Opened 8 months ago

Closed 8 months ago

Last modified 8 months ago

#21923 closed defect (fixed)

Allowing only HTTPS JavaScript on the medium security slider level is broken

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: noscript, tbb-usability, ff52-esr, TorBrowserTeam201704R
Cc: ma1
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

In

isGlobalHttps: function(win, /*optional */ s) {
    let allow = false;
    // An explicitly passed site must itself be HTTPS and not Untrusted.
    if (s && !this._isHttpsAndNotUntrusted(s)) return false;

    // Walk from win up through its ancestors; the top window is its own parent.
    for (;; win = win.parent) {
      let site = this.getSite(this.getPrincipalOrigin(this.getPrincipal(win.document)));
      if (!(allow = s && site === s || this._isHttpsAndNotUntrusted(site)) || win === win.parent)
        break;
      s = site;
    }

    return allow;
  },

the line

let site = this.getSite(this.getPrincipalOrigin(this.getPrincipal(win.document)));

breaks because win is null.

This happens on a Tor Browser nightly with e10s enabled and based on ESR52 (tested on 64-bit Linux). The result is that the NoScript icon does not get updated anymore and I guess all JS is disabled (I have not verified that).

Child Tickets

Change History (14)

comment:1 Changed 8 months ago by cypherpunks

Priority: Medium → Very High
Severity: Normal → Critical

And

[04-17 20:04:10] Torbutton NOTE: Failed to update NoScript status for security setings: TypeError: win is null

comment:2 Changed 8 months ago by ma1

Working on it, thanks.

comment:3 Changed 8 months ago by ma1

It is a UI-only bug. The scripts are blocked or allowed according to the HTTPS status as designed, because the checks happen in the content process.
Unfortunately the UI-side, living in the parent process, cannot touch the DOM window. Nevertheless, we've got the URL available, so a work-around is on its way :)
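The ancestor walk from the ticket description, and the null-window failure ma1 explains above, modelled as an added example (my code, not NoScript's or Tor Browser's): a content-side version that walks a constructed frame tree with the same logic as isGlobalHttps(), and a URL-only version that makes the same decision without touching a DOM window, which is the kind of thing a parent-process caller could use. getSite(), the Untrusted set, the frame objects and the sample URLs are stand-ins I made up; the ticket does not say how the actual 5.0.3rc5 work-around is written.

```javascript
// Added example, not NoScript's or Tor Browser's code. Models the
// isGlobalHttps() walk from the ticket description over a constructed
// frame tree, shows the TypeError a null `win` produces, and a URL-only
// variant that needs no DOM window (the ticket does not describe the real
// 5.0.3 work-around; this is an illustration).

// Stand-in for NoScript's getSite(): scheme + host for http(s), else the scheme.
function getSite(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:"
      ? `${u.protocol}//${u.host}`
      : u.protocol;
  } catch (e) {
    return null;
  }
}

// Constructed sample: sites the user has explicitly marked Untrusted.
const untrusted = new Set(["https://tracker.example"]);

function isHttpsAndNotUntrusted(site) {
  return typeof site === "string" && site.startsWith("https://") && !untrusted.has(site);
}

// Minimal frame model: like a DOM window, the top frame is its own parent.
function makeFrame(url, parent) {
  const win = { url, parent: null };
  win.parent = parent || win;
  return win;
}

// Content-process walk, same shape as isGlobalHttps() in the description.
// Walks from `win` up to the top frame and allows only if every ancestor is
// HTTPS and not Untrusted (an ancestor on the same site as its child is
// accepted without re-checking, as the original does). Reading win.url on a
// null `win` throws the same TypeError the ticket logs for win.document.
function isGlobalHttpsWindow(win, s) {
  let allow = false;
  if (s && !isHttpsAndNotUntrusted(s)) return false;
  for (;; win = win.parent) {
    const site = getSite(win.url);
    if (!(allow = (s && site === s) || isHttpsAndNotUntrusted(site)) || win === win.parent)
      break;
    s = site;
  }
  return allow;
}

// Collect the frame's URL and those of its ancestors, innermost first.
function ancestorUrls(win) {
  const urls = [];
  for (;; win = win.parent) {
    urls.push(win.url);
    if (win === win.parent) break;
  }
  return urls;
}

// Parent-process variant: the same decision from URLs alone, so it works
// where no content DOM window is reachable (e10s UI code). An empty chain
// is refused rather than allowed.
function isGlobalHttpsUrls(urls, s) {
  if (s && !isHttpsAndNotUntrusted(s)) return false;
  let allow = false;
  for (const url of urls) {
    const site = getSite(url);
    allow = (s && site === s) || isHttpsAndNotUntrusted(site);
    if (!allow) break;
    s = site;
  }
  return allow;
}

if (typeof require !== "undefined" && require.main === module) {
  const top = makeFrame("https://example.org/");
  const frame = makeFrame("https://cdn.example.net/widget", top);
  console.log(isGlobalHttpsWindow(frame));             // true
  console.log(isGlobalHttpsUrls(ancestorUrls(frame))); // true
  try { isGlobalHttpsWindow(null); } catch (e) { console.log(e.name); } // TypeError
}
```

The point the two variants make together: the decision only needs each ancestor's site, so the UI side can reach the same verdict from URLs it already has, and a null window is then a caller error rather than something to catch and ignore.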

comment:4 Changed 8 months ago by ma1

Status: new → needs_review

Please check 5.0.3rc5 from https://noscript.net/getit#devel
Thanks!

comment:5 Changed 8 months ago by cypherpunks

16:02:59.098 Error: Only restartless (bootstrap) add-ons can be installed from sources:
Stack trace:
this.XPIProvider.installAddonFromLocation<@resource://gre/modules/addons/XPIProvider.jsm:4151:13
TaskImpl_run@resource://gre/modules/Task.jsm:319:42
Handler.prototype.process@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:932:23
this.PromiseWalker.walkerLoop@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:813:7
this.PromiseWalker.scheduleWalkerLoop/<@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:747:11

1 controls.js:63:9

loadAddonFromFile/< resource://devtools/client/aboutdebugging/components/addons/controls.js:63:9
Handler.prototype.process resource://gre/modules/Promise-backend.js:935:21
this.PromiseWalker.walkerLoop resource://gre/modules/Promise-backend.js:813:7
this.PromiseWalker.scheduleWalkerLoop/< resource://gre/modules/Promise-backend.js:747:11

comment:6 Changed 8 months ago by gk

Keywords: TorBrowserTeam201704R added

comment:7 in reply to: 5; Changed 8 months ago by ma1

Replying to cypherpunks:

16:02:59.098 Error: Only restartless (bootstrap) add-ons can be installed from sources:
Stack trace:
this.XPIProvider.installAddonFromLocation<@resource://gre/modules/addons/XPIProvider.jsm:4151:13

Where are you installing the XPI from? Did you try from the URL I provided you with, or from AMO ( https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/beta )?

comment:8 in reply to: 7; Changed 8 months ago by cypherpunks

Replying to ma1:

Replying to cypherpunks:

16:02:59.098 Error: Only restartless (bootstrap) add-ons can be installed from sources:
Stack trace:
this.XPIProvider.installAddonFromLocation<@resource://gre/modules/addons/XPIProvider.jsm:4151:13

Where are you installing the XPI from? Did you try from the URL I provided you with, or from AMO ( https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/beta )?

Didn't you guess? ;-)
From your URL it failed with

1492633619500	addons.xpi	WARN	Download of https://secure.informaction.com/download/betas/noscript-5.0.3rc5.xpi failed: [Exception... "Certificate issuer is not built-in."  nsresult: "0x80004004 (NS_ERROR_ABORT)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: checkCert :: line 171"  data: no] Stack trace: checkCert()@resource://gre/modules/CertUtils.jsm:171 < onStopRequest()@resource://gre/modules/addons/XPIProvider.jsm:6547

From AMO - works.

comment:9 in reply to: 8; Changed 8 months ago by ma1

Replying to cypherpunks:

Didn't you guess? ;-)
From your URL it failed with [...]
From AMO - works.

No, I didn't and couldn't guess: those XPI files are identical (I synchronize them as soon as they're signed by AMO) and they both install fine on a stable Firefox. Weird.

But, can you verify the bug reported here is fixed?

comment:10 in reply to: 9; Changed 8 months ago by cypherpunks

Replying to ma1:

Replying to cypherpunks:

Didn't you guess? ;-)
From your URL it failed with [...]
From AMO - works.

No, I didn't and couldn't guess: those XPI files are identical (I synchronize them as soon as they're signed by AMO) and they both install fine on a stable Firefox. Weird.

Well, it was the 'Temporary load add-on for debugging' feature :)

But, can you verify the bug reported here is fixed?

Hmm, how to say? Testing revealed:

  1. https://check.torproject.org/?lang=en_US now loads forever without success (e10s), or there is an OCSP failure (non-e10s).
  2. reloading YouTube after high->medium gives no SVG, etc. (not NoScript-related?); a second reload works.
  3. video is behind a placeholder which allows video/mse; after clicking, reloading leads to an error on the video, because audio/mse is blocked (but no placeholder).
  4. seems it was an ad video, because after enabling audio/mse from the menu there is an error again, because video/mse was blocked (but no placeholder again).
  5. strong feeling that that's not all ;)

comment:11 in reply to: 4; Changed 8 months ago by gk

Resolution: fixed
Status: needs_review → closed

Replying to ma1:

Please check 5.0.3rc5 from https://noscript.net/getit#devel
Thanks!

That one fixes the issue, thanks. Closing this ticket. The next NoScript update will contain the fix I guess.

comment:12 Changed 8 months ago by gk

Keywords: tbb-usability added; tbb-usability-website removed

comment:13 Changed 8 months ago by gk

Priority: Very High → Medium
Severity: Critical → Normal

comment:14 in reply to: 11; Changed 8 months ago by ma1

Replying to gk:

That one fixes the issue, thanks. Closing this ticket. The next NoScript update will contain the fix I guess.

It does. 5.0.3 stable is published on AMO now, thanks for reporting this.
