TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascaded

https://forums.informaction.com/viewtopic.php?f=7&t=24484&sid=HELLO

Just try it. Tested by myself.

added TorBrowserTeam201802R component::applications/tor browser owner::tbb-team priority::high resolution::fixed severity::normal status::closed tbb-backported type::defect labels

I've already asked for help at Tor, but they don't care so I am asking here.

Tor Browser is including NoScript, your addon, and it's breaking other add-on's functionality.

To reproduce:
1. Download latest Tor Browser from the Tor project(7.5).
2. Go to https://trac.torproject.org/projects/tor/ticket/24943 and download a ZIP file in description.
3. Extract the zip.
4. In Tor browser, open about:addon, Gear, Debug add-on.
5. "Load temporary add-on", select "local/manifest.json" to load this test add-on.
6. Try to save something. When you click Save, it clear everything.

The problem will go away if you disable NoScript in Tor Browser.
Can you do something about this? Other addons on AMO which use browser.storage.local is suffering by this.

FWIW this does not seem to be a NoScript problem. I get the same behavior when I removed NoScript from the browser. Just used a vanilla Tor Browser to test that.

Trac:
Summary: TorBrowser's NoScript is breaking add-on system to TorBrowser's breaking add-ons using browser.storage.local

Trac:
Priority: High to Medium

Hi gk, did you tried comment:1's test add-on?

When I tried it on my fresh VM, it didn't work. After I disabled NoScript from about:addons, the test add-on worked correctly, saving my memo.

1 Fresh Windows 7 Virtual Machine 1 Tor Browser 7.5 downloaded from Tor project 1 Add-on zip from comment:1

I installed TB7.5 on Win7. Then I opened TB and went to about:add-ons, debug add-on, and load "local/manifest.json". Open about:add-ons and clicked the test add-on. Typed "tor" to the textarea and clicked "Save" button ---> everything cleared instantly

Went to about:add-ons and clicked NoScript's Disable button. Clicked the "Options" button of the test add-on. Typed "tor" to the textarea and clicked "Save" button ---> Saved

gk, are you using Linux? This might be a difference.

Related to: https://github.com/nym-zone/block_cloudflare_mitm_fx/issues/14#issuecomment-357488295

@gk

#24783 (moved) is about browser.storage.'sync'. The "browser.storage.local" should work on Firefox ESR 52 series including Tor Browser.

Yes, I tested on Linux. I resolved #24943 (moved) as a duplicate of this one.

Trac:

win7 test

Attached image result(tested on VM) Also tested on friend's live PC with TBB 7.5. Same result.

Trac:
Points: N/A to 100

I have 1 nonofficial addon in my TBB and 7.5 killed it. Windows 10. The add-on's settings are purged. I'm asking add-on's developer about this but it looks like this is the cause of the problem.

Trac:
Priority: Medium to High
Summary: TorBrowser's breaking add-ons using browser.storage.local to TorBrowser's NoScript is breaking add-on system

Need other test result from MacOS and Linux users.

Trac:
Status: new to needs_information

NoScript version 5.1.8.3 have a problem. I had to revert my browser...

Trac:
Username: sundayworker

Is there any valid reason why [System+Principal] (which is the very first entry in NoScript 5's "stock" mandatory whitelist) is not included in the default Tor Browser whitelist?

Anyway, this absence is the culprit (and in facts, this problem happens only in the Tor Browser which deploys its "special" shortlisted mandatory whitelist).

The Tor Browser enforces permissions cascading, and in the Add-ons Options window the top frame is about:addons, whose principal's origin is [System+Principal]. Since this origin is omitted from Tor Browser's version of NoScript mandatory whitelist, the top site by default is considered forbidden, cascading down script blocking to the WebExtension's subframe.

Temporary work-around for users having this problem: manually add [System+Principal] to your whitelist.

Trac:
Summary: TorBrowser's NoScript is breaking add-on system to TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions

I have 2 TBBs. Both are upgraded from old versions, time to time. 5.x -> 6.x -> 7.5

Both have 3 webext add-ons and these are working just fine.

When I downloaded fresh TBB, webext is not working at all. I think this issue is happning on 7.0/7.5 new users. Old users like me shouldn't have this issue.

And,

[System+Principal]

is NOT exist in my whitelist (Noscript options - Whitelist). Both TBBs don't have it, but able to use webexts.

I wonder why.

So, which title is correct?

Trac:
Summary: TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions to TorBrowser's NoScript is breaking add-on system

ma1 is Giorgio Maone. Keep repeating "NOT my problem", kinda funny.

https://forums.informaction.com/viewtopic.php?f=7&t=24484&start=15#p95673

This title is the correct one, or the most informative at least, please keep it as it is.

Fix: while merging 5.1.8.4, add "[System+Principal]" to Tor Browser's customized noscript.mandatory preference.

@cypherpunks from comment 20 - everybody knows who "ma1" is here. On the other hand your current contributions to this bug are neither funny nor useful. Thanks in advance for refraining from further noise.

Trac:
Summary: TorBrowser's NoScript is breaking add-on system to TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascaded

Any comment to #16 (closed)? Why I am able to use add-ons without adding [System+Principal] to whitelist?

noscript.mandatory default string ...(not changed by me)...

Trac:
Summary: TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascaded to NoScript is breaking TorBrowser OR TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascaded

Its value is

about: about:tbupdate about:tor chrome: resource: blob: mediasource: moz-extension: moz-safe-about: about:neterror about:certerror about:feeds about:tabcrashed about:cache

Not sure. Just say 'OR'.

Trac:
Summary: NoScript is breaking TorBrowser OR TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascaded to TorBrowser's NoScript is breaking add-on system OR TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascaded

Replying to ma1:

Is there any valid reason why [System+Principal] (which is the very first entry in NoScript 5's "stock" mandatory whitelist) is not included in the default Tor Browser whitelist?

It's not included yet because I am wary just copying NoScript's whitelist. It might be larger than we need or actually want. But, yes, if adding [System+Principal] solves this issue then we should add that one, too.

Trac:
Keywords: N/A deleted, TorBrowserTeam201801 added
Points: 100 to N/A
Status: needs_information to new

#23322 (moved) is a duplicate.

Trac:
Cc: N/A to legind
Summary: TorBrowser's NoScript is breaking add-on system OR TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascaded to TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascaded

Resolved #25084 (moved) as duplicate.

So you guys just rip off [system] from original NoScript, or Noscript ma1 is lying?

ma1 could make an exception for about:addons. Allowing [System+Principal] is too wide and this could allow NSA to attack tbb.

Trac:
Status: new to needs_information

Trac:
Keywords: TorBrowserTeam201801 deleted, TorBrowserTeam201802 added

bug_25000 (https://gitweb.torproject.org/user/gk/tor-browser-build.git/commit/?h=bug_25000&id=fefb117ad2769e792648c5c2d14292eb9d3475c5) in my public tor-browser-build repo has a fix for review. Note: you need the latest NoScript for testing this fix. NoScript 5.1.8.3 does not make it.

Trac:
Keywords: TorBrowserTeam201802 deleted, TorBrowserTeam201802R added
Status: needs_information to needs_review

Kathy and I confirmed that the proposed fix solves #23322 (moved).

Unfortunately, it does not fix #24943 (moved). In fact, that issue occurs in Tor Browser 8.x even if NoScript is completely disabled and even when all of our bundled add-ons are disabled. The problem does not occur in Firefox ESR 52.6.0. All of these things seem to point to a browser patch as the cause.

Replying to mcs:

Kathy and I confirmed that the proposed fix solves #23322 (moved).

Unfortunately, it does not fix #24943 (moved). In fact, that issue occurs in Tor Browser 8.x even if NoScript is completely disabled and even when all of our bundled add-ons are disabled. The problem does not occur in Firefox ESR 52.6.0. All of these things seem to point to a browser patch as the cause.

Thanks. I've reopened #24943 (moved) and merged the fix to tor-browser-build's master (commit 448a263c986e4b824c5b4b205268e97fed88eb0c).

Trac:
Status: needs_review to closed
Resolution: N/A to fixed

Trac:
Keywords: N/A deleted, tbb-backport added

With commit 7d97e9c21177836dd731b0249e7b091e7e99d2a9 on maint-7.5 in tor-browser-build we'll include this bug fix in 7.5.1.

Trac:
Keywords: tbb-backport deleted, tbb-backported added

closed

mentioned in issue #25084 (moved)

moved to tpo/applications/tor-browser#25000 (closed)