Opened 18 months ago

Closed 18 months ago

Last modified 18 months ago

#30396 closed defect (duplicate)

Re-enable NoScript after Mozilla bug #1549078

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Saturday, May 4, 2019

TBB 8.0.8
NoScript 10.6.1

The NoScript add-on was automatically disabled in the background and removed from the toolbar without user intervention. Mozilla is rolling out a fix for Desktop using the Studies system, but Mozilla studies are disabled in Tor Browser. They don't have a fix yet for Android.

I had one tab open to search results on Safer. A yellow banner showed up across the top of the page inside the tab.
"One or more installed add-ons cannot be verified and have been disabled. [Learn More] X"

The Add-ons tab (about:addons) says:
"Missing something? Some extensions are no longer supported by Tor Browser. [Show legacy extensions]"

Which opens:
"Legacy Extensions
These extensions do not meet current Tor Browser standards so they have been deactivated.
NoScript could not be verified for use in Tor Browser and has been disabled. [More Information]"

"More Information" goes to this Mozilla page implying the add-on is not signed (scary and false):

A banner on that page says:
We rolled out a hotfix that re-enables affected add-ons. The fix will be automatically applied in the background within the next few hours. For more details, please check out the update at

That page basically says there was a major fuck-up by a centralized Mozilla signing update and that a patch fix will be applied unless Studies are disabled in the browser. Mozilla studies are disabled in Tor Browser, so we were hit with an unintentional attack and are blocked by default from repair. It's a hole for administrative exploitation.

Child Tickets

Attachments (1)

tor-browser about-addons NoScript disabled.png (56.4 KB) - added by cypherpunks 18 months ago.

Download all attachments as: .zip

Change History (4)

Changed 18 months ago by cypherpunks


comment:1 Changed 18 months ago by cypherpunks
[first mitigation completed, working on a second one] All extensions disabled due to expiration of intermediate signing cert

comment:2 Changed 18 months ago by boklm

Resolution: duplicate
Status: newclosed

This is a duplicate of #30388.

comment:3 Changed 18 months ago by Crissy2

Why the cert was not checked that soon will expire? #30402

If there will be a warning month before expiration, TBB Team will be noticed and can prevent this situation.

Note: See TracTickets for help on using tickets.