NoScript blocks <OBJECT> on Standard-Safer security setting in 8.0a9 contrary to behavior in 8.0a8

added GeorgKoppen201809 TorBrowserTeam201809R component::applications/tor browser noscript owner::tbb-team priority::medium resolution::fixed severity::normal status::closed tbb-8.0-issues tbb-8.0.1-can tbb-regression tbb-security-slider type::defect labels

Trac:
Keywords: N/A deleted, ff60-esr added

Trac:
Keywords: N/A deleted, tbb-security-slider added

Trac:
Keywords: N/A deleted, noscript added

Trac:
Keywords: ff60-esr deleted, tbb-regression, tbb-8.0-issues added

Marking for 8.0.1 can.

Trac:
Keywords: N/A deleted, tbb-8.0.1-can added

https://blog.torproject.org/comment/276736#comment-276736 is a report for this issue (bing translations are broken)

Trac:
Keywords: N/A deleted, GeorgKoppen201809 added

See bug_26624 (https://gitweb.torproject.org/user/gk/torbutton.git/commit/?h=bug_26624&id=8418acef23573dcd63a4bc2e04fac22bda7a25ba) in my public Torbutton repo for a fix for review.

I think it is okay to allow OBJECT for http:// on the safer level as well as there is a special permission fetch which is used for object_subrequest and which is not enabled for http:// on the safer level. Thus, it should prevent loading scripts from http:// sources behind OBJECT elements.

Trac:
Cc: N/A to arthuredelstein
Keywords: N/A deleted, TorBrowserTeam201809R added
Status: new to needs_review

Looks good to me.

Trac:
Status: needs_review to merge_ready

Thanks. Cherry-picked to master (commit b9626557ddf9a3faf5fb88f99f479145d7789a7f).

Trac:
Resolution: N/A to fixed
Status: merge_ready to closed

closed

moved to tpo/applications/tor-browser#26624 (closed)