Opened 10 months ago

Closed 10 months ago

Last modified 10 months ago

#27307 closed defect (wontfix)

NoScript marks HTTP Onion as insecure

Reported by: cypherpunks3 Owned by: tbb-team
Priority: Low Milestone:
Component: Applications/Tor Browser Version:
Severity: Minor Keywords: noscript
Cc: gk, pospeselr, ma1 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

  1. Open Tor Browser 8.0a9 or higher.
  1. Go to some HTTP Onion like http://yjuwkcxlgo7f7o6s.onion/ (archive.tp, see onion.tp)
  1. Click on the NoScript icon, the popup will show you yjuwkcxlgo7f7o6s.onion in red (contrary to some HTTPS Onion like https://3g2upl4pq6kufc4m.onion/ (DDG Onion))

(Not sure if there's something needed on the browser side so that's why I'm setting the component as TB though this is probably entirely a NoScript issue)

Child Tickets

Change History (5)

comment:1 Changed 10 months ago by cypherpunks3

PS: Just to be clear, I'm not calling for JS to be enabled for HTTP onions on Safer security setting in this ticket, only that ALL onions should be marked as secure in the NoScript UI.

comment:2 in reply to:  1 ; Changed 10 months ago by gk

Resolution: wontfix
Status: newclosed

Replying to cypherpunks3:

PS: Just to be clear, I'm not calling for JS to be enabled for HTTP onions on Safer security setting in this ticket, only that ALL onions should be marked as secure in the NoScript UI.

That's a good thing to bring up with the NoScript dev but it is nothing we'll fix in Tor Browser ourselves.

comment:3 Changed 10 months ago by traumschule

Keywords: noscript added

comment:4 in reply to:  2 ; Changed 10 months ago by ma1

Replying to gk:

Replying to cypherpunks3:

PS: Just to be clear, I'm not calling for JS to be enabled for HTTP onions on Safer security setting in this ticket, only that ALL onions should be marked as secure in the NoScript UI.

That's a good thing to bring up with the NoScript dev but it is nothing we'll fix in Tor Browser ourselves.

I think it might be a good idea, but only if I've got a sure-fire way to tell NoScript is running inside the Tor browser.

> console.log(await browser.runtime.getBrowserInfo())

Object { name: "Firefox", vendor: "Mozilla", version: "60.1.0", buildID: "20180204020101" }

Maybe you could send an "isTorBrowser: true" additional property within your updateSettings messages.

Any better suggestion?

comment:5 in reply to:  4 Changed 10 months ago by gk

Replying to ma1:

Replying to gk:

Replying to cypherpunks3:

PS: Just to be clear, I'm not calling for JS to be enabled for HTTP onions on Safer security setting in this ticket, only that ALL onions should be marked as secure in the NoScript UI.

That's a good thing to bring up with the NoScript dev but it is nothing we'll fix in Tor Browser ourselves.

I think it might be a good idea, but only if I've got a sure-fire way to tell NoScript is running inside the Tor browser.

> console.log(await browser.runtime.getBrowserInfo())

Object { name: "Firefox", vendor: "Mozilla", version: "60.1.0", buildID: "20180204020101" }

Maybe you could send an "isTorBrowser: true" additional property within your updateSettings messages.

Any better suggestion?

Not sure yet, but I filed #27313 to help with that.

Note: See TracTickets for help on using tickets.