Opened 4 months ago

Closed 3 months ago

Last modified 7 weeks ago

#27175 closed defect (fixed)

NoScript plugin does not save per-site permissions/settings when tor browser closes

Reported by: tor-user-1234 Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: noscript, tbb-regression, tbb-8.0-issues, TorBrowserTeam201809R, tbb-backport
Cc: tor8888, mfD1TuzasD32GvaI3mh6, One, Sock, Questor Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

When I re-open the TOR Browser, any of the previously saved NoScript plugin per-site permissions are gone and I have to set all per-site permissions again.

It seems that the NoScript plugin settings are not saved when the TOR Browser closes.
Those settings need to be saved if the user does NOT choose "private browsing mode" nor "clear history" in the TOR Browser settings.

Child Tickets

Change History (16)

comment:1 Changed 4 months ago by tor-user-1234

This issue has been discovered on TOR Browser version 8.0a9 alpha channel.

comment:2 Changed 4 months ago by gk

Component: Core TorApplications/Tor Browser
Owner: set to tbb-team
Status: newneeds_information

Does that work with NoScript in an unmodified Firefox 60 ESR (see: https://www.mozilla.org/en-US/firefox/organizations/all/ for some binaries to test)? Could you give us steps to reproduce as it seems you need to modify some Tor Browser settings to hit this bug? And I assume saving per-site permissions works in Tor Browser 7.5.6?

comment:3 Changed 3 months ago by gk

Cc: tor8888 added
Keywords: tbb-regression tbb-8.0-issues added
Summary: NoScript plugin does not save per-site permissions when tor browser closesNoScript plugin does not save per-site permissions/settings when tor browser closes

From #27469:

After unchecking the "script" box under DEFAULT in NoScript's General options, closing Tor Browser and then restarting it, the "script" box is checked, as it was when Tor Browser (version 8.0) was first started. In general, it appears options are not save across sessions.

And this seems to work in vanilla Firefox.

comment:4 Changed 3 months ago by gk

Cc: mfD1TuzasD32GvaI3mh6 added
Status: needs_informationnew

#27504 is a duplicate.

comment:5 Changed 3 months ago by gk

Priority: MediumHigh

comment:6 in reply to:  description Changed 3 months ago by reportUrl

Replying to tor-user-1234:

When I re-open the TOR Browser, any of the previously saved NoScript plugin per-site permissions are gone and I have to set all per-site permissions again.

Actually, it's good as New Identity doesn't clear them now :(

comment:7 Changed 3 months ago by arthuredelstein

It is possible to implement a modified security slider mechanism that would allow NoScript to retain per-site settings. But the question is whether it is actually desirable to do this, as saving per-site settings would (1) violate disk hygiene and (2) serve as a long-term fingerprinting vulnerability (at least, as long as NoScript is not first-party isolated).

comment:8 in reply to:  7 ; Changed 3 months ago by gk

Replying to arthuredelstein:

It is possible to implement a modified security slider mechanism that would allow NoScript to retain per-site settings. But the question is whether it is actually desirable to do this, as saving per-site settings would (1) violate disk hygiene and (2) serve as a long-term fingerprinting vulnerability (at least, as long as NoScript is not first-party isolated).

So, you are arguing that this is a feature of Tor Browser 8 and we should keep the status quo?

comment:9 Changed 3 months ago by donnm

I think it should be possible to save NoScript preferences across sessions. After upgrading from 7.x where this seemed to be the case it is irritating to have to disable scripts each time on sites where you do not want scripts running. I understand that this can be used for fingerprinting, so perhaps the slider idea is the best, and the option is opt-in.

Is there a temporary workaround? Other addons I have installed (yes I am aware of the risks) keep settings across sessions.

comment:10 in reply to:  8 Changed 3 months ago by arthuredelstein

Replying to gk:

Replying to arthuredelstein:

It is possible to implement a modified security slider mechanism that would allow NoScript to retain per-site settings. But the question is whether it is actually desirable to do this, as saving per-site settings would (1) violate disk hygiene and (2) serve as a long-term fingerprinting vulnerability (at least, as long as NoScript is not first-party isolated).

So, you are arguing that this is a feature of Tor Browser 8 and we should keep the status quo?

Well, feature is too strong a word because it happened more or less incidentally as a result of NoScript's new architecture. :) And given the current UI of NoScript, it's very confusing to users because it looks as though per-site settings in NoScript should persist.

But, yes, I am very hesitant to give users the means to persist their per-site settings, especially when the per-site settings are not first-party isolated. If a user decides to whitelist Google, then every website that embeds a Google ad can detect this. I am even worried about an opt-in solution because users often don't properly understand the downsides.

At the same time, I also sympathize with donnm's comment:9 that it is inconvenient to have to redo per-site settings each time Tor Browser is restarted.

comment:11 Changed 3 months ago by cypherpunks_reply

Only some comments:

Replying to arthuredelstein:

But, yes, I am very hesitant to give users the means to persist their per-site settings, especially when the per-site settings are not first-party isolated.

ABE in NoScript 5 was able to implement first-party-keyed policy.

If a user decides to whitelist Google, then every website that embeds a Google ad can detect this. I am even worried about an opt-in solution because users often don't properly understand the downsides.

It also had this "Block scripting in whitelisted subdocuments of non-whitelisted pages" setting, which is not first-party isolation/keying but related (and I think similar to the kind of problem decomposition used by uMatrix). I wonder how it's handled now.

At the same time, I also sympathize with donnm's comment:9 that it is inconvenient to have to redo per-site settings each time Tor Browser is restarted.

I use the highest level in torbutton slider and I don't care about persisting the per-site policy, I always keep the whitelist empty and only very seldom use temporary permissions which are revoked once done with the page Certainly "new identity" must also at least clear all temporary permissions. However, there were at least in NoScript 5 many other configuration knobs that applied globally and which I used to tighten with respect to vanilla TOr Browser (yes, I know that changed my profile). Maybe there should be a way to persist at least that kind of settings.

comment:12 Changed 3 months ago by arthuredelstein

Keywords: TorBrowserTeam201809R added
Status: newneeds_review

Below is a patch for review. It introduces a pref, "extensions.torbutton.noscript_persist" that is disabled by default. When enabled, it allows per-site settings to be persisted in NoScript. Note that, even with the pref enabled, if the user changes the security slider setting, all custom per-site settings are lost.

However, enabling this pref is dangerous in my opinion and should only be used with caution.

https://github.com/arthuredelstein/torbutton/commit/27175

comment:13 Changed 3 months ago by gk

Keywords: tbb-backport added
Resolution: fixed
Status: needs_reviewclosed

Okay, this works for me and the code looks good to me as well. I had to resolve some conflicts due to #27760 landing earlier but that should be fine.

Commit 461b828c70bb85501db99fdf077af71b69ef7e0a on master has the fix.

comment:14 Changed 3 months ago by boklm

#27823 is a duplicate.

comment:15 Changed 2 months ago by gk

Cc: One Sock added

comment:16 Changed 7 weeks ago by gk

Cc: Questor added

Resolved #28171 as a duplicate.

Note: See TracTickets for help on using tickets.