('ping');

  4. Open Tor Browser, browse to about:config and set xpinstall.signatures.required to false, so that we will be allowed to install our own extensions.
  5. Set the security slider to medium-high.
  6. Open the Browser Console (Ctrl-Shift-J) and click 'Clear'.
  7. Browse to about:debugging, click 'Load Temporary Addon' and select ping/manifest.json.
  8. Go to the Browser Console and note that 'ping' has NOT appeared.
  9. Set the security slider to medium-low.
  10. Browse to about:addons. Disable 'Ping Test' then re-enable it.
  11. Go to the Browser Console and note that 'ping' HAS now appeared.
  12. Set the security slider back to medium-high.
  13. Browse to about:config and add " moz-extension:" to the end of capability.policy.maonoscript.sites.
  14. Clear the Browser Console.
  15. Browse to about:addons. Disable 'Ping Test' then re-enable it.
  16. Note that 'ping' HAS appeared.
  17. To clean up, just remove 'Ping Test' and set xpinstall.signatures.required and the security slider back to your preferred settings.
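
The pref edit in step 13 above, as an added example that is not part of the ticket and not Tor Browser's or NoScript's own code. capability.policy.maonoscript.sites is a whitespace-separated list of sites and schemes; the snippet parses such a value, checks whether moz-extension: is present, appends it idempotently, and renders the result as a user.js line so the change can be applied from the profile directory instead of about:config. The sample pref value and the extension UUID are constructed for illustration (not TBB's real default), and the matching model in allowsUrl (a scheme-only token such as "moz-extension:" matches any URL with that scheme, any other token must equal the URL's origin) is a simplified assumption, not NoScript's actual matcher.

```javascript
// Added example: models the NoScript whitelist pref the ticket is about.
// Not code from the ticket, Tor Browser or NoScript.

const PREF_NAME = "capability.policy.maonoscript.sites";

// CONSTRUCTED sample value, same shape as a TBB value that lacks moz-extension:.
const SAMPLE_SITES = "about: about:addons about:config chrome: resource: https://example.org";

// CONSTRUCTED background-script URL; the UUID is per-profile in real Firefox.
const SAMPLE_BG_SCRIPT = "moz-extension://c1d2e3f4-0000-4000-8000-000000000001/ping.js";

// The pref is a whitespace-separated token list; tolerate extra spaces.
function parseSites(value) {
  return value.trim().split(/\s+/).filter(Boolean);
}

// True if the given scheme token (e.g. "moz-extension:") is whitelisted.
function hasScheme(value, scheme) {
  return parseSites(value).includes(scheme);
}

// Returns the pref value with "moz-extension:" appended if it is missing.
// Idempotent: applying it twice yields the same string.
function ensureMozExtension(value) {
  const tokens = parseSites(value);
  if (!tokens.includes("moz-extension:")) tokens.push("moz-extension:");
  return tokens.join(" ");
}

// Simplified (assumed) matching model: a scheme-only token allows every URL
// with that scheme; otherwise the URL's origin must appear verbatim.
function allowsUrl(value, url) {
  const u = new URL(url);
  const tokens = parseSites(value);
  if (tokens.includes(u.protocol)) return true; // e.g. "moz-extension:" or "about:"
  return tokens.includes(u.origin);             // e.g. "https://example.org"
}

// Render the corrected pref as a user.js line (Firefox pref-file syntax).
function userJsLine(value) {
  return `user_pref("${PREF_NAME}", ${JSON.stringify(ensureMozExtension(value))});`;
}

// Stand-alone demo: before and after the fix for the sample background script.
console.log("before:", allowsUrl(SAMPLE_SITES, SAMPLE_BG_SCRIPT));
console.log("after: ", allowsUrl(ensureMozExtension(SAMPLE_SITES), SAMPLE_BG_SCRIPT));
console.log(userJsLine(SAMPLE_SITES));
```

Note that ensureMozExtension only adds the scheme token; it does not touch the rest of the list, so the about: and chrome: entries TBB relies on stay as they were.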

Child Tickets

Change History (5)

comment:1 Changed 11 months ago by replaythesong

Sorry, should have previewed before posting; wiki formatting has misinterpreted the square brackets in manifest.json, and hidden the addon id because it looks like an email address. The file contents should be:

{
  "manifest_version": 2,
  "name": "Ping Test",
  "version": "1.0",

  "description": "Tiny extension which pings the console from a bg script.",

  "background": {
    "scripts": ["ping.js"]
  },

  "applications": {
    "gecko": {
      "id": "ping@ping.me",
      "strict_min_version": "42.0",
      "strict_max_version": "50.*"
    }
  }
}

comment:2 Changed 11 months ago by gk

Keywords: tbb-usability tbb-security-slider added

comment:3 Changed 10 months ago by replaythesong

In TBB 6.5, security slider has 3 settings instead of 4. Bug occurs in medium or high, but not in low.

So, in steps to reproduce, replace 'medium-low' with 'low' and replace 'medium-high' with 'medium'.

An aside: in 6.5, when moz-extension: is added so that the script does finally run in medium (or high), it is now accompanied by an error in noscript/DOM.js:

NS_NOINTERFACE: Component returned failure code: 0x80004002 (NS_NOINTERFACE) [nsIInterfaceRequestor.getInterface]

This error does not appear to prevent the script running. It does not appear at all in 'low' security mode.

comment:4 Changed 4 months ago by gk

Resolution: fixed
Status: new → closed

This bug should be fixed by #23258.

comment:5 Changed 3 months ago by gk

Closed #23342 as duplicate.

Last edited 3 months ago by gk