Opened 21 months ago

Last modified 6 weeks ago

#27732 new defect

New Identity does not reset NoScript's Temporarily Trusted settings

Reported by: Yael
Owned by: tbb-team
Priority: High
Component: Applications/Tor Browser
Severity: Major
Keywords: tbb-newnym, tbb-8.0-issues, tbb-regression, tbb-8.0.1-can, noscript

Description

Steps to reproduce:

  1. Set any random website to Temporarily Trusted
  2. Hit New Identity
  3. Go back to the website later on; the temporary permission to execute JavaScript is still preserved.

This can be solved by closing and re-opening Tor Browser, however, from my understanding New Identity is supposed to handle that?

Change History (6)

comment:1 Changed 21 months ago by Yael

Platform in use is Linux.

comment:2 Changed 21 months ago by gk

Component: Applications → Applications/Tor Browser
Keywords: tbb-newnym tbb-8.0-issue tbb-regression tbb-8.0.1-can noscript added
Owner: set to tbb-team

In #9486 we started to use NoScript functionality to get rid of temporary permissions during New Identity. We need to adapt that mechanism to cope with the new NoScript reality.

(And we might want to clean up torbutton.js while we are at it: there is no need for code related to the XPCOM version of NoScript anymore)

comment:3 Changed 18 months ago by reportUrl

Keywords: tbb-8.0-issues added; tbb-8.0-issue removed
Priority: Medium → High
Severity: Normal → Major

comment:4 Changed 12 months ago by gk

#30738 is a duplicate.

comment:5 Changed 7 months ago by cypherpunks

Bug is still in tbb, now 9.0.

comment:6 Changed 6 weeks ago by cypherpunks

Bug still in Tor Browser 9.0.9.

I used New Identity and afterwards scripts were running when I did not want them to. I could reproduce it every time.

I would never have used New Identity instead of restarting the browser if I knew about this bug. This bug is almost 2 years old! If it will not get fixed, New Identity should be removed. New Identity is currently giving a false sense of security.

The fact that we can get bugs like this seriously calls into question New Identity's implementation. Manually trying to clear state data instead of just restarting Firefox. Is it just to save a few seconds?

https://2019.www.torproject.org/projects/torbrowser/design/#new-identity