#23324 closed defect (not a bug)

Tor Browser can't render nationalgeographic.com pages on security level high

Reported by: l0b0 Owned by: jsha
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: legind Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

http://www.nationalgeographic.com/ (for example) does not seem to render at all, showing up as a white page with nothing on it. The page renders fine in Firefox.

The difference between the page saved as "Web Page, HTML only" in Tor Browser and Firefox is just in various "id" attributes and an "applicationTime" JS object property. However, the Inspector tab shows very different structures: In Tor Browser there is nothing after the div with class "mt3_visuallyhidden" except the end "body" and "html" tags.

I tested with only the TorButton and TorLauncher extensions enabled.

Using Tor Browser 7.0.4 (based on Mozilla Firefox 52.3.0) (64-bit) and Firefox 55.0.2 (64-bit).

Child Tickets

Change History (6)

comment:1 Changed 21 months ago by gk

Cc: legind added
Component: Applications/Tor BrowserHTTPS Everywhere/EFF-HTTPS Everywhere
Owner: changed from tbb-team to jsha

I get

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /aem-proxy/.

Reason: Error reading from remote server

Turns out this is an HTTPS-Everywhere bug, though, as disabling it allows the page to render properly.

comment:2 Changed 21 months ago by l0b0

As I said, "I tested with only the TorButton and TorLauncher extensions enabled." In other words, I specifically disabled the HTTPS Everywhere and NoScript extensions, restarted Tor Browser, and loaded the URL. I could try *removing* the disabled extensions, but I don't expect that would make any difference. I also don't see the proxy error.

comment:3 Changed 21 months ago by gk

Status: newneeds_information

Aha! Do you get the proxy error with HTTPS-Everywhere enabled? Which operating system are you on? Do you get any error messages in the browser console (Ctrl + Shift + J)?

comment:4 Changed 21 months ago by gk

Which security slider setting are you on in case you touched that one?

comment:5 Changed 21 months ago by l0b0

After reverting back to default extensions (HTTPS Everywhere, NoScript, Torbutton, TorLauncher), loading http://www.nationalgeographic.com/ and allowing all JavaScript there, I still get just a blank page.

I'm on up-to-date Arch Linux.

I get no console messages whatsoever during a hard refresh of http://www.nationalgeographic.com/.

The security level is set to "High". Setting it to "Medium" works around the issue. This is strange, since according to the security slider window the only changes applied are that SVG images are disabled and website-provided fonts are blocked. Neither of these should be necessary to render the page in its entirety. For example, the banner image is not at any level inside an SVG element.

comment:6 in reply to:  5 Changed 21 months ago by gk

Component: HTTPS Everywhere/EFF-HTTPS EverywhereApplications/Tor Browser
Resolution: not a bug
Status: needs_informationclosed
Summary: Tor Browser can't render nationalgeographic.com pagesTor Browser can't render nationalgeographic.com pages on security level high

Replying to l0b0:

After reverting back to default extensions (HTTPS Everywhere, NoScript, Torbutton, TorLauncher), loading http://www.nationalgeographic.com/ and allowing all JavaScript there, I still get just a blank page.

I'm on up-to-date Arch Linux.

I get no console messages whatsoever during a hard refresh of http://www.nationalgeographic.com/.

The security level is set to "High". Setting it to "Medium" works around the issue. This is strange, since according to the security slider window the only changes applied are that SVG images are disabled and website-provided fonts are blocked. Neither of these should be necessary to render the page in its entirety. For example, the banner image is not at any level inside an SVG element.

Okay, the HTTPS Everywhere related error was due to a slightly outdated extension version (I did not update it after extracting a clean 7.0.4). And, yes, allowing SVG content allows the page to render properly. I guess what is happening is that the site is trying to load some SVG stuff very early and stops then not rendering other elements that are not SVG dependent. Anyway, nothing we can do about it.

Note: See TracTickets for help on using tickets.