Opened 12 months ago

Last modified 4 months ago

#32333 needs_information defect

NoScript remembers settings on browser quit

Reported by: kromek
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: noscript, TorBrowserTeam202006, tbb-9.0-issues
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Despite having "extensions.torbutton.noscript_persist" set to "false", NoScript still remembers trusted sites after quitting the browser. I'm using safest security settings on Debian 10.

This is a big privacy risk because I accidentally created a unique ruleset this way.

Change History (18)

comment:1 Changed 12 months ago by kromek

UPDATE: It seems that to reproduce the issue, you have to allow restrictions globally and restart the browser. It will still have disabled restrictions, and from now on, even if you enable restrictions again, it will start remembering the ruleset of websites you set to TRUSTED.

comment:2 in reply to:  1 ; Changed 12 months ago by gk

Status: new → needs_information

Replying to kromek:

UPDATE: It seems that to reproduce the issue, you have to allow restrictions globally and restart the browser. It will still have disabled restrictions, and from now on, even if you enable restrictions again, it will start remembering the ruleset of websites you set to TRUSTED.

What do you mean by "allow restrictions globally"? Could you give us complete steps to reproduce this issue?

comment:3 in reply to:  2 Changed 12 months ago by kromek

Replying to gk:

Replying to kromek:

UPDATE: It seems that to reproduce the issue, you have to allow restrictions globally and restart the browser. It will still have disabled restrictions, and from now on, even if you enable restrictions again, it will start remembering the ruleset of websites you set to TRUSTED.

What do you mean by "allow restrictions globally"? Could you give us complete steps to reproduce this issue?

Sorry, I meant like this:

  • Disable restrictions globally (the S! button)
  • restart the browser
  • restrictions will still be disabled globally (they shouldn't be), so undo that manually
  • go to any website and make it TRUSTED (permanently, not temp.)
  • restart the browser and visit the website again: it will still be trusted and JS enabled for it

Last edited 12 months ago by kromek

comment:4 Changed 12 months ago by gk

Component: Applications → Applications/Tor Browser
Version: Tor: 0.4.2.3-alpha

Closing #32337 as duplicate.

comment:5 Changed 12 months ago by sysrqb

Keywords: tbb-9.0-issues noscript TorBrowser201911 added
Owner: set to tbb-team
Severity: Major → Normal
Status: needs_information → assigned

Did this only begin in Tor Browser 9? Did you upgrade from Tor Browser 8.5 or is this a new installation?

comment:6 Changed 12 months ago by sysrqb

Status: assigned → needs_information

comment:7 Changed 12 months ago by sysrqb

Keywords: TorBrowserTeam201911 added; TorBrowser201911 removed

comment:8 in reply to:  5 Changed 12 months ago by kromek

Replying to sysrqb:

Did this only begin in Tor Browser 9? Did you upgrade from Tor Browser 8.5 or is this a new installation?

Yes, it began in Tor Browser 9. Previously the issue was non-existent. It remains a bug in 9.0.1.
It happens in a new "installation", which in my case is unpacking the TBB on Debian.

Last edited 12 months ago by kromek

comment:9 Changed 11 months ago by pili

Keywords: TorBrowserTeam201912 added; TorBrowserTeam201911 removed

Moving tickets to December

comment:10 Changed 11 months ago by kromek

Still happening on 9.0.2

comment:11 Changed 10 months ago by sysrqb

Keywords: TorBrowserTeam202001 added; TorBrowserTeam201912 removed

comment:12 Changed 9 months ago by cypherpunks

kromek said:

even if you enable restrictions again, it will start remembering ruleset of websites you set to TRUSTED.

Tor Browser remembers TRUSTED websites regardless of whether disable restrictions globally was set before. This behaviour is reproducible on a clean Tor Browser install:

  • Launch Tor Browser and visit any website
  • Set the website to TRUSTED
  • Close and restart Tor Browser and visit the website again, the website is still set to trusted. The setting persists through reboot.

The same is true for giving permissions in NoScript's Options.

  • Launch Tor Browser on safest level
  • Click the NoScript icon and in the left menu, go to Options
  • General --> Preset customization, check one or more items (scripts, media, whatever)
  • Close and restart Tor Browser, the permissions are preserved. This is not reflected in the security settings or shield icon at all, both still show "safest". This will also survive reboot.

Tor Browser will reset itself after changing the security level repeatedly though (true for both scenarios).

Same as kromek, extensions.torbutton.noscript_persist is set to false, Override Tor Browser's Security Level preset is not checked.

OS is Debian bullseye/sid

Last edited 9 months ago by cypherpunks

comment:13 Changed 8 months ago by pili

Keywords: TorBrowserTeam202002 added; TorBrowserTeam202001 removed

Moving tickets to February

comment:14 Changed 8 months ago by sysrqb

Keywords: TorBrowserTeam202003 added; TorBrowserTeam202002 removed
Priority: High → Medium
Status: needs_information → new

This is a bug, and it should be fixed, but the NoScript configuration settings are hidden in Tor Browser for a reason. NoScript's settings should only be changed through the security slider.

Of course, some people change the settings manually, and when that leaks information the problem should be fixed.

comment:15 Changed 7 months ago by sysrqb

Keywords: TorBrowserTeam202006 added; TorBrowserTeam202003 removed

Move tickets to 2020 June

comment:16 Changed 5 months ago by sysrqb

Keywords: tbb-9.5-issues added; tbb-9.0-issues removed

Batch move remaining tbb-9.0-issues -> 9.5-issues

comment:17 Changed 5 months ago by sysrqb

Keywords: tbb-9.0-issues added; tbb-9.5-issues removed

comment:18 Changed 4 months ago by gk

Status: new → needs_information

Can someone double-check whether that is still an issue with the latest NoScript (>= 11.0.30)? This bug might have been fixed with #29957.
