Opened 14 months ago

Last modified 12 days ago

#27313 new enhancement

Help NoScript marking HTTP .onions as secure

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: noscript
Cc: ma1, micahlee, pospeselr
Actual Points:
Parent ID: #21728
Points:
Reviewer:
Sponsor: Sponsor27

Description

#27307 is a report that NoScript shows HTTP .onions in red (compared to HTTPS ones in green). Giorgio would be happy to change that. We should think about a good way of signaling to NoScript that it is running in Tor Browser, as it could then treat .onion domains differently.

Giorgio's suggestion was:

> > console.log(await browser.runtime.getBrowserInfo())
> Object { name: "Firefox", vendor: "Mozilla", version: "60.1.0", buildID: "20180204020101" }
>
> Maybe you could send an "isTorBrowser: true" additional property within your updateSettings messages.

There might be other ones we could consider.
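The distinction this ticket asks for, as an added example (not NoScript or Tor Browser code): plain HTTP counts as secure only when the browser has signalled a Tor Browser context and the host's last label is exactly `onion`. `isSecureOrigin` and `isOnionHost` are hypothetical names, the `isTorBrowser` option mirrors the property suggested above, and all hostnames are constructed samples.

```javascript
// Added example: hypothetical helpers, not NoScript's implementation.

// True only when the final DNS label is exactly "onion" and at least one
// label precedes it. Anything else (including a trailing-dot form) fails closed.
function isOnionHost(hostname) {
  const labels = hostname.toLowerCase().split(".");
  if (labels.length < 2) return false;
  if (labels.some((label) => label.length === 0)) return false;
  return labels[labels.length - 1] === "onion";
}

// Decide whether a page URL should be shown as "secure" in the UI.
// isTorBrowser is assumed to come from the browser, never from page content.
function isSecureOrigin(rawUrl, { isTorBrowser = false } = {}) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is never secure
  }
  if (url.protocol === "https:") return true;
  if (url.protocol !== "http:") return false;
  // Compare the parsed hostname, not the raw string, so userinfo
  // ("name.onion@host") and query strings cannot smuggle in ".onion".
  return isTorBrowser && isOnionHost(url.hostname);
}

// Constructed sample URLs, classified as Tor Browser would see them.
function classifySamples() {
  const tor = { isTorBrowser: true };
  const samples = [
    "http://exampleservice.onion/",
    "http://www.EXAMPLEservice.onion/login",
    "http://exampleservice.onion.example.com/",
    "http://exampleservice.onion@example.com/",
    "http://example.com/?next=.onion",
    "https://example.com/",
  ];
  return samples.map((u) => [u, isSecureOrigin(u, tor)]);
}

for (const [u, ok] of classifySamples()) {
  console.log(ok ? "secure  " : "insecure", u);
}
```

Outside a Tor Browser context the same `http://….onion` URL stays insecure, because nothing guarantees the request is carried over an onion-service circuit.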

Child Tickets

| Ticket | Type | Status | Owner | Summary |
|---|---|---|---|---|
| #29021 | task | closed | tbb-team | Provide a means to inform NoScript about being run in a Tor Browser context |

Change History (9)

comment:1 Changed 8 months ago by gk

Cc: micahlee pospeselr added

comment:2 Changed 7 months ago by gk

Sponsor: Sponsor27

comment:3 Changed 7 months ago by gk

Parent ID: #21728

comment:4 Changed 12 days ago by gk

Keywords: noscript added

ma1: Any stoppers to make progress on that ticket on your side? It seems we have everything in place on our side to let you treat Tor Browser users differently and treat .onion over http as secure.

comment:5 in reply to:  4 Changed 12 days ago by ma1

Replying to gk:

> ma1: Any stoppers to make progress on that ticket on your side? It seems we have everything in place on our side to let you treat Tor Browser users differently and treat .onion over http as secure.

None, indeed it should be fixed in NoScript 11.0.4rc11 :)

Last edited 12 days ago by ma1

comment:6 Changed 12 days ago by gk

Blech, commented on the wrong ticket:

Thanks, that's better. There is still the scary http: in red which should not be relevant for .onions either. Additionally, the expectation here is that onions over http:// on medium level security can actually run JavaScript etc. because http:// is secure for .onion domains. They should get treated as loaded over https://. Could you address those two items for Tor Browser users? (I am fine opening a new bug for the latter if you like)

A general note, while testing rc11:

1) After installing it in the browser I needed to click twice on the NoScript icon until the page related info showed up. On first click only a small empty menu was visible.
2) After restarting the browser it takes like 5-10 seconds until the NoScript icon gets clickable at all and CPU of my laptop gets eaten meanwhile. There is something computationally heavy going on in the background here...

comment:7 in reply to:  6 ; Changed 12 days ago by ma1

Replying to gk:

> Thanks, that's better. There is still the scary http: in red which should not be relevant for .onions either.

If you mean the lonesome "http:" entry which is displayed on any http://acme.com page at your "Safer" security level, don't you think I should just hide it for any website (in the popup at least, if not NoScript's Options page)? After all, rather than downgrading the whole security level from the popup menu by setting "http:" to DEFAULT or TRUSTED, we want users to interact with the security slider, don't we?

> Additionally, the expectation here is that onions over http:// on medium level security can actually run JavaScript etc. because http:// is secure for .onion domains. They should get treated as loaded over https://. Could you address those two items for Tor Browser users? (I am fine opening a new bug for the latter if you like)

Yes, please. On ticket #27307 someone stated that was not the goal.

> 1) After installing it in the browser I needed to click twice on the NoScript icon until the page related info showed up. On first click only a small empty menu was visible.
> 2) After restarting the browser it takes like 5-10 seconds until the NoScript icon gets clickable at all and CPU of my laptop gets eaten meanwhile. There is something computationally heavy going on in the background here...

The two are likely related. Did you have many tabs opened when installing?

comment:8 in reply to:  7 ; Changed 12 days ago by gk

Replying to ma1:

> Replying to gk:
>
> > Thanks, that's better. There is still the scary http: in red which should not be relevant for .onions either.
>
> If you mean the lonesome "http:" entry which is displayed on any http://acme.com page at your "Safer" security level, don't you think I should just hide it for any website (in the popup at least, if not NoScript's Options page)? After all, rather than downgrading the whole security level from the popup menu by setting "http:" to DEFAULT or TRUSTED, we want users to interact with the security slider, don't we?

Yeah, I meant that and hiding that lonesome "http:" sounds good.

> > Additionally, the expectation here is that onions over http:// on medium level security can actually run JavaScript etc. because http:// is secure for .onion domains. They should get treated as loaded over https://. Could you address those two items for Tor Browser users? (I am fine opening a new bug for the latter if you like)
>
> Yes, please. On ticket #27307 someone stated that was not the goal.

Actually, we already have a ticket for that: #21004.

> > 1) After installing it in the browser I needed to click twice on the NoScript icon until the page related info showed up. On first click only a small empty menu was visible.
> > 2) After restarting the browser it takes like 5-10 seconds until the NoScript icon gets clickable at all and CPU of my laptop gets eaten meanwhile. There is something computationally heavy going on in the background here...
>
> The two are likely related. Did you have many tabs opened when installing?

I did not. Let me retest and get back to you with steps to reproduce.

comment:9 in reply to:  8 Changed 12 days ago by gk

Replying to gk:

> Replying to ma1:
>
> > > 1) After installing it in the browser I needed to click twice on the NoScript icon until the page related info showed up. On first click only a small empty menu was visible.
> > > 2) After restarting the browser it takes like 5-10 seconds until the NoScript icon gets clickable at all and CPU of my laptop gets eaten meanwhile. There is something computationally heavy going on in the background here...
> >
> > The two are likely related. Did you have many tabs opened when installing?
>
> I did not. Let me retest and get back to you with steps to reproduce.

Okay, it seems I can only repro 1) reliably. Here is what I did:
1) Take a Tor Browser 9.0a7 (https://www.torproject.org/download/alpha/) (I took a de one).
2) Open this ticket
3) Open in a new tab the link to rc11
4) Install rc11 into Tor Browser
5) Add the NoScript button to the toolbar
6) The bug as described is visible: the NoScript menu contents are shown only every other click on the icon (otherwise the menu is empty). A restart seems to fix that, though.
