Opened 2 years ago

Closed 21 months ago

#26624 closed defect (fixed)

NoScript blocks <OBJECT> on Standard-Safer security setting in 8.0a9 contrary to behavior in 8.0a8

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-security-slider, noscript, tbb-8.0-issues, tbb-regression, tbb-8.0.1-can, GeorgKoppen201809, TorBrowserTeam201809R
Cc: arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Child Tickets

Change History (9)

comment:1 Changed 2 years ago by cypherpunks

Keywords: ff60-esr added

comment:2 Changed 2 years ago by gk

Keywords: tbb-security-slider added

comment:3 Changed 22 months ago by traumschule

Keywords: noscript added

comment:4 Changed 21 months ago by gk

Keywords: tbb-8.0-issues tbb-regression added; ff60-esr removed

comment:5 Changed 21 months ago by gk

Keywords: tbb-8.0.1-can added

Marking for 8.0.1 can.

comment:6 Changed 21 months ago by gk

Keywords: GeorgKoppen201809 added is a report for this issue (bing translations are broken)

comment:7 Changed 21 months ago by gk

Cc: arthuredelstein added
Keywords: TorBrowserTeam201809R added
Status: newneeds_review

See bug_26624 ( in my public Torbutton repo for a fix for review.

I think it is okay to allow OBJECT for http:// on the safer level as well as there is a special permission fetch which is used for object_subrequest and which is not enabled for http:// on the safer level. Thus, it should prevent loading scripts from http:// sources behind OBJECT elements.

comment:8 Changed 21 months ago by arthuredelstein

Status: needs_reviewmerge_ready

Looks good to me.

comment:9 Changed 21 months ago by gk

Resolution: fixed
Status: merge_readyclosed

Thanks. Cherry-picked to master (commit b9626557ddf9a3faf5fb88f99f479145d7789a7f).

Note: See TracTickets for help on using tickets.