Opened 10 months ago

Closed 9 months ago

Last modified 9 months ago

#25000 closed defect (fixed)

TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascaded

Reported by: cypherpunks Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: TorBrowserTeam201802R, tbb-backported
Cc: legind Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Child Tickets

TicketStatusOwnerSummaryComponent
#25018closedtbb-teamBlock downloading of add-ons from mozilla or any websites.Applications/Tor Browser

Attachments (1)

d92cbd16af8252a935558646f43cd5fe.jpg (46.1 KB) - added by cypherpunks 10 months ago.
win7 test

Download all attachments as: .zip

Change History (34)

comment:1 Changed 10 months ago by cypherpunks

I've already asked for help at Tor, but they don't care so I am asking here.

Tor Browser is including NoScript, your addon, and it's breaking other add-on's functionality.

To reproduce:
1. Download latest Tor Browser from the Tor project(7.5).
2. Go to https://trac.torproject.org/projects/tor/ticket/24943 and download a ZIP file in description.
3. Extract the zip.
4. In Tor browser, open about:addon, Gear, Debug add-on.
5. "Load temporary add-on", select "local/manifest.json" to load this test add-on.
6. Try to save something. When you click Save, it clear everything.

The problem will go away if you disable NoScript in Tor Browser.
Can you do something about this? Other addons on AMO which use browser.storage.local is suffering by this.

comment:2 Changed 10 months ago by gk

Summary: TorBrowser's NoScript is breaking add-on systemTorBrowser's breaking add-ons using browser.storage.local

FWIW this does not seem to be a NoScript problem. I get the same behavior when I removed NoScript from the browser. Just used a vanilla Tor Browser to test that.

comment:3 Changed 10 months ago by gk

Priority: HighMedium

comment:4 Changed 10 months ago by cypherpunks

Hi gk, did you tried comment:1's test add-on?

When I tried it on my fresh VM, it didn't work.
After I disabled NoScript from about:addons, the test add-on worked correctly, saving my memo.

comment:5 Changed 10 months ago by cypherpunks

1 Fresh Windows 7 Virtual Machine
1 Tor Browser 7.5 downloaded from Tor project
1 Add-on zip from comment:1

I installed TB7.5 on Win7.
Then I opened TB and went to about:add-ons, debug add-on, and load "local/manifest.json".
Open about:add-ons and clicked the test add-on.
Typed "tor" to the textarea and clicked "Save" button ---> everything cleared instantly

Went to about:add-ons and clicked NoScript's Disable button.
Clicked the "Options" button of the test add-on.
Typed "tor" to the textarea and clicked "Save" button ---> Saved

gk, are you using Linux? This might be a difference.

comment:7 Changed 10 months ago by cypherpunks

@gk

#24783 is about browser.storage.'sync'.
The "browser.storage.local" should work on Firefox ESR 52 series including Tor Browser.

comment:8 Changed 10 months ago by gk

Yes, I tested on Linux. I resolved #24943 as a duplicate of this one.

Changed 10 months ago by cypherpunks

win7 test

comment:9 Changed 10 months ago by cypherpunks

https://trac.torproject.org/projects/tor/raw-attachment/ticket/25000/d92cbd16af8252a935558646f43cd5fe.jpg

Attached image result(tested on VM)
Also tested on friend's live PC with TBB 7.5. Same result.

comment:10 Changed 10 months ago by cypherpunks

Points: 100

comment:11 Changed 10 months ago by cypherpunks

Priority: MediumHigh
Summary: TorBrowser's breaking add-ons using browser.storage.localTorBrowser's NoScript is breaking add-on system

I have 1 nonofficial addon in my TBB and 7.5 killed it. Windows 10.
The add-on's settings are purged. I'm asking add-on's developer about this but it looks like this is the cause of the problem.

comment:12 Changed 10 months ago by cypherpunks

Status: newneeds_information

Need other test result from MacOS and Linux users.

comment:13 Changed 10 months ago by sundayworker

NoScript version 5.1.8.3 have a problem. I had to revert my browser...

comment:14 Changed 10 months ago by ma1

Is there any valid reason why [System+Principal] (which is the very first entry in NoScript 5's "stock" mandatory whitelist) is not included in the default Tor Browser whitelist?

Anyway, this absence is the culprit (and in facts, this problem happens only in the Tor Browser which deploys its "special" shortlisted mandatory whitelist).

The Tor Browser enforces permissions cascading, and in the Add-ons Options window the top frame is about:addons, whose principal's origin is [System+Principal]. Since this origin is omitted from Tor Browser's version of NoScript mandatory whitelist, the top site by default is considered forbidden, cascading down script blocking to the WebExtension's subframe.

Temporary work-around for users having this problem: manually add [System+Principal] to your whitelist.

comment:15 Changed 10 months ago by ma1

Summary: TorBrowser's NoScript is breaking add-on systemTorBrowser's modifications to NoScript's mandatory whitelist break some webextensions

comment:16 Changed 10 months ago by cypherpunks

I have 2 TBBs. Both are upgraded from old versions, time to time.
5.x -> 6.x -> 7.5

Both have 3 webext add-ons and these are working just fine.

When I downloaded fresh TBB, webext is not working at all.
I think this issue is happning on 7.0/7.5 new users.
Old users like me shouldn't have this issue.

And,

[System+Principal]

is NOT exist in my whitelist (Noscript options - Whitelist).
Both TBBs don't have it, but able to use webexts.

I wonder why.

Last edited 10 months ago by cypherpunks (previous) (diff)

comment:17 Changed 10 months ago by cypherpunks

Summary: TorBrowser's modifications to NoScript's mandatory whitelist break some webextensionsTorBrowser's NoScript is breaking add-on system

So, which title is correct?

comment:18 Changed 10 months ago by cypherpunks

ma1 is Giorgio Maone. Keep repeating "NOT my problem", kinda funny.

https://forums.informaction.com/viewtopic.php?f=7&t=24484&start=15#p95673

comment:19 Changed 10 months ago by ma1

Summary: TorBrowser's NoScript is breaking add-on systemTorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascaded

This title is the correct one, or the most informative at least, please keep it as it is.

Fix: while merging 5.1.8.4, add "[System+Principal]" to Tor Browser's customized noscript.mandatory preference.

@cypherpunks from comment 20 - everybody knows who "ma1" is here. On the other hand your current contributions to this bug are neither funny nor useful. Thanks in advance for refraining from further noise.

comment:20 Changed 10 months ago by cypherpunks

Summary: TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascadedNoScript is breaking TorBrowser OR TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascaded

Any comment to #16? Why I am able to use add-ons without adding [System+Principal] to whitelist?

noscript.mandatory default string ...(not changed by me)...

comment:21 Changed 10 months ago by cypherpunks

Its value is

about: about:tbupdate about:tor chrome: resource: blob: mediasource: moz-extension: moz-safe-about: about:neterror about:certerror about:feeds about:tabcrashed about:cache

comment:22 Changed 10 months ago by cypherpunks

Summary: NoScript is breaking TorBrowser OR TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascadedTorBrowser's NoScript is breaking add-on system OR TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascaded

Not sure. Just say 'OR'.

comment:23 in reply to:  14 Changed 10 months ago by gk

Keywords: TorBrowserTeam201801 added
Points: 100
Status: needs_informationnew

Replying to ma1:

Is there any valid reason why [System+Principal] (which is the very first entry in NoScript 5's "stock" mandatory whitelist) is not included in the default Tor Browser whitelist?

It's not included yet because I am wary just copying NoScript's whitelist. It might be larger than we need or actually want. But, yes, if adding [System+Principal] solves this issue then we should add that one, too.

comment:24 Changed 10 months ago by gk

Cc: legind added
Summary: TorBrowser's NoScript is breaking add-on system OR TorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascadedTorBrowser's modifications to NoScript's mandatory whitelist break some webextensions when permissions are cascaded

#23322 is a duplicate.

comment:25 Changed 10 months ago by gk

Resolved #25084 as duplicate.

comment:26 Changed 10 months ago by cypherpunks

So you guys just rip off [system] from original NoScript, or Noscript ma1 is lying?

comment:27 Changed 10 months ago by cypherpunks

Status: newneeds_information

ma1 could make an exception for about:addons. Allowing [System+Principal] is too wide and this could allow NSA to attack tbb.

comment:28 Changed 10 months ago by cypherpunks

Keywords: TorBrowserTeam201802 added; TorBrowserTeam201801 removed

comment:29 Changed 9 months ago by gk

Keywords: TorBrowserTeam201802R added; TorBrowserTeam201802 removed
Status: needs_informationneeds_review

bug_25000 (https://gitweb.torproject.org/user/gk/tor-browser-build.git/commit/?h=bug_25000&id=fefb117ad2769e792648c5c2d14292eb9d3475c5) in my public tor-browser-build repo has a fix for review. Note: you need the latest NoScript for testing this fix. NoScript 5.1.8.3 does not make it.

comment:30 Changed 9 months ago by mcs

Kathy and I confirmed that the proposed fix solves #23322.

Unfortunately, it does not fix #24943. In fact, that issue occurs in Tor Browser 8.x even if NoScript is completely disabled and even when all of our bundled add-ons are disabled. The problem does not occur in Firefox ESR 52.6.0. All of these things seem to point to a browser patch as the cause.

comment:31 in reply to:  30 Changed 9 months ago by gk

Resolution: fixed
Status: needs_reviewclosed

Replying to mcs:

Kathy and I confirmed that the proposed fix solves #23322.

Unfortunately, it does not fix #24943. In fact, that issue occurs in Tor Browser 8.x even if NoScript is completely disabled and even when all of our bundled add-ons are disabled. The problem does not occur in Firefox ESR 52.6.0. All of these things seem to point to a browser patch as the cause.

Thanks. I've reopened #24943 and merged the fix to tor-browser-build's master (commit 448a263c986e4b824c5b4b205268e97fed88eb0c).

comment:32 Changed 9 months ago by gk

Keywords: tbb-backport added

comment:33 Changed 9 months ago by gk

Keywords: tbb-backported added; tbb-backport removed

With commit 7d97e9c21177836dd731b0249e7b091e7e99d2a9 on maint-7.5 in tor-browser-build we'll include this bug fix in 7.5.1.

Last edited 9 months ago by gk (previous) (diff)
Note: See TracTickets for help on using tickets.