Opened 19 months ago

Closed 5 months ago

#29957 closed defect (fixed)

clicking on "click to play" media leaks URLs via NoScript on-disk preferences

Reported by: catalyst
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-disk-leak, tbb-newnym, noscript, TorBrowserTeam202006
Cc: ma1
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

A user in #tor reports that clicking on "click to play" media leaks sensitive information by causing NoScript to save the URL to disk. It's not clear whether this is an instance of #29646. It also seems that these URLs persist for search bar completion briefly beyond "New Identity", but not beyond a browser restart.

partial IRC logs below:

29T22:27 <XXXXX> i'd like to report a bug in noscript in tor browser
29T22:28 <XXXXX> when media is "click to play" and i click it, the browser 
                     SAVES IT in HISTORY
29T22:28 <XXXXX> even though it is tor browser, when i start up the browser 
                     days later i find that noscript has saved that site url to 
                     the hard drive... tor browser is not supposed to keep 
                     history
29T22:29 <XXXXX> it was visible in "per-site permissions" in the noscript 
                     settings
29T22:30 <XXXXX> it includes ILLEGAL (lgbt resources) in my country, that i 
                     do not want anyone to see, but it was still being saved by 
                     tor browser
29T22:31 <XXXXX> i did not do anything "unusual" like changing settings or 
                     tweaking. i only had security slider MEDIUM and when click 
                     to play media appeared i clicked it
29T22:32 <XXXXX> i cleared the history and bleachbit wiped the computer but 
                     i'm scared
...
29T22:39 <catalyst> XXXXX: that does sound scary in your situation. and it 
                    does sound like a bug. what OS and Tor Browser version?
29T22:40 <XXXXX> catalyst: windows 7 tor browser 8.0.8
...
29T22:45 <catalyst> XXXXX: thanks. i'm asking around
29T22:46 <XXXXX> ok!
29T22:46 <XXXXX> what do i need to do to erase it? i pressed "reset 
                     settings" in noscript and i think that worked and i ran 
                     bleachbit too
29T22:47 <catalyst> XXXXX: that depends on how thoroughly you need to erase 
                    it, unfortunately
29T22:48 <XXXXX> i dont want family or authorities to see it
...
29T22:48 <XXXXX> ok and doing that with bleachbit "erase free space" helps?
...
29T22:50 <XXXXX> it erases free space because deleting files is recoverable
29T22:51 <catalyst> XXXXX: that sounds like it should help. i'm not 
                    personally familiar with bleachbit so i can't say whether 
                    or not it will be effective in this case
29T22:51 <XXXXX> ok
29T22:52 <catalyst> operating systems like Tails provide additional isolation 
                    (i believe Tails won't ever write to a disk unless you 
                    explicitly ask it to)
29T22:57 <catalyst> XXXXX: may i paste your report into a public bug 
                    report? (redacting your IRC nickname)
29T22:57 <XXXXX> catalyst: yes ok
29T22:57 <catalyst> XXXXX: thanks
29T22:58 <XXXXX> catalyst: when i clicked "reset" on the noscript settings 
                     it broke some things i think the "default settings" are 
                     not the same ones tor uses so resetting to default breaks 
                     some things. a check mark is now checked called "override 
                     tor browser security preset" and even on MEDIUM slider 
                     settings it makes javascript disabled
29T22:58 <XXXXX> so also the reset option breaks things too!
29T23:03 <catalyst> XXXXX: that sounds unfortunate, but not too surprising. 
                    Tor Browser can't always handle unusual user interactions 
                    with the components it depends on. we can only try to fix 
                    stuff like this as we learn about it
29T23:03 <XXXXX> ok
29T23:03 <XXXXX> i'll delete and install the browser again
...
29T23:12 <XXXXX> catalyst: one other scary thing that might be related. 
                     when i visit sites after i press "new identity" that 
                     restarts the browser. when the new browser opens then i 
                     type something into the search bar at the top and 
                     sometimes it suggests the sites i was just viewing BUT for 
                     a split second then they vanish!
29T23:13 <XXXXX> i only noticed it when pressing "new identity" but not if 
                     i close the browser then open it myself instead. but after 
                     the suggested sites vanish they don't appear again and 
                     that is weird
29T23:15 <@arma> XXXXX: i would believe this -- new identity does a pile of 
                 things, and it does them in some order. it should probably 
                 change its order so you don't get confused into thinking it is 
                 done until it really is done.
29T23:15 <catalyst> XXXXX: that does seem scary. the behavior difference 
                    between "new identity" and restarting the browser is 
                    helpful to know, though. i'll add it to the bug report

Change History (14)

comment:1 Changed 19 months ago by gk

Keywords: tbb-newnym added; newnym removed
Status: new → needs_information

I tried to reproduce both issues but failed with a clean Tor Browser 8.0.8 on Windows 7. So, I wonder what goes wrong on the user's computer. Maybe some extra tools installed are interfering?

comment:2 in reply to: 1 Changed 19 months ago by cypherpunks

Replying to gk:

I tried to reproduce both issues but failed with a clean Tor Browser 8.0.8 on Windows 7. So, I wonder what goes wrong on the user's computer. Maybe some extra tools installed are interfering?

I just tried this on my own Windows 7 computer with browser 8.0.8 and it *does* persist for me. I went to Wikipedia with the slider set to "Safer" and viewed some videos that were click-to-play. After restarting Tor Browser and checking the NoScript settings "per-site permissions", the whitelisted URLs are being shown like this one:

https://upload.wikimedia.org/wikipedia/commons/transcoded/0/0a/Comparing_CMEs.ogv/Comparing_CMEs.ogv.480p.vp9.webm

I restarted Tor Browser with New Identity, and I closed and re-opened it, and I rebooted my computer, so I can *confirm* that this is an issue!

comment:3 Changed 19 months ago by cypherpunks

In the file called storage-sync.sqlite (in profile.default) I have this text copied from Notepad (example and not everything in the .sqlite file, just the relevant part):

["fetch","font","frame","object","other","script","webgl","media"],"temp":false},"https://upload.wikimedia.org/wikipedia/commons/transcoded/0/0a/Comparing_CMEs.ogv/Comparing_CMEs.ogv.480p.vp9.webm":{"capabilities":["fetch","font","frame","object","other","script","webgl","media"],"temp":false}}},"enforced":true,"autoAllowTop":false},"_status":"created"}‚';i
ƒedefault/{73a6fe31-595d-460b-a920-fcc0f8843232}key-sync{"id":"key-sync","key":"sync","data":{"global":false,"xss":true,"cascadeRestrictions":true,"xssScanRequestBody":false,"xssBlockUnscannedPOST":true,"overrideTorBrowserPolicy":false,"clearclick":true,"storage":"sync"},"_status":"created"}

comment:4 Changed 19 months ago by cypherpunks

Here is *exactly* what I did to confirm it:

  1. Deleted Tor Browser directory
  2. Installed fresh Tor Browser 8.0.8
  3. Changed security slider to "Safer"
  4. Navigated to https://upload.wikimedia.org/wikipedia/commons/transcoded/2/22/Volcano_Lava_Sample.webm/Volcano_Lava_Sample.webm.360p.vp9.webm
  5. Clicked to play
  6. Looked at NoScript settings page and confirmed it was whitelisted
  7. Restarted browser

Before step 5, I looked at the sqlite in an online sqlite viewer and it said the collection_name was default/{73a6fe31-595d-460b-a920-fcc0f8843232}, the record_id was key-policy, and the record was this:

{"id":"key-policy","key":"policy","data":{"DEFAULT":{"capabilities":["fetch","font","frame","object","other","script","webgl"],"temp":false},"TRUSTED":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"UNTRUSTED":{"capabilities":["frame","font"],"temp":false},"sites":{"trusted":[],"untrusted":["http:"],"custom":{}},"enforced":true,"autoAllowTop":false},"_status":"created"}

After step 7 I looked at the same record, and now it was this:

{"id":"key-policy","key":"policy","data":{"DEFAULT":{"capabilities":["fetch","font","frame","object","other","script","webgl"],"temp":false},"TRUSTED":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"UNTRUSTED":{"capabilities":["frame","font"],"temp":false},"sites":{"trusted":[],"untrusted":["http:"],"custom":{"https://upload.wikimedia.org/wikipedia/commons/transcoded/2/22/Volcano_Lava_Sample.webm/Volcano_Lava_Sample.webm.360p.vp9.webm":{"capabilities":["fetch","font","frame","object","other","script","webgl","media"],"temp":false}}},"enforced":true,"autoAllowTop":false},"_status":"created"}

That sqlite file is stored on the disk.

comment:5 Changed 19 months ago by gk

Cc: m1 added
Keywords: noscript added

Okay, thanks for those steps, that helped me a lot. Giorgio: given that this violates assumptions about Private Browsing Mode (PBM) usage (no information about web browsing, let alone possibly problematic URLs, should be leaked to disk in that mode), is there a way for NoScript to actually adhere to the PBM rules the user/Tor Browser has intentionally enabled? Like saving the exceptions in memory, and only there, if in PBM? It seems to me there is no reason to save them to disk in that case.

comment:6 Changed 12 months ago by cypherpunks

This bug needs more attention now that click-to-play was made DEFAULT in Tor Browser 9.0. On all three security levels, plugins.click_to_play = true. I noticed it was enabled because I had to click "play" on every YouTube video.

comment:7 Changed 5 months ago by gk

Cc: ma1 added; m1 removed

Ha, I added the wrong handle to Cc :(. ma1: see my idea in comment:5 for this issue. Not sure if that's something doable, though.

comment:8 in reply to: 5 Changed 5 months ago by ma1

Replying to gk:

Okay, thanks for those steps, that helped me a lot. Giorgio: given that this violates assumptions about Private Browsing Mode (PBM) usage (no information about web browsing, let alone possibly problematic URLs, should be leaked to disk in that mode), is there a way for NoScript to actually adhere to the PBM rules the user/Tor Browser has intentionally enabled? Like saving the exceptions in memory, and only there, if in PBM? It seems to me there is no reason to save them to disk in that case.

Yes, it can be done. I'll need to flag all permissions as temporary (maybe if not explicitly overridden by the user some way, e.g. via an option in the confirmation dialog) for sessions where the Tor Browser is detected as the host.

I will put this in 11.0.25.

comment:9 in reply to: 8 Changed 5 months ago by gk

Replying to ma1:

Replying to gk:

Okay, thanks for those steps, that helped me a lot. Giorgio: given that this violates assumptions about Private Browsing Mode (PBM) usage (no information about web browsing, let alone possibly problematic URLs, should be leaked to disk in that mode), is there a way for NoScript to actually adhere to the PBM rules the user/Tor Browser has intentionally enabled? Like saving the exceptions in memory, and only there, if in PBM? It seems to me there is no reason to save them to disk in that case.

Yes, it can be done. I'll need to flag all permissions as temporary (maybe if not explicitly overridden by the user some way, e.g. via an option in the confirmation dialog) for sessions where the Tor Browser is detected as the host.

I will put this in 11.0.25.

Thanks (i guess you mean 11.0.27, right? ;)). I think binding it to Tor Browser might not be the best option. It seems to me the PBM/non-PBM distinction is important here. I doubt Firefox users in PBM expect their site exceptions to be written to disk either, given their conscious choice to enable PBM in the first place. Thus, respecting *that* distinction seems more important than Tor Browser/non-Tor Browser AND it fits better with the mental model (Tor) Browser users have.

comment:10 in reply to: 9 Changed 5 months ago by ma1

Replying to gk:

Thanks (i guess you mean 11.0.27, right? ;)). I think binding it to Tor Browser might not be the best option.

Sorry, that's 11.0.28 (as 11.0.27 is shipping today) and PBM on any browser, rather than just Tor Browser, you're right (not enough coffee this morning).

comment:11 in reply to: 9 Changed 5 months ago by ma1

OK, in the end I managed to squeeze it into 11.0.27rc5 (I'm about to submit 11.0.27 "stable" to AMO), because it felt just too important to wait anymore.

Please check https://github.com/hackademix/noscript/releases/tag/11.0.27rc5

comment:12 Changed 5 months ago by ma1

Just to be clear, 11.0.27 in PBM tabs/windows does the following:

  1. Disables any contextual widget (in the tab-originated popups) leading to granting permanent permissions (and therefore URLs being persisted on the disk): therefore you can only set Temp. TRUSTED or Temp. CUSTOM (neither TRUSTED, UNTRUSTED nor permanent CUSTOM) unless that was the setting when the UI popup was opened
  2. When unblocking a media element, the permission is always marked as temporary and never persisted to the disk.

Of course you can still turn the temporary permissions to permanent from the "Per-site preferences" options panel, if you really want to.

I'm not sure whether 1 is too strict for people who intentionally checked "override Tor Browser security policies", since this would erase any permission customization on browser restarts (as all Tor Browser windows are incognito, right?), but it seemed a transparent middle ground to help them not shoot themselves in the foot. What do you think?

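As an added example (not NoScript's code and not part of this ticket), the script below audits a key-policy record of the shape quoted in comment:4 for per-site entries that would reach disk, and models the private-browsing rule ma1 describes in comment:12: a click-to-play grant made in a PBM window is flagged temporary and dropped before the record is written. The sample record is the post-click one from comment:4; `allow_media`, `persistable` and `fresh_policy` are simplified assumptions about how such a store behaves, not NoScript's implementation.

```python
import json

# Constructed from the post-click "key-policy" record quoted in comment:4 of this
# ticket: the on-disk NoScript policy after a click-to-play video was allowed.
STORED_RECORD = json.loads(
    '{"id":"key-policy","key":"policy","data":{'
    '"DEFAULT":{"capabilities":["fetch","font","frame","object","other","script","webgl"],"temp":false},'
    '"TRUSTED":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},'
    '"UNTRUSTED":{"capabilities":["frame","font"],"temp":false},'
    '"sites":{"trusted":[],"untrusted":["http:"],"custom":{'
    '"https://upload.wikimedia.org/wikipedia/commons/transcoded/2/22/Volcano_Lava_Sample.webm/Volcano_Lava_Sample.webm.360p.vp9.webm":'
    '{"capabilities":["fetch","font","frame","object","other","script","webgl","media"],"temp":false}}},'
    '"enforced":true,"autoAllowTop":false},"_status":"created"}'
)

def leaked_site_urls(record):
    """Audit: list every site entry in a key-policy record that is not temporary.

    In a fresh profile sites.trusted and sites.custom are empty, so any permanent
    entry found in the on-disk record is browsing history written by NoScript."""
    sites = record["data"]["sites"]
    leaked = list(sites.get("trusted", []))
    leaked += [url for url, perm in sites.get("custom", {}).items() if not perm.get("temp")]
    return leaked

def fresh_policy():
    """The pre-click record from comment:4: same presets, empty sites.custom."""
    rec = json.loads(json.dumps(STORED_RECORD))  # deep copy, sample stays untouched
    rec["data"]["sites"]["custom"] = {}
    return rec

def allow_media(record, url, private_mode):
    """Grant a click-to-play media permission for `url` (simplified model, not
    NoScript's code). In a private-browsing window the grant is marked temporary,
    which is the rule described in comment:12."""
    caps = list(record["data"]["DEFAULT"]["capabilities"]) + ["media"]
    record["data"]["sites"]["custom"][url] = {"capabilities": caps, "temp": bool(private_mode)}
    return record

def persistable(record):
    """What may be written to storage-sync.sqlite: the record minus temporary
    entries (assumption: temporary permissions are never persisted)."""
    out = json.loads(json.dumps(record))
    sites = out["data"]["sites"]
    sites["custom"] = {u: p for u, p in sites["custom"].items() if not p.get("temp")}
    return out

if __name__ == "__main__":
    for url in leaked_site_urls(STORED_RECORD):
        print("persisted site entry:", url)
```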

comment:13 Changed 5 months ago by ma1

After some thinking I've decided that the new Incognito-restricted UI is a very good idea for Firefox and Chromium users in PBM. It's neutral for vanilla Tor Browser users (who can't see it by default anyway), and it's likely annoying for users who took the pain of restoring the NoScript button and checking the "Override Tor Browser's Security Level preset" option for the sole purpose of customizing their permissions and having them survive sessions.

Therefore https://github.com/hackademix/noscript/releases/tag/11.0.27rc6 disables non-temporary presets in the popup UI for all PBM users except those who choose to "have it their way" (with Override Tor Browser etc.), while click to play permissions (the scope of this bug) are always made temporary for all PBM and Tor Browser windows (but can be turned into permanent ones from the Per-site Permissions UI).


comment:14 in reply to: 13 Changed 5 months ago by gk

Keywords: TorBrowserTeam202006 added
Resolution: fixed
Status: needs_information → closed

Replying to ma1:

After some thinking I've decided that the new Incognito-restricted UI is a very good idea for Firefox and Chromium users in PBM. It's neutral for vanilla Tor Browser users (who can't see it by default anyway), and it's likely annoying for users who took the pain of restoring the NoScript button and checking the "Override Tor Browser's Security Level preset" option for the sole purpose of customizing their permissions and having them survive sessions.

Therefore https://github.com/hackademix/noscript/releases/tag/11.0.27rc6 disables non-temporary presets in the popup UI for all PBM users except those who choose to "have it their way" (with Override Tor Browser etc.), while click to play permissions (the scope of this bug) are always made temporary for all PBM and Tor Browser windows (but can be turned into permanent ones from the Per-site Permissions UI).

Great, thanks. A quick test of the latest NoScript (11.0.30) shows that this bug is fixed. Yay!
