Opened 2 weeks ago

Closed 12 days ago

#30443 closed defect (not a bug)

NoScript still not working right, not sure if https everywhere is working right either, addons?

Reported by: justmeee
Owned by: tbb-team
Priority: Immediate
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Critical
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Did not have these problems before the recent certificate issue, so I believe the fix is not working right. Pasting a copy of the info so far:

Got the update.

This fix is not working correctly. Torbrowser 8.5a12

Pages are being displayed as if NoScript was turned off, so I'm seeing images that NoScript blocked before, they just have a ghost image of noscript on top of the image it's supposed to be blocking.

For a comparison, I went to config and turned off the xpinstall that someone earlier recommended, yes I read the warnings, and reloaded the page, then it displayed as if NoScript was working correctly and I saw ONLY the NoScript image, NOT what it was supposed to be blocking.

So it's not working right.
Changed 3 hours ago by justmeee
Attachment: yahoo screen i should NOT be getting.png added

Yahoo screen I should NOT be getting, but I get this with 8.5a12 with config set to true. I did NOT get this before these NoScript problems.
Changed 3 hours ago by justmeee
Attachment: yahoo login page should go straight here.png added

Yahoo page I SHOULD be getting when going to mail.yahoo.com. This is where I went directly before the NoScript problems, and where I go directly when config is set to false, but NOT when set to true, so this is one example of fix being buggy.
comment:59 Changed 3 hours ago by justmeee

Here's another example:

When I go to mail.yahoo.com, when NoScript was working correctly, I would go straight to the login page. When NoScript is NOT working correctly, I get the extra page where you have to click on the link to login.

Again, the config change corrected this, so the fix does not seem to be working right.

Images attached that show screenshots of where I went Before the NoScript problems started and when config is set to false, and the different screen I get when config is set to true with updated 8.5a12. This is just one example, but I'm seeing other examples across several sites.

I hope the images attached?
comment:60 Changed 2 hours ago by gk

Do you have a master password set? What is the status of NoScript on about:addons? Does it work for you if you start with a fresh 8.5a12?
comment:61 Changed 81 minutes ago by justmeee

No master password.

So I restarted it. It was working ok with config set to true, but I didn't make any changes since having the problems from before. So I restarted and opened those same pages several times just to see. It seems to happen sometimes. So sometimes when it starts, I will get the ghost image background (of the image that should NOT be there) with the NoScript on top of it, and mail goes to the wrong page as if NoScript was not working right. 1 out of the last 6 start ups produced this result.

In all instances, config was set to true, and addons showed it was enabled. The icons are in the toolbar and show it working. So I'm also concerned if https anywhere is working right too.

Installed a fresh copy, no change, had the same poor result on the third time opening it.
comment:62 Changed 75 minutes ago by gk
Resolution: → fixed
Status: reopened → closed

Sounds like a different bug. Could you open a ticket? Does this happen with a fresh 8.0.9 as well? What operating system are you on?


I'm using Win 7 64bit. I loaded the 8.0.9 and it gave me the same fail on the first try, the items that were blocked before are still showing up even though everything says NoScript is working, and I have a ghost image over it from NoScript. So what happened before all this started was I would ONLY have the NoScript image, NOT the blocked item. Now I see the item that's supposed to be blocked, plus a transparent partial NS image on top of it. And yahoo is not taking me directly to the login, it gives me the extra screen so scripts are running in spite of everything saying NoScript should be working.

Did not have these problems before the certificate problem.

Same thing, the problem goes away if I set that config mentioned in the other ticket to false, then NoScript starts working correctly but as others have said, that's not the right way to fix this.

Reattaching the yahoo screenshots here too.

Attachments (4)

yahoo screen i should NOT be getting.png (1.1 MB) - added by justmeee 2 weeks ago.
When I go to mail.yahoo.com, I should NOT see this page, but sometimes I still do, and scripts are working even though everything says NS should be blocking them. This is only one example.
yahoo login page should go straight here.png (58.9 KB) - added by justmeee 2 weeks ago.
This is the page I should be going to directly when I type in mail.yahoo.com if NS is working. Now, I only go there sometimes. Did NOT have this problem before all this issue with the certificates, and the only thing that makes it work consistently is changing that config setting to false.
noscript correctly blocking item.png (10.8 KB) - added by justmeee 12 days ago.
NoScript Correctly blocking an item
noscript NOT correctly blocking item.png (25.5 KB) - added by justmeee 12 days ago.
NoScript NOT working correctly


Change History (11)

Changed 2 weeks ago by justmeee

When I go to mail.yahoo.com, I should NOT see this page, but sometimes I still do, and scripts are working even though everything says NS should be blocking them. This is only one example.

Changed 2 weeks ago by justmeee

This is the page I should be going to directly when I type in mail.yahoo.com if NS is working. Now, I only go there sometimes. Did NOT have this problem before all this issue with the certificates, and the only thing that makes it work consistently is changing that config setting to false.

comment:1 Changed 13 days ago by gk

So, all the fix in 8.0.9 and 8.5a12 does is getting back the noscript, nothing else. It does not change any noscript settings etc. Thus, *if* you are seeing your noscript icon as you do then the fix has worked.

Now, I wonder what goes wrong, though. How did you configure noscript to disable scripts?

What config do you mean?

comment:2 Changed 13 days ago by gk

Component: - Select a component → Applications/Tor Browser
Owner: set to tbb-team
Status: new → needs_information

comment:3 Changed 13 days ago by gk

Other things that are useful to know:

1) What's the value for extensions.torbutton.security_slider in your about:config?
2) If you set extensions.torbutton.loglevel to 3 in your about:config and restart there should be NoScript related messages in the browser console (Ctrl + Shift + J). What are those messages?

Last edited 13 days ago by gk
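
The prefs asked about in this thread can also be read straight from the profile's `prefs.js` instead of about:config. The following is an added example, not part of the ticket or of Tor Browser's code; the function names and the sample file contents are constructed, and it assumes `prefs.js` stores only user-modified values, so a missing entry means the built-in default.

```python
import re

# Prefs named in this ticket.
WATCHED = (
    "xpinstall.signatures.required",
    "extensions.torbutton.security_slider",
    "extensions.torbutton.loglevel",
)

# Constructed sample of a prefs.js file (values are illustrative only).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:tor");
user_pref("extensions.torbutton.loglevel", 3);
user_pref("extensions.torbutton.security_slider", 1);
user_pref("xpinstall.signatures.required", false);
"""

PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment or blank line
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def audit(text):
    """Report the watched prefs and flag settings left over from workarounds."""
    prefs = parse_prefs(text)
    findings = []
    # Assumption: the built-in default for this pref is true.
    if prefs.get("xpinstall.signatures.required", True) is False:
        findings.append("add-on signature enforcement is disabled")
    if "extensions.torbutton.loglevel" in prefs:
        findings.append("torbutton loglevel overridden to %r"
                        % prefs["extensions.torbutton.loglevel"])
    report = {name: prefs.get(name, "<default>") for name in WATCHED}
    return report, findings
```

Run `audit()` on the text of the profile's `prefs.js` while the browser is closed, since the file is rewritten on exit.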

comment:4 Changed 13 days ago by gk

Oh, what happens on subsequent re-starts (of a clean 8.0.9)?

Last edited 13 days ago by gk

comment:5 Changed 12 days ago by justmeee

With the 8.0.9, I get the same results as the alpha 12.

I have the security slider set to max/safest.

The config I refer to is what was mentioned in the other ticket #30388: xpinstall.signatures.required... when that is set to False, the problem goes away and everything is working as before, but when set to True, it's buggy again and this did Not happen before the problems that prompted ticket 30388.

Restarting, the results are the same in both... it will be correct maybe 5 out of 6 times, but it is random, so it may be buggy on the first or the third or the 10th restart. It is the same for both torbrowser versions.

I don't know how to check if the https everywhere or other addons are working right, I don't have many, but if you tell me how to verify it in the display, NOT by what the settings are telling me but to see the actual result, then I can tell you if it's just noscript or all the addons because this was NOT a problem before the recent major addon crash of ticket #30388.

The first obvious thing was the yahoo. Going to mail.yahoo.com. Before the addon crash of 30388, I would go straight to the login screen (shown in the attachments provided earlier). Now, when it loads buggy, I get that other page first, the purple one also previously attached, where I then have to click in the above right "login" to get to the login page, and scripts are enabled even though everything says NoScript is working. I should never be getting that when addons are working. This never happened even once before the 30388 crash, that's what I call the incident for easy reference.

The second was the ghost images... I'm attaching a screen shot that shows the part of the object as it is Normally displayed when NS is working correctly, and with the ghost image behind it that it should be blocking when it does NOT work correctly... again, this has NEVER happened before the 30388 problem, and it goes away and all things return to normal when I set that config to false...

hence my conclusion that the patch is not working right... and if you tell me what I can do to see if https is working right, not by looking at the item telling me if it's working because everything is telling me NS is working right even when it's not, it's the visual of the sites that tells me it's not working right...

Changed 12 days ago by justmeee

NoScript Correctly blocking an item

Changed 12 days ago by justmeee

NoScript NOT working correctly

comment:6 Changed 12 days ago by justmeee

I didn't see any option to modify ticket to "information provided" or anything else.

comment:7 Changed 12 days ago by gk

Resolution: → not a bug
Status: needs_information → closed

Okay, I looked closer at that. NoScript is working as expected: JavaScript is blocked on the highest level and all the other prefs are properly flipped as well. In short it's not a NoScript problem.

What happens is that for some (probably Yahoo-internal) reason a different landing page is loaded sometimes. I am not sure why you did not see that before but probably that's because Yahoo changed their logic recently.

I tested older Tor Browser versions from before the 8.0.9 update and I see the same problem on a Windows machine as well. I am not sure why I don't see this on Linux, though.

I double-checked as well that SVG (while loaded on that different page you encountered) is not executed when we set the slider pref. So, we are good here and this is not a bug.

Regarding HTTPS Everywhere: this has never been a problem and that extension should never have been disabled as we have it exempt from the signature check because we use the EFF and not the Mozilla version.
