Opened 18 months ago

Last modified 13 months ago

#26019 needs_information defect

Allow javascript.options.ion, javascript.options.baselinejit, and javascript.options.native_regexp at the highest security level

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

At the highest security level JavaScript for webpages is disabled, so these features cannot be used for fingerprintina and expluatation. But a large part of the browser is written in JS itself and disabling this features slows the web browser down. I suggest to enable them for the highest security mode as a temporary solution and use 2 different settings or store there numbers as bit flags to control these features for frowser GUI and webpages separately, if it is possible.

Child Tickets

Change History (4)

comment:1 Changed 18 months ago by gk

Status: newneeds_information

Differentiating between content and privileged browser with respect to JIT preferences is not possible anymore (see: https://bugzilla.mozilla.org/show_bug.cgi?id=939562 where the content related prefs got removed).

I think we won't allow JIT as you suggested it in this ticket either because the risk is that users by simply allowing scripts on certain domains are having the JIT related things enabled, too, which is not intended and surprising behavior. Additionally, this would leave the "Safer" setting in a weird situation as JIT is disabled there, too, while JavaScript is being allowed.

That said: In which way is the web browser slowed down? (Note: not every JS-code can be JITed) Could you give some performance numbers from tests you make?

Last edited 13 months ago by gk (previous) (diff)

comment:2 Changed 17 months ago by cypherpunks

It would also make NoScript bypasses more dangerous.

comment:3 Changed 13 months ago by cypherpunks_reply

On my machine (quad core, 3 Ghz), the lack of Javascript optimizations increases extension initialization time greatly. Normally this blocks the browser window from appearing during startup, but you can easily see it happening by disabling and enabling an extension in about:addons.

With the security slider set to standard, uBlock Origin with most of the default filters enabled initializes after about 5 seconds of one cpu core pegged at 100%.

With the security slider set to safer, it takes 25 seconds. During this time the browser UI is unresponsive.

comment:4 in reply to:  3 Changed 13 months ago by gk

Replying to cypherpunks_reply:

On my machine (quad core, 3 Ghz), the lack of Javascript optimizations increases extension initialization time greatly. Normally this blocks the browser window from appearing during startup, but you can easily see it happening by disabling and enabling an extension in about:addons.

With the security slider set to standard, uBlock Origin with most of the default filters enabled initializes after about 5 seconds of one cpu core pegged at 100%.

With the security slider set to safer, it takes 25 seconds. During this time the browser UI is unresponsive.

That's actually #23719.

Note: See TracTickets for help on using tickets.