Help NoScript marking HTTP .onions as secure

#27307 (moved) is a report that NoScript shows HTTP .onions in red (compared to HTTPS ones in green). Giorgio would be happy to change that. We should think about a good way signaling NoScript that it is running in Tor Browser as it could then treat .onion domains differently.

Giorgio's suggestion was:

>
> > console.log(await browser.runtime.getBrowserInfo())
> 
> Object { name: "Firefox", vendor: "Mozilla", version: "60.1.0", buildID: "20180204020101" }
>
> 
> Maybe you could send an "isTorBrowser: true" additional property within your updateSettings messages.

There might be other ones we could consider

added component::applications/tor browser noscript owner::tbb-team parent::21728 priority::medium resolution::duplicate severity::normal sponsor::27 status::closed type::enhancement labels

Trac:
Cc: ma1 to ma1, micahlee, pospeselr

Trac:
Sponsor: N/A to Sponsor27

Trac:
Parent: N/A to #21728 (moved)

ma1: Any stoppers to make progress on that ticket on your side? It seems we have everything in place on our side to let you treat Tor Browser users differently and treat .onion over http as secure.

Trac:
Keywords: N/A deleted, noscript added

Replying to gk:

ma1: Any stoppers to make progress on that ticket on your side? It seems we have everything in place on our side to let you treat Tor Browser users differently and treat .onion over http as secure.

None, indeed it should be fixed in NoScript 11.0.4rc11 :)

Blech, commented on the wrong ticket:

Thanks, that's better. There is still the scary http: in red which should not be relevant for .onions either. Additionally, the expectation here is that onions over http:// on medium level security can actually run JavaScript etc. because http:// is secure for .onion domains They should get treated as loaded over https://. Could you address those two items for Tor Browser users? (I am fine opening a new bug for the latter if you like)

A general note, while testing rc11:

1. After installing it in the browser I needed to click twice on the NoScript icon until the page related info showed up. On first click only a small empty menu was visible.
2. After restarting the browser it takes like 5-10 second until the NoScript icon gets clickable at all and CPU of my laptop gets eaten meanwhile. There is something computationally heavy going on in the background here...

Replying to gk:

Thanks, that's better. There is still the scary http: in red which should not be relevant for .onions either.

If you mean the lonesome "http:" entry which is displayed on any http://acme.com page at your "Safer" security level, don't you think I should just hide it for any website (in the popup at least, if not NoScript's Options page)? After all, rather than downgrading the whole security level from the popup menu by setting "http:" to DEFAULT or TRUSTED, we want user to interact with the security slider, don't we?

Additionally, the expectation here is that onions over http:// on medium level security can actually run JavaScript etc. because http:// is secure for .onion domains They should get treated as loaded over https://. Could you address those two items for Tor Browser users? (I am fine opening a new bug for the latter if you like)

Yes, please. On ticket #27307 (moved) someone stated that was not the goal.

1. After installing it in the browser I needed to click twice on the NoScript icon until the page related info showed up. On first click only a small empty menu was visible.
2. After restarting the browser it takes like 5-10 second until the NoScript icon gets clickable at all and CPU of my laptop gets eaten meanwhile. There is something computationally heavy going on in the background here...

The two are likely related. Did you have many tabs opened when installing?

Replying to ma1:

Replying to gk:

Thanks, that's better. There is still the scary http: in red which should not be relevant for .onions either.

If you mean the lonesome "http:" entry which is displayed on any http://acme.com page at your "Safer" security level, don't you think I should just hide it for any website (in the popup at least, if not NoScript's Options page)? After all, rather than downgrading the whole security level from the popup menu by setting "http:" to DEFAULT or TRUSTED, we want user to interact with the security slider, don't we?

Yeah, I meant that and hiding that lonesome "http:" sounds good.

Additionally, the expectation here is that onions over http:// on medium level security can actually run JavaScript etc. because http:// is secure for .onion domains They should get treated as loaded over https://. Could you address those two items for Tor Browser users? (I am fine opening a new bug for the latter if you like)

Yes, please. On ticket #27307 (moved) someone stated that was not the goal.

Actually, we already have a ticket for that: #21004 (moved).

1. After installing it in the browser I needed to click twice on the NoScript icon until the page related info showed up. On first click only a small empty menu was visible.
2. After restarting the browser it takes like 5-10 second until the NoScript icon gets clickable at all and CPU of my laptop gets eaten meanwhile. There is something computationally heavy going on in the background here...

The two are likely related. Did you have many tabs opened when installing?

I did not. Let me retest and get back to you with steps to reproduce.

Replying to gk:

Replying to ma1:

1. After installing it in the browser I needed to click twice on the NoScript icon until the page related info showed up. On first click only a small empty menu was visible.
2. After restarting the browser it takes like 5-10 second until the NoScript icon gets clickable at all and CPU of my laptop gets eaten meanwhile. There is something computationally heavy going on in the background here...

The two are likely related. Did you have many tabs opened when installing?

I did not. Let me retest and get back to you with steps to reproduce.

Okay, it seems I can only repro 1) reliably. Here is what I did

1. Take a Tor Browser 9.0a7 (https://www.torproject.org/download/alpha/) (I took a de one).
2. Open this ticket
3. Open in a new tab the link to rc11
4. Install rc11 into Tor Browser
5. Add the NoScript button the toolbar
6. The bug as described is visible: the NoScript menu contents are shown only every other click on the icon (otherwise the menu is empty). A restart seems to fix that, though.

#27307 (moved) has a patch, so, let's use that one instead.

Trac:
Resolution: N/A to duplicate
Status: new to closed

closed

mentioned in issue #27610 (moved)

mentioned in issue #29021 (moved)

moved to tpo/applications/tor-browser#27313 (closed)