TBB noscript settings break WebExtensions addons
In TBB 6.0.8, depending on the position of the security slider, NoScript can end up blocking WebExtensions background scripts from running, breaking some Firefox addons entirely.
This occurs when the security slider is medium-high or high, unless moz-extension: is added to capability.policy.maonoscript.sites.
This bug does not seem to affect vanilla FF with the latest NoScript installed, unless capability.policy.maonoscript.sites is set to the value used in TBB, which is why I'm reporting it as a TBB bug, not a NoScript bug.
NB: This bug does not prevent WebExtension content scripts from running, but blocking background scripts is still enough to break many WebExtensions.
Suggested fix: default prefs shipped with TBB should include moz-extension: in capability.policy.maonoscript.sites (unless this has undesired security outcomes that I'm not aware of).
Steps to reproduce
- Create a directory somewhere called ping.
- Create a file ping/manifest.json which contains:

      {
        "manifest_version": 2,
        "name": "Ping Test",
        "version": "1.0",
        "description": "Tiny extension which pings the console from a bg script.",
        "background": { "scripts": ["ping.js"] },
        "applications": {
          "gecko": {
            "id": "ping@ping.me",
            "strict_min_version": "42.0",
            "strict_max_version": "50.*"
          }
        }
      }

- Create a file ping/ping.js which simply contains:

      console.log('ping');

- Open Tor Browser, browse to about:config and set xpinstall.signatures.required to false, so that we will be allowed to install our own extensions.
- Set security slider to medium-high.
- Open Browser Console (Ctrl-Shift-J) and click 'Clear'.
- Browse to about:debugging, click 'Load Temporary Addon' and select ping/manifest.json.
- Go to Browser Console and note that 'ping' has NOT appeared.
- Set security slider to medium-low.
- Browse to about:addons. Disable 'Ping Test' then re-enable it.
- Go to Browser Console and note that 'ping' HAS now appeared.
- Set security slider back to medium-high.
- Browse to about:config and add " moz-extension:" to the end of capability.policy.maonoscript.sites.
- Clear the Browser Console.
- Browse to about:addons. Disable 'Ping Test' then re-enable it.
- Note that 'ping' HAS appeared.
- To clean up, just remove 'Ping Test' and set xpinstall.signatures.required and the security slider back to your preferred settings.
Trac:
Username: replaythesong
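
A profile can be checked for the condition described in this ticket without opening about:config. The following is an added example, not part of the original report or of Tor Browser or NoScript code. It assumes the pref is stored in the profile's prefs.js as a `user_pref(...)` line whose value is a whitespace-separated list, as the " moz-extension:" step above implies; the sample pref values are constructed.

```python
import re

PREF = "capability.policy.maonoscript.sites"

# One user_pref("name", "string value"); line as written in a profile's prefs.js.
_PREF_RE = re.compile(
    r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*"((?:[^"\\]|\\.)*)"\);\s*$'
)


def noscript_sites(prefs_text):
    """Return the list entries of the NoScript pref, or None if it is not in the file."""
    value = None
    for line in prefs_text.splitlines():
        m = _PREF_RE.match(line)
        if m and m.group(1) == PREF:
            value = m.group(2)  # keep the last occurrence if the pref is repeated
    return None if value is None else value.split()


def check(prefs_text):
    """Classify a prefs.js: 'unset', 'blocked' or 'allowed' for moz-extension: scripts."""
    sites = noscript_sites(prefs_text)
    if sites is None:
        # Pref absent from prefs.js: the shipped default applies and is not visible here.
        return "unset"
    # The scheme must be an entry of its own, not a substring of another entry.
    return "allowed" if "moz-extension:" in sites else "blocked"


# Constructed sample input (not the real TBB default value).
SAMPLE_BLOCKED = (
    'user_pref("browser.startup.page", 0);\n'
    'user_pref("capability.policy.maonoscript.sites", "about: chrome: resource:");\n'
)
SAMPLE_ALLOWED = SAMPLE_BLOCKED.replace('resource:"', 'resource: moz-extension:"')

if __name__ == "__main__":
    for name, text in (("blocked sample", SAMPLE_BLOCKED), ("allowed sample", SAMPLE_ALLOWED)):
        print(name, "->", check(text))
```

A result of `unset` means the file alone cannot answer the question; the effective value then has to be read from about:config.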