Opened 9 months ago

Closed 9 months ago

#29044 closed defect (wontfix)

<NOSCRIPT> elements' rendering is slightly delayed

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: TorBrowserTeam201901, noscript
Cc: ma1 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

A user on our blog noted (https://blog.torproject.org/comment/279207#comment-279207) that they get a warning about JavaScript being enabled despite have the security slider set to "Safest".

See: http://dreadditevelidot.onion/post/5c1fcd0539a3a5484eb3 for an example page and some discussion on it.

I tried a bit but so far failed to provide a minimal testcase outside of the .onion space.

Child Tickets

Change History (6)

comment:1 Changed 9 months ago by gk

FWIW the popup is just shown a very short time before NoScript seems to "kick in". However, it might be enough to execute some JS. Even if not, the popup indicating JavaScript can run (because the <noscript> tag does not hide it) is quite confusing.

comment:2 in reply to:  1 Changed 9 months ago by watt

Summary: NoScript does not seem to disable JavaScript on the highest security slider level properlyNoScript does not seem to disable JavaScript on loading properly

Replying to gk:

FWIW the popup is just shown a very short time before NoScript seems to "kick in". However, it might be enough to execute some JS.

On any security slider level.

comment:3 Changed 9 months ago by cyperpunks

JS is not executed. This warning is visible without JS. After page load <style> in <noscript> tag hide it:

	<div class="container">
			<div class="jsWarning">
	<input type="radio" name="popout_btn" value="open" checked />
	<input type="radio" name="popout_btn" value="close" />
	
	<div class="popout-bg"></div>
	
	<div class="popout-box centered">		
		<div class="heading" style="color:red;">Warning!</div>
		<p>You have JavaScript enabled, you are putting yourself at risk!</p>
		<p>Please disable it immediately!</p>
	</div>
</div>

<noscript>
<style>.jsWarning { display: none !important; }</style>
</noscript>

comment:4 Changed 9 months ago by watt

cyperpunks? lol
Check for false-positives: javascript.enabled to false.

comment:5 Changed 9 months ago by noscriptbug

Disabling javascript within the config hides the message, so the noscript element isn't being acknowledged for a split second at least. This does not occur in versions prior to 8.0

comment:6 Changed 9 months ago by ma1

Priority: Very HighMedium
Resolution: wontfix
Status: newclosed
Summary: NoScript does not seem to disable JavaScript on loading properly<NOSCRIPT> elements' rendering is slightly delayed

That's expected, even if slightly annoying, and as noted no JavaScript runs anyway.

NoScript 5.x, by using the available XPCOM APIs, could override the browser's maximum priority stylesheet which enforces a

noscript {
  display: none !important;
}

rule, hiding and disabling all the <NOSCRIPT> elements pre-emptively in every docshell where JavaScript is enabled.
WebExtensions lack this overriding power, so now we must work-around with a hack: in order to render NOSCRIPT elements on pages where NoScript 10.x disables scripting (by using CSP, which doesn't trigger the brower's "JavaScript disabled" HTML parsing code path), we need to replace them with <SPAN> elements unaffected by the browser's enforced styling after they're inserted in the DOM, therefore the delay.

Note: See TracTickets for help on using tickets.