Opened 13 months ago

Closed 13 months ago

Last modified 13 months ago

#23718 closed defect (fixed)

Not able to log on to Protonmail with latest NoScript

Reported by: cypherpunks
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: noscript
Cc: ma1
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

With the latest version of Tor browser (7.0.6 (based on Mozilla Firefox 52.4.0) (64-bit)) it is no longer possible to login to Protonmail. After entering the logon credentials and pressing the login button the process gets stuck with showing the rotating atom and the text decrypting. This happens both at their onion address and their regular address. I've set to allow javascripts globally and set the security slider to low. Didn't make any difference.

Change History (29)

comment:1 Changed 13 months ago by arma

Component: changed from "- Select a component" to Applications/Tor Browser
Owner: set to tbb-team

comment:2 Changed 13 months ago by arma

(This person reported the issue on irc, and I asked another random person on irc to try it too and they had the same problem. So I figured it was time for a ticket.)

comment:3 Changed 13 months ago by cypherpunks

Yup, it throws this error in the browser console:

Error: Unhandled error in openpgp worker: NetworkError: Failed to load worker script at openpgp.min.js?rel=51671db22f (nsresult = 0x805e0006) (https://protonirockerxow.onion/openpgp.worker.min.js?rel=e82635bcaa:1)              openpgp.min.js:10:29944
NetworkError: Failed to load worker script at openpgp.min.js?rel=51671db22f (nsresult = 0x805e0006)              openpgp.worker.min.js:1

I'm not sure if this is more of an issue on their end than a TB issue.

comment:4 Changed 13 months ago by cypherpunks

Keywords: noscript added
Owner: changed from tbb-team to ma1
Status: changed from new to assigned
Summary: changed from "Not able to log on to Protonmail with latest (7.0.6) version of Tor browser" to "Not able to log on to Protonmail with latest NoScript"

Yeah, that's an untested update again, even on stable :(

comment:5 in reply to:  4 ; Changed 13 months ago by gk

Cc: ma1 added
Owner: changed from ma1 to tbb-team

Replying to cypherpunks:

> Yeah, that's f*cking untested update again, even on stable :(

Why is that a NoScript issue? Which NoScript version broke that (if so)?

comment:6 Changed 13 months ago by gk

Status: changed from assigned to needs_information

comment:7 in reply to:  5 Changed 13 months ago by cypherpunks

Status: changed from needs_information to new

Replying to gk:

> Replying to cypherpunks:
>
> > Yeah, that's f*cking untested update again, even on stable :(
>
> Why is that a NoScript issue?

Good morning, Georg.
Because it appears after updating NoScript only.

> Which NoScript version broke that (if so)?

About NoScript gives https://noscript.net/changelog#5.1.0 (no?)

@cpunk: Why the f* do you allow yourself editing comments that don't belong to you?

comment:8 Changed 13 months ago by ma1

Please check latest development build 5.1.1rc1, thanks.

comment:9 in reply to:  8 ; Changed 13 months ago by Dbryrtfbcbhgf

Replying to ma1:

> Please check latest development build 5.1.1rc1, thanks.

I tried to login with TorBrowser 7.5a5 using NoScript 5.1.1rc1 and it still gets stuck loading for a very long time "a few minutes" until TorBrowser gives me the option to Stop the webpage because it is slowing down my browser.

Tested on Protonmail's onion site https://protonirockerxow.onion/login

comment:10 in reply to:  9 ; Changed 13 months ago by gk

Replying to Dbryrtfbcbhgf:

> Replying to ma1:
>
> > Please check latest development build 5.1.1rc1, thanks.
>
> I tried to login with TorBrowser 7.5a5 using NoScript 5.1.1rc1 and it still gets stuck loading for a very long time "a few minutes" until TorBrowser gives me the option to Stop the webpage because it is slowing down my browser.
>
> Tested on Protonmail's onion site https://protonirockerxow.onion/login

Which security slider level are you on (this might in fact be a different problem if you are not on "Low")? If not on "Low" could you please test with that one?

comment:11 in reply to:  10 Changed 13 months ago by Dbryrtfbcbhgf

Replying to gk:

> Replying to Dbryrtfbcbhgf:
>
> > Replying to ma1:
> >
> > > Please check latest development build 5.1.1rc1, thanks.
> >
> > I tried to login with TorBrowser 7.5a5 using NoScript 5.1.1rc1 and it still gets stuck loading for a very long time "a few minutes" until TorBrowser gives me the option to Stop the webpage because it is slowing down my browser.
> >
> > Tested on Protonmail's onion site https://protonirockerxow.onion/login
>
> Which security slider level are you on (this might in fact be a different problem if you are not on "Low")? If not on "Low" could you please test with that one?

I was previously testing it on the high setting, and when I tried the low setting it works, it is still not fast but much faster than the high setting.

comment:12 Changed 13 months ago by cypherpunks

Priority: changed from Medium to Very High
Severity: changed from Normal to Critical

Holy shit! Untested updates are restartless now!
NoScript icon disappeared and

06:09:49.100 CustomizableUI:Widget 'noscript-tbb' not found, unable to move 1 CustomizableUI.jsm:1149
06:09:48.188 TypeError: ABE is undefined 1 ABE.js:1198:21
06:09:48.189 TypeError: WAN is undefined 1 ABE.js:1186:23
[10-01 06:09:49] Torbutton NOTE: tor domain isolator error: channel.loadInfo is null
No matching message handler for the given recipient.  MessageChannel.jsm:621
	_handleMessage/</< resource://gre/modules/MessageChannel.jsm:621:11
06:09:52.283 XML Parsing Error: undefined entity
Location: jar:file:///C:/Browser/TorBrowser/Data/Browser/profile.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/chrome/content/noscript/noscriptOverlayFx57.xul?1br8nr5ksqe792k1ufps
Line Number 27, Column 5: 1 noscriptOverlayFx57.xul:27:5
06:09:52.284 TypeError: widgetTemplate is null 1 Restartless.jsm:90:7
1506838192300	addons.webextension.{73a6fe31-595d-460b-a920-fcc0f8843232}	WARN	Loading extension '{73a6fe31-595d-460b-a920-fcc0f8843232}': Reading manifest: Error processing permissions.1: Unknown permission "privacy"
[10-01 06:09:52] Torbutton INFO: tor SOCKS: https://secure.informaction.com/ipecho/ via
                       --unknown--:15aa7212e8a2ea4c777afc7ffd9f0d30

etc...

comment:13 Changed 13 months ago by ma1

Is some Tor isolation machinery preventing NoScript from retrieving its XUL overlay template through XMLHttpRequest by blocking entity resolution? Is there a work-around I can use, or is up to you to make an exception (it's a local chrome:// URI resolution, AFAICT)?

And yes, NoScript 5.1 and above is restartless. It's been a huge effort and a race against time, but the only way to make the hybrid webextension actually work to migrate data (Mozilla forgot to tell that even if you had an embedded webextension, the already migrated data would be lost unless the legacy side was restartless).

comment:14 Changed 13 months ago by cypherpunks

Revert/fix this * immediately, or you'll ruin all TBB installations automatically.

TypeError: Date is undefined[Learn More] ClearClickHandler.js:318:9
console.trace():  inspector.js:770
	WalkerFront<.getMutations</< resource://devtools/shared/fronts/inspector.js:770
	Handler.prototype.process resource://gre/modules/Promise-backend.js:932
	this.PromiseWalker.walkerLoop resource://gre/modules/Promise-backend.js:813
	this.PromiseWalker.scheduleWalkerLoop/< resource://gre/modules/Promise-backend.js:747
[10-01 08:11:51] Torbutton NOTE: Failed to update NoScript status for security setings: TypeError: win.noscriptOverlay is undefined

Torbutton asks to Restore Defaults now...

comment:15 Changed 13 months ago by cypherpunks

This is a first sabotage in the World's First Internet War.
But, seriously, it's not hilarious anymore.
This is, actually, Mozilla's war against add-on developers, but we should protect users of TBB stable, at least.

comment:16 Changed 13 months ago by cypherpunks

Wow, the security slider was completely screwed up, might have to stick again with sandboxed-tor-browser which disables automatic updates for addons. Hopefully this will get more incentive to fix #22974 for NoScript at least ASAP.

comment:17 Changed 13 months ago by cypherpunks

Seems NoScript doesn't honor domain isolation too. See #20195.

09:02:36.013 [Exception... "Failure"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: chrome://noscript/content/Restartless.jsm?0.6823539743381042.1506848511800 :: loadIntoWindow :: line 139"  data: no] 1 (unknown)	
	loadIntoWindow chrome://noscript/content/Restartless.jsm:139:5
	observe chrome://noscript/content/Restartless.jsm:164:11

comment:18 Changed 13 months ago by ma1

Does anybody with some knowledge of Tor's internal know if there's anything I can do to let my XMLHttpRequest-loaded XUL document ("chrome/content/noscript/noscriptOverlayFx57.xul") succeed in resolving entities against "chrome://noscript/locale/noscript.dtd"? Thanks!

comment:19 in reply to:  18 Changed 13 months ago by cypherpunks

Replying to ma1:

> Does anybody with some knowledge of Tor's internal know

Usually Tor folks know nothing about browser's internals. And TBB Team is absent on Saturday/Sunday.

> if there's anything I can do to let my XMLHttpRequest-loaded XUL document ("chrome/content/noscript/noscriptOverlayFx57.xul") succeed in resolving entities against "chrome://noscript/locale/noscript.dtd"? Thanks!

Workaround: set extensions.torbutton.resource_and_chrome_uri_fingerprinting to true.

comment:20 in reply to:  description Changed 13 months ago by improperthumping

Workarounds

Disable NoScript

Disable NoScript to login into ProtonMail.

If you trust ProtonMail and go nowhere else for the Tor session this seems to be a reasonable option. Any feedback?

comment:21 in reply to:  18 ; Changed 13 months ago by gk

Priority: changed from Very High to High
Severity: changed from Critical to Major
Status: changed from new to needs_information

Replying to ma1:

> Does anybody with some knowledge of Tor's internal know if there's anything I can do to let my XMLHttpRequest-loaded XUL document ("chrome/content/noscript/noscriptOverlayFx57.xul") succeed in resolving entities against "chrome://noscript/locale/noscript.dtd"? Thanks!

I don't have time debugging this now but it seems we have a hint on what is going on (see comment:19). I guess our code blocking content scripts from accessing resources which is a severe fingerprinting vector is interfering with NoScript's code. That said: what's the impact of this issue? I tested updating Noscript to 5.1.1 both in Tor Browser 7.0.6 and 7.5a5 and while I saw the same error in the browser console I kept a working NoScript and the security slider was not messed up as comment:16 reports (and other users, too, on IRC). Thus, we have at least one additional bug that is causing this or could that somehow be a result of Tor Browser breaking the entity resolution? If so, how can I reproduce this?

Oh, and I guess we should create a new bug for that and not clutter that one as the Protonmail issue should be resolved with 5.1.1.

comment:22 in reply to:  21 Changed 13 months ago by cypherpunks

Replying to gk:

> I don't have time debugging this now but it seems we have a hint on what is going on (see comment:19). I guess our code blocking content scripts from accessing resources which is a severe fingerprinting vector is interfering with NoScript's code. That said: what's the impact of this issue? I tested updating Noscript to 5.1.1 both in Tor Browser 7.0.6 and 7.5a5 and while I saw the same error in the browser console I kept a working NoScript and the security slider was not messed up as comment:16 reports (and other users, too, on IRC). Thus, we have at least one additional bug that is causing this or could that somehow be a result of Tor Browser breaking the entity resolution? If so, how can I reproduce this?

That bug (or at least its effect) is temporary: it goes away when restarting the browser. I think the correct way to reproduce this is to start with a stock 7.0.6 and 7.5a5, go to about:addons, and then click on the gear icon and choose Check for updates, you will then experience the bug that was described.

Edit: However, the NoScript icon gets displaced into the very right when restarting the browser, and it's no longer on the left of the Torbutton.

comment:23 in reply to:  21 ; Changed 13 months ago by cypherpunks

Status: changed from needs_information to new

Okay, folks, gk is here. Moving to a new ticket...

Replying to gk:

> I don't have time debugging this now

Out of curiosity, what work are you busy with?

> but it seems we have a hint on what is going on (see comment:19).

Debugging on a weekend, while team doesn't have time.

> I guess our code blocking content scripts from accessing resources which is a severe fingerprinting vector is interfering with NoScript's code. That said: what's the impact of this issue?

Very high, critical.

> I tested updating Noscript to 5.1.1 both in Tor Browser 7.0.6 and 7.5a5 and while I saw the same error in the browser console I kept a working NoScript and the security slider was not messed up as comment:16 reports (and other users, too, on IRC). Thus, we have at least one additional bug that is causing this or could that somehow be a result of Tor Browser breaking the entity resolution? If so, how can I reproduce this?

It is a new "feature" of a new "restartless update". Available since 5.1.0.

> Oh, and I guess we should create a new bug for that and not clutter that one as the Protonmail issue should be resolved with 5.1.1.

Yeah, we have much more severe issues now.

comment:24 in reply to:  23 Changed 13 months ago by cypherpunks

Replying to cypherpunks:

> Very high, critical.

I disagree, a simple restart of the browser fixes the issue, it's at best High, Major. Also your tone doesn't help, we should be respectful here and stay on-topic.

comment:25 in reply to:  23 Changed 13 months ago by gk

Resolution: fixed
Status: changed from new to closed

Replying to cypherpunks:

> Okay, folks, gk is here. Moving to a new ticket...
>
> Replying to gk:
>
> > I don't have time debugging this now
>
> Out of curiosity, what work are you busy with?
>
> > but it seems we have a hint on what is going on (see comment:19).
>
> Debugging on a weekend, while team doesn't have time.
>
> > I guess our code blocking content scripts from accessing resources which is a severe fingerprinting vector is interfering with NoScript's code. That said: what's the impact of this issue?
>
> Very high, critical.

What I meant was whether the issue that is now #23723 is preventing NoScript from functioning properly or not. (It seems to me this bug is *not* preventing NoScript from behaving properly).

> > I tested updating Noscript to 5.1.1 both in Tor Browser 7.0.6 and 7.5a5 and while I saw the same error in the browser console I kept a working NoScript and the security slider was not messed up as comment:16 reports (and other users, too, on IRC). Thus, we have at least one additional bug that is causing this or could that somehow be a result of Tor Browser breaking the entity resolution? If so, how can I reproduce this?
>
> It is a new "feature" of a new "restartless update". Available since 5.1.0.

That could be it and would explain why I can't reproduce it by testing with clean 7.0.6 and 7.5a5 bundles.

> > Oh, and I guess we should create a new bug for that and not clutter that one as the Protonmail issue should be resolved with 5.1.1.
>
> Yeah, we have much more severe issues now.

I created #23723 and #23724. Please move follow-up discussions to the respective bugs. This one got fixed with 5.1.1 it seems.

comment:26 Changed 13 months ago by cypherpunks

We'd really like to know what work has higher priority than this one, why don't you answer?

> Please move follow-up discussions to the respective bugs.

No problem. comment:12 was an immediate feedback to ma1, when he had ruined my installations instead of testing his update.

comment:27 Changed 13 months ago by Dbryrtfbcbhgf

Resolution: fixed
Status: changed from closed to reopened

On the Medium and High security settings, I keep getting the error below when I enter a wrong username and password. And it takes more than a minute to say that my password is incorrect. Protonmail never took this long when the security setting was above the low setting in past versions.

"A webpage is slowing down your browser what would you like to do?"
Update.
Entering the correct username and password still causes the website to take more than a minute to log me in.

comment:28 in reply to:  26 Changed 13 months ago by cypherpunks

Resolution: fixed
Status: changed from reopened to closed

Replying to cypherpunks:

> We'd really like to know what work has higher priority than this one, why don't you answer?

Please stop being off-topic.

Replying to Dbryrtfbcbhgf:

> The security setting was above the low setting in past versions.
>
> "A webpage is slowing down your browser what would you like to do?"

This is because of JIT being disabled in Medium-High. You didn't see it in previous versions because of a bug that didn't cause JIT to be disabled.
