Opened 2 months ago

Last modified 2 months ago

#31798 new defect

wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser

Reported by: adrelanos Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: whonix-devel@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Noscript, file

{73a6fe31-595d-460b-a920-fcc0f8843232}

full path

tor-browser/Browser/TorBrowser/Data/Browser/profile.default/browser-extension-data/{73a6fe31-595d-460b-a920-fcc0f8843232}

when extracted contains file

common/Policy.js

which contains a list of websites.

addons.mozilla.org
afx.ms ajax.aspnetcdn.com
ajax.googleapis.com bootstrapcdn.com
code.jquery.com firstdata.com firstdata.lv gfx.ms
google.com googlevideo.com gstatic.com
hotmail.com live.com live.net
maps.googleapis.com mozilla.net
netflix.com nflxext.com nflximg.com nflxvideo.net
noscript.net
outlook.com passport.com passport.net passportimages.com
paypal.com paypalobjects.com
securecode.com securesuite.net sfx.ms tinymce.cachefly.net
wlxrs.com
yahoo.com yahooapis.com
yimg.com youtube.com ytimg.com

Related source code:

  function defaultOptions() {
    return {
      sites:{
        trusted

File

legacy/defaults.js

is similar.

Under conditions which are not clear to me yet how to reproduce, this can lead to whitelisting these websites in noscript even though the Tor Browser security slider is set to maximum.

It's arguable if addons.mozilla.org should be whitelisted by default (I won't argue about it) but for sure netflix, paypal, youtube and others don't deserve special treatment by Tor Browser. Obvious tracking and security risk.

Looks like pressing the reset button in noscript also results in setting these websites to trusted by default in noscript.

Therefore, please kindly consider removing that whitelist from noscript.

Additional suggestions:

  • Have a unit test that greps the source code for (these) websites so these aren't reintroduced in later (noscript) add-on versions.
  • Report to upstream (noscript).

Related:

https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/
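The regression check suggested in the description (a test that greps the add-on for these sites) could look like the following. This is an added example, not part of the ticket and not code from NoScript or Tor Browser; the function names are assumptions and the archive built by `build_sample_xpi` is constructed sample data.

```python
import io
import re
import zipfile

# Default-trusted sites exactly as listed in the ticket description.
TICKET_DOMAINS = """
addons.mozilla.org afx.ms ajax.aspnetcdn.com ajax.googleapis.com
bootstrapcdn.com code.jquery.com firstdata.com firstdata.lv gfx.ms
google.com googlevideo.com gstatic.com hotmail.com live.com live.net
maps.googleapis.com mozilla.net netflix.com nflxext.com nflximg.com
nflxvideo.net noscript.net outlook.com passport.com passport.net
passportimages.com paypal.com paypalobjects.com securecode.com
securesuite.net sfx.ms tinymce.cachefly.net wlxrs.com yahoo.com
yahooapis.com yimg.com youtube.com ytimg.com
""".split()


def find_listed_domains(xpi_bytes, domains=TICKET_DOMAINS, suffixes=(".js",)):
    """Return sorted (member, line_number, domain) hits in an XPI (zip) archive."""
    # Whole-domain match: 'www.youtube.com' hits, 'notyoutube.community' does not.
    alternation = "|".join(map(re.escape, sorted(domains, key=len, reverse=True)))
    pattern = re.compile(r"(?<![\w-])(" + alternation + r")(?![\w-])")
    hits = set()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for name in xpi.namelist():
            if not name.endswith(suffixes):
                continue  # only scan script sources
            text = xpi.read(name).decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), start=1):
                for match in pattern.finditer(line):
                    hits.add((name, line_no, match.group(1)))
    return sorted(hits)


def build_sample_xpi():
    """Constructed stand-in archive; the contents are not NoScript's real source."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("common/Policy.js",
                     "trusted = `\nnoscript.net\npaypal.com paypalobjects.com\nyoutube.com\n`;\n")
        xpi.writestr("legacy/defaults.js",
                     '// https://notyoutube.community/\nvar sites = ["netflix.com"];\n')
        xpi.writestr("README.txt", "youtube.com appears in docs only\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, line_no, domain in find_listed_domains(build_sample_xpi()):
        print(f"{member}:{line_no}: default-trusted site present: {domain}")
```

A build-time test would pass the bytes of the bundled add-on file to `find_listed_domains` and fail if the result is non-empty, optionally with a shorter `domains` list if some entries are accepted.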


Change History (6)

comment:1 Changed 2 months ago by cypherpunks

you messed with noscript; now you're fckd?

comment:2 Changed 2 months ago by gk

We won't consider this unless we ship our own version of NoScript, which is currently not planned for the near future. We might even think about integrating just the security-settings related feature in the browser itself. Not sure yet. Meanwhile it would be helpful to understand why those issues only happen in Whonix so far and get some steps to reproduce.

We deliberately took the NoScript button off the toolbar to make it harder for users to shoot themselves in the foot. Not sure what Whonix does, but it's highly recommended to do the same.

comment:3 Changed 2 months ago by adrelanos

noscript [feature request] environment variable to clear default whitelist

https://forums.informaction.com/viewtopic.php?f=10&t=25743

Maybe someone could submit a patch to noscript?

comment:4 Changed 2 months ago by toholdaquill

The use case for enabling per-site permissions via NoScript in Tor Browser is as follows.

Let's say you visit twitter.com. You want to enable twitter.com and twimg.com, but not google-analytics.com. Using the Tor security slider, this level of fine-grained permissions is not possible.

comment:5 in reply to:  3 Changed 2 months ago by adrelanos

Replying to adrelanos:

noscript [feature request] environment variable to clear default whitelist

https://forums.informaction.com/viewtopic.php?f=10&t=25743

Got answer:

Sorry but there is currently no way for a WebExtension to read environment variables.


Replying to gk:

Meanwhile it would be helpful to understand why those issues only happen in Whonix so far and get some steps to reproduce.

It's not 100% reproducible yet.

I've been using Tor Browser 8.5.5. I've enabled git version control for the Tor Browser folder so I can easily simulate a first start of Tor Browser using git clean -dff ; git reset --hard ; git status.

On Debian buster.

Create folder /usr/share/homepage/whonix-welcome-page.

sudo mkdir -p /usr/share/homepage/whonix-welcome-page

Open file /usr/share/homepage/whonix-welcome-page/whonix.html with root rights.

sudoedit /usr/share/homepage/whonix-welcome-page/whonix.html

Paste.

<!DOCTYPE html>

Save.

Start Tor Browser.

TOR_NO_DISPLAY_NETWORK_SETTINGS=1 TOR_SKIP_LAUNCH=1 ./start-tor-browser.desktop /usr/share/homepage/whonix-welcome-page/whonix.html

Tor Browser menu -> addons -> noscript -> preferences -> per site permissions

You'll see noscript's default permissive websites enabled.


What I can say with more certainty is what helps to avoid triggering this bug:

  • not using a local browser start page
  • not passing a local browser start page as command line parameter
  • not setting environment variable TOR_DEFAULT_HOMEPAGE

Previously in Whonix I managed to nail down setting TOR_SKIP_CONTROLPORTTEST=1 to trigger the bug vs unset TOR_SKIP_CONTROLPORTTEST to avoid the bug.


Too many environment variables causing this?

Could be a race condition in noscript?

comment:6 Changed 2 months ago by cypherpunks

Possibly related to #31580.

It's also worth noting that xss/Exceptions.js contains exceptions for some websites like youtube too. lib/restricted.js looks like it contains exceptions for a few mozilla domains and chrome.google.com. It links to https://bugzilla.mozilla.org/show_bug.cgi?id=1415644
