Opened 14 months ago

Last modified 13 months ago

#27651 needs_information defect

Behaviour of NoScript varies in "privileged" sites

Reported by: cypherpunks3
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It looks like you patched the "privileged" Mozilla sites in #25836 and #26114. However, NoScript 10 has a hardcoded internal list of domains which it considers "privileged". Try grepping for isRestricted.

Do you ship a custom NoScript in TB 8?

Change History (3)

comment:1 Changed 14 months ago by gk

Status: new → needs_information

No, we don't ship a custom NoScript. In which way does NoScript's behavior vary for restricted (not privileged) domains? What is the bug here?

comment:2 (in reply to: 1) Changed 13 months ago by cypherpunks3

Replying to gk:

> No, we don't ship a custom NoScript. In which way does NoScript's behavior vary for restricted (not privileged) domains? What is the bug here?

Currently there seem to be 2 places where this affects NS behaviour. The most interesting is in popup.js:

      await include("/lib/restricted.js");
      let isRestricted = isRestrictedURL(tab.url);
      if (!isHttp || isRestricted) {
        showMessage("warning", _("privilegedPage"));
        let tempTrust = document.getElementById("temp-trust-page");
        tempTrust.disabled = true;
        return;
      }

> restricted (not privileged) domains

Huh? Perhaps you meant "not privileged from the point of view of TB", but surely you can see the point here: even if TB doesn't consider them privileged, NS is still behaving as if running on Firefox, and doesn't ask the browser; it simply looks them up in a list of hardcoded domains. So maybe now the variance is not very troubling, but what about tomorrow?

Also, calling the domain "restricted" instead of privileged is exactly backwards: it is not the site that is restricted, but NoScript!

comment:3 (in reply to: 2) Changed 13 months ago by gk

Replying to cypherpunks3:

> Replying to gk:
>
> > No, we don't ship a custom NoScript. In which way does NoScript's behavior vary for restricted (not privileged) domains? What is the bug here?
>
> Currently there seem to be 2 places where this affects NS behaviour. The most interesting is in popup.js:
>
>       await include("/lib/restricted.js");
>       let isRestricted = isRestrictedURL(tab.url);
>       if (!isHttp || isRestricted) {
>         showMessage("warning", _("privilegedPage"));
>         let tempTrust = document.getElementById("temp-trust-page");
>         tempTrust.disabled = true;
>         return;
>       }

Yes, but what is the bug here?