Opened 2 years ago

Last modified 2 years ago

#22699 new enhancement

Use browser pref for javascript at High Security Level

Reported by: mikeperry
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security, tbb-security-slider, TorBrowserTeam201708
Cc: gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It would be wise to set javascript.enabled to false in about:config at the high security level, in addition to having NoScript disable scripting for us. This should be an easy change, and there is no reason to exclusively depend on NoScript. NoScript could miss something, especially if the e10s transition caused a lot of upheaval.

(Similarly, Firefox could miss something, since javascript.enabled is no longer a UI-exposed pref, so we should do both, for defense in depth.)

Change History (6)

comment:1 Changed 2 years ago by cypherpunks

And get "Temporarily allow all this page" broken?

comment:2 Changed 2 years ago by gk

Keywords: TorBrowserTeam201706 added

Good idea.

comment:3 Changed 2 years ago by gk

Keywords: TorBrowserTeam201707 added; TorBrowserTeam201706 removed

Moving Tickets to July 2017.

comment:4 in reply to:  1 Changed 2 years ago by gk

Replying to cypherpunks:

> And get "Temporarily allow all this page" broken?

Yes, the easy change, just adding javascript.enabled to the slider and having it set to false on the highest level, does not work pretty well with temporarily allowing JavaScript.

What we could do, though, is to try to bind javascript.enabled to the slider mode AND temporary NoScript permissions: if there are no websites where JavaScript is temporarily allowed AND the slider is on the highest level then javascript.enabled is set to false. Otherwise it is set to true. One of the downsides with this approach, though, is that the state of a global pref (javascript.enabled) can now depend on domain-wide decisions (i.e. allowing JavaScript on particular domains only). That's confusing but might be okay, given that allowing scripts on the highest security level is not recommended anyway.

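The rule proposed in comment:4, modelled as an added example. This is not Tor Browser, Torbutton or NoScript code: the class, method and site names are hypothetical, and NoScript is simplified to "blocks every site without a temporary permission at the highest level". It shows the downside noted in that comment: a single temporary permission turns the global pref back on, leaving NoScript as the only layer for every other site.

```javascript
// Added model of the rule proposed in comment:4. All names are hypothetical;
// this is not Torbutton or NoScript code and touches no real browser prefs.
const HIGHEST = "high"; // assumed label for the top slider level

class ScriptPolicyModel {
  constructor(sliderLevel) {
    this.sliderLevel = sliderLevel;
    this.tempAllowed = new Set(); // sites holding a temporary NoScript permission
  }

  tempAllow(site) { this.tempAllowed.add(site); }
  revokeTemp(site) { this.tempAllowed.delete(site); }

  // Proposed binding: false only when the slider is on the highest level
  // AND no site holds a temporary permission; true otherwise.
  get javascriptEnabled() {
    return !(this.sliderLevel === HIGHEST && this.tempAllowed.size === 0);
  }

  // Which layers still block scripts for `site` in the current state.
  blockingLayers(site) {
    const layers = [];
    if (!this.javascriptEnabled) layers.push("javascript.enabled");
    // Simplifying assumption: NoScript blocks only at the highest level.
    if (this.sliderLevel === HIGHEST && !this.tempAllowed.has(site)) {
      layers.push("NoScript");
    }
    return layers;
  }
}

// Walk through one temporary permission and watch an unrelated site.
function demo() {
  const m = new ScriptPolicyModel(HIGHEST);
  const before = m.blockingLayers("b.example");  // both layers active
  m.tempAllow("a.example");
  const during = m.blockingLayers("b.example");  // global pref flipped on
  const allowed = m.blockingLayers("a.example"); // nothing blocks a.example
  m.revokeTemp("a.example");
  const after = m.blockingLayers("b.example");   // both layers restored
  return { before, during, allowed, after };
}

console.log(demo());
```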

comment:5 in reply to:  2 Changed 2 years ago by cypherpunks

Keywords: tbb-security-slider TorBrowserTeam201708 added; TorBrowserTeam201707 removed

Replying to gk:

> Good idea.

Yours is better.

comment:6 Changed 2 years ago by cypherpunks

Given ticket:23258#comment:22, #23399, #18592 and https://bugzilla.mozilla.org/show_bug.cgi?id=971650, this idea doesn't look so good. It was discussed in #1811.
