<NOSCRIPT> elements' rendering is slightly delayed

A user on our blog noted (https://blog.torproject.org/comment/279207#comment-279207) that they get a warning about JavaScript being enabled despite have the security slider set to "Safest".

See: http://dreadditevelidot.onion/post/5c1fcd0539a3a5484eb3 for an example page and some discussion on it.

I tried a bit but so far failed to provide a minimal testcase outside of the .onion space.

added TorBrowserTeam201901 component::applications/tor browser noscript owner::tbb-team priority::medium resolution::wontfix severity::normal status::closed type::defect labels

FWIW the popup is just shown a very short time before NoScript seems to "kick in". However, it might be enough to execute some JS. Even if not, the popup indicating JavaScript can run (because the tag does not hide it) is quite confusing.

Replying to gk:

FWIW the popup is just shown a very short time before NoScript seems to "kick in". However, it might be enough to execute some JS. On any security slider level.

Trac:
Username: watt
Summary: NoScript does not seem to disable JavaScript on the highest security slider level properly to NoScript does not seem to disable JavaScript on loading properly

JS is not executed. This warning is visible without JS. After page load in <noscript> tag hide it:</p> <pre data-sourcepos="3:1-21:3"><code> &lt;div class=&quot;container&quot;&gt; &lt;div class=&quot;jsWarning&quot;&gt; &lt;input type=&quot;radio&quot; name=&quot;popout_btn&quot; value=&quot;open&quot; checked /&gt; &lt;input type=&quot;radio&quot; name=&quot;popout_btn&quot; value=&quot;close&quot; /&gt; &lt;div class=&quot;popout-bg&quot;&gt;&lt;/div&gt; &lt;div class=&quot;popout-box centered&quot;&gt; &lt;div class=&quot;heading&quot; style=&quot;color:red;&quot;&gt;Warning!&lt;/div&gt; &lt;p&gt;You have JavaScript enabled, you are putting yourself at risk!&lt;/p&gt; &lt;p&gt;Please disable it immediately!&lt;/p&gt; &lt;/div&gt; &lt;/div&gt; &lt;noscript&gt; &lt;style&gt;.jsWarning { display: none !important; }&lt;/style&gt; &lt;/noscript&gt; </code></pre> <p data-sourcepos="24:1-25:24"><strong data-sourcepos="24:1-24:8">Trac</strong>:<br data-sourcepos="24:12-24:12" /> <strong data-sourcepos="25:1-25:12">Username</strong>: cyperpunks</p>

cyperpunks? lol Check for false-positives: javascript.enabled to false.

Trac:
Username: watt

Disabling javascript within the config hides the message, so the noscript element isn't being acknowledged for a split second at least. This does not occur in versions prior to 8.0

Trac:
Username: noscriptbug

That's expected, even if slightly annoying, and as noted no JavaScript runs anyway.

NoScript 5.x, by using the available XPCOM APIs, could override the browser's maximum priority stylesheet which enforces a

noscript {
  display: none !important;
}

rule, hiding and disabling all the elements pre-emptively in every docshell where JavaScript is enabled. WebExtensions lack this overriding power, so now we must work-around with a hack: in order to render NOSCRIPT elements on pages where NoScript 10.x disables scripting (by using CSP, which doesn't trigger the brower's "JavaScript disabled" HTML parsing code path), we need to replace them with elements unaffected by the browser's enforced styling after they're inserted in the DOM, therefore the delay.

Trac:
Status: new to closed
Summary: NoScript does not seem to disable JavaScript on loading properly to elements' rendering is slightly delayed
Priority: Very High to Medium
Resolution: N/A to wontfix

closed

moved to tpo/applications/tor-browser#29044 (closed)