Opened 3 weeks ago

Last modified 2 days ago

#26520 needs_review defect

NoScript is broken with TOR_SKIP_LAUNCH=1 in ESR 60-based Tor Browser

Reported by: gk Owned by: tbb-team
Priority: Very High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff60-esr, TorBrowserTeam201807R
Cc: arthuredelstein, mcs, brade, rustybird@…, intrigeri Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

rustybird reported that NoScript is broken when setting TOR_SKIP_LAUNCH=1 (see comment:13:ticket:26128):
"""
This seems to break on a fresh 8.0a9-build3 linux64 installation whenever TOR_SKIP_LAUNCH=1 is set (with system tor
running on the usual ports). JavaScript is effectively disabled and the browser console says:

[06-25 18:36:50] Torbutton NOTE: security-prefs.js initialization complete
Error: Could not establish connection. Receiving end does not exist. ExtensionCommon.jsm:456:12

Some sort of extension startup race?
"""

Child Tickets

Change History (8)

comment:1 Changed 3 weeks ago by rustybird

Just to clarify: NoScript itself doesn't appear to be broken - only the communication between Torbutton and NoScript.

Last edited 3 weeks ago by rustybird (previous) (diff)

comment:2 Changed 3 weeks ago by arthuredelstein

Thanks, rustybird! I can reproduce this. The cause of the reported error is that NoScript starts (or at least starts listening for messages) later than torbutton tries to send initial settings. Unfortunately I haven't figured out yet how to determine when NoScript is ready to receive messages.

Last edited 3 weeks ago by arthuredelstein (previous) (diff)

comment:3 Changed 3 weeks ago by intrigeri

Cc: intrigeri added

comment:4 Changed 2 weeks ago by gk

Keywords: TorBrowserTeam201807 added; TorBrowserTeam201806 removed

Moving first batch of tickets to July 2018

comment:5 Changed 3 days ago by arthuredelstein

Keywords: TorBrowserTeam201807R added; TorBrowserTeam201807 removed
Status: newneeds_review

comment:6 Changed 3 days ago by rustybird

Here's a patch for review:
https://github.com/arthuredelstein/torbutton/commit/26520

Now it seems to fire too late - on first site load (not including about:tor). If that first loaded site contains JavaScript, it will be disabled there. Tested on e.g. https://enable-javascript.com

I tried with a line log(5, "XXX sending"); added inside the sendNoScriptSettings function and noticed that both the first site load and moving the slider resulted in multiple messages to NoScript - not sure if that's a problem. (Slightly related, noscript-control.js has a guard against the initialized variable, but it's never set to true.)

log(e.message); -> log(5, e.message);

comment:7 in reply to:  6 Changed 2 days ago by arthuredelstein

Replying to rustybird:

Thanks for testing! Addressing your comments in rearranged order:

(Slightly related, noscript-control.js has a guard against the initialized variable, but it's never set to true.)

log(e.message); -> log(5, e.message);

Thanks for catching these two mistakes. Here's a revised patch that includes fixes for those:
https://github.com/arthuredelstein/torbutton/commit/26520+1

Now it seems to fire too late - on first site load (not including about:tor). If that first loaded site contains JavaScript, it will be disabled there. Tested on e.g. https://enable-javascript.com

I tried with a line log(5, "XXX sending"); added inside the sendNoScriptSettings function and noticed that both the first site load and moving the slider resulted in multiple messages to NoScript - not sure if that's a problem.

I wasn't able to reproduce these two issues. I even tried setting https://enable-javascript.com as the browser's homepage, but in every case the NoScript state seems to be set correctly. Do you still see these issues with the revised patch?

comment:8 Changed 2 days ago by rustybird

I wasn't able to reproduce these two issues.

The "multiple messages to NoScript" problem is gone with the revised patch. I still have the "first site load" problem on a freshly extracted and patched TB - sorry if it's tediously verbose:

  1. Run system tor on SocksPort 9150, ControlPort 9151
  2. Extract tor-browser-linux64-8.0a9_en-US.tar.xz to a new directory
  3. In the extensions directory, unzip -d torbutton@torproject.org/ torbutton@torproject.org.xpi and delete the .xpi
  4. In torbutton@torproject.org/, apply the revised patch with -p2
  5. Make a backup of the pristine patched tor-browser_en-US/ directory
  6. Run TOR_SKIP_LAUNCH=1 ./start-tor-browser.desktop
  7. Go to https://enable-javascript.com

It shows "JavaScript is disabled in your web browser" until I refresh the site, at which point it switches to "JavaScript is enabled". Same for other websites that depend on JavaScript, e.g. https://twitter.com/torproject (after restarting with a new copy of the backed up directory from step 5).

Note: See TracTickets for help on using tickets.