Opened 3 months ago

Last modified 3 months ago

#31094 needs_information defect

Tor Browser in Whonix blocks JavaScript (only when started for the first time) and in DispVMs

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

There is a long standing issue with Tor Browser that I reported to Whonix, but they say that it is an upstream issue.

There appears to be a race condition when Tor Browser starts for the first time NoScript is most of the times (~8/10) blocking all scripts.

Since I run Tor Browser in so called "disposable VMs" (Qubes OS) where every Tor Browser start is as if it would start for the first time - this is a rather annoying issue.

To work around that I have to go to the NoScript settings after _every_ Tor Browser start and disable restrictions, with the latest Tor Browser version this has become more painful since the NoScript button is no longer displayed directly in the Browser bar.

https://forums.whonix.org/t/tor-browser-in-whonix-blocks-javascript-only-when-started-for-the-first-time-and-in-dispvms/6843

Child Tickets

Change History (7)

comment:1 Changed 3 months ago by gk

Status: newneeds_information

If you take the Tor Browser as we ship it (by downloading it from our website and extracting it) and run that inside your environment, does this happen as well?

Last edited 3 months ago by gk (previous) (diff)

comment:2 Changed 3 months ago by adrelanos

Tor Browser in Whonix blocks JavaScript (only when started for the first time) and in DispVMs

There is a long standing issue with Tor Browser that I reported to Whonix, but they say that it is an upstream issue.

Citation required.

"blocks JavaScript (only when started for the first time)" - No, I don't think this is an issue caused by Tor Browser which Tor Project could fix. Except, if

If you take the Tor Browser as we ship it (by downloading it from our website and extracting it) and run that inside your environment, does this happen as well?

above quote was the case.

There are other recent changes and decisions by Tor Project which often cause questions. List of things up to The Tor Project having decided for now at the time of writing:

  • not enable to set noscript to blocking of all scripts globally by default,
  • not persist noscript per-site settings by default,
  • remove noscript from Tor Browser menu bar by default.

comment:3 in reply to:  2 Changed 3 months ago by gk

Replying to adrelanos:

Tor Browser in Whonix blocks JavaScript (only when started for the first time) and in DispVMs

There is a long standing issue with Tor Browser that I reported to Whonix, but they say that it is an upstream issue.

Citation required.

"blocks JavaScript (only when started for the first time)" - No, I don't think this is an issue caused by Tor Browser which Tor Project could fix. Except, if

If you take the Tor Browser as we ship it (by downloading it from our website and extracting it) and run that inside your environment, does this happen as well?

above quote was the case.

Could you make your point a bit clearer here? I was trying to figure out whether the Tor Browser as we offer it from our website is giving the same behavior as the software Whonix is shipping (which I don't know anything about), but I am still not sure what the answer here is.

There are other recent changes and decisions by Tor Project which often cause questions. List of things up to The Tor Project having decided for now at the time of writing:

  • not enable to set noscript to blocking of all scripts globally by default,

That's not a recent decision or change but has been that way forever, see our FAQ entry: https://support.torproject.org/#tbb-34

  • not persist noscript per-site settings by default,

Per-site permissions saved by default would risk making you linkability across different website because you probably have a non-generic whitelist. But if someone really wants that then there is a pref you can flip. See: #27175 for the full discussion.

  • remove noscript from Tor Browser menu bar by default.

#25658 is the ticket you want and proposal 101 (https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/101-security-controls-redesign.txt) for more background. You can follow the tbb-dev list for proposal discussions like that one. This feature has been in the works for months.

comment:4 Changed 3 months ago by cypherpunks

Simmer down gk, adrelanos wasn't contesting those things but merely reminding the OP about them :)

comment:5 in reply to:  1 ; Changed 3 months ago by cypherpunks

Replying to gk:

If you take the Tor Browser as we ship it (by downloading it from our website and extracting it) and run that inside your environment, does this happen as well?

https://forums.whonix.org/t/tor-browser-in-whonix-blocks-javascript-only-when-started-for-the-first-time-and-in-dispvms/6843/11:
I don’t think this is a vanilla torbrowser bug since it only happens in whonix - never with vanilla torbrowser.

comment:6 in reply to:  5 ; Changed 3 months ago by adrelanos

Could this be related to or being a duplicate or regression of #27401?

Replying to cypherpunks:

Simmer down gk, adrelanos wasn't contesting those things but merely reminding the OP about them :)

Indeed.

Replying to gk:

Replying to adrelanos:

Tor Browser in Whonix blocks JavaScript (only when started for the first time) and in DispVMs

There is a long standing issue with Tor Browser that I reported to Whonix, but they say that it is an upstream issue.

Citation required.

"blocks JavaScript (only when started for the first time)" - No, I don't think this is an issue caused by Tor Browser which Tor Project could fix. Except, if

If you take the Tor Browser as we ship it (by downloading it from our website and extracting it) and run that inside your environment, does this happen as well?

above quote was the case.

Could you make your point a bit clearer here? I was trying to figure out whether the Tor Browser as we offer it from our website is giving the same behavior as the software Whonix is shipping (which I don't know anything about), but I am still not sure what the answer here is.

I can't reproduce this. Only reporter can confirm.

as the software Whonix is shipping (which I don't know anything about)

Btw the differences are here:
https://www.whonix.org/wiki/Tor_Browser#Tor_Browser_Bundle_versus_Whonix_Tor_Browser

And here:
#19652 (which still up to date)

There are other recent changes and decisions by Tor Project which often cause questions. List of things up to The Tor Project having decided for now at the time of writing:

  • not enable to set noscript to blocking of all scripts globally by default,

That's not a recent decision or change but has been that way forever, see our FAQ entry: https://support.torproject.org/#tbb-34

Indeed, however users often bring it up and blame it on Whonix.

  • not persist noscript per-site settings by default,

Per-site permissions saved by default would risk making you linkability across different website because you probably have a non-generic whitelist. But if someone really wants that then there is a pref you can flip. See: #27175 for the full discussion.

Not contesting that. Even have that in Whonix documentation: https://www.whonix.org/wiki/Tor_Browser#NoScript_Custom_Setting_Persistence

  • remove noscript from Tor Browser menu bar by default.

#25658 is the ticket you want and proposal 101 (https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/101-security-controls-redesign.txt) for more background. You can follow the tbb-dev list for proposal discussions like that one. This feature has been in the works for months.

Not contesting that either (would create a ticket if I had a suggestion) but good to have the links to further information so we can link it from Whonix documentation.

comment:7 in reply to:  6 Changed 3 months ago by cypherpunks

Replying to adrelanos:

I can't reproduce this. Only reporter can confirm.

here is another person confirming this issue
http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/tor-browser-in-whonix-blocks-javascript-only-when-started-for-the-first-time-and-in-dispvms/6843/10

There are other recent changes and decisions by Tor Project which often cause questions. List of things up to The Tor Project having decided for now at the time of writing:

  • not enable to set noscript to blocking of all scripts globally by default,

That's not a recent decision or change but has been that way forever, see our FAQ entry: https://support.torproject.org/#tbb-34

Indeed, however users often bring it up and blame it on Whonix.

Note that the issue this trac entry is about has nothing todo with the above, actually it is about the very opposite (all scripts blocked by default when the issue occurs).

Note: See TracTickets for help on using tickets.