Opened 6 weeks ago

Closed 4 weeks ago

#32362 closed defect (fixed)

NoScript TRUSTED setting doesn't work

Reported by: nDe15o
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: TorBrowserTeam201912, noscript
Cc: ma1
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Steps to reproduce:

  1. Open Tor Browser.
  2. Open some web site, press NoScript button and select TRUSTED. The page is automatically reloaded and the scripts are executed.
  3. Wait some time (I'm not sure how long), don't close the browser.
  4. Reload the page.

Result:
The scripts are not executed although the setting still says TRUSTED.
After changing the setting to DEFAULT and then back to TRUSTED, the page is not automatically reloaded and the scripts are still blocked.

Expected result:
The scripts are not blocked. After changing the setting to DEFAULT and then back to TRUSTED, the page is automatically reloaded and the scripts are not blocked.

Affected Tor Browser version: 9.0
Not affected Tor Browser versions: 8.x

Workaround:
Press "Disable restrictions for this tab" in NoScript. Then the page is automatically reloaded and the scripts are not blocked.
Or reopen the browser and then press TRUSTED for the site.

Attachments (1)

trusted.png (29.6 KB) - added by nDe15o 5 weeks ago.

Change History (14)

comment:1 Changed 6 weeks ago by nDe15o

> I'm not sure how long

I checked it. It happens after 78 hours for sure. It doesn't happen for https://trac.torproject.org though, it happens for .onion sites. Maybe only for one specific .onion site. I will check it and leave a comment later (after 78 hours.)

comment:2 Changed 6 weeks ago by sysrqb

Keywords: tbb-9.0-issues TorBrowserTeam201912 added
Status: new → needs_information

Thanks. Please let us know the result and please tell us if there is a url we can use for investigating and testing.

Changed 5 weeks ago by nDe15o

Attachment: trusted.png added

comment:3 Changed 5 weeks ago by nDe15o

I updated Tor Browser to version 9.0.1. I tested several .onion sites and this problem happens for all of them (e.g. http://archivecaslytosk.onion/.) This time it happened after ~14 hours or less. Here's a screenshot of what it looks like: https://trac.torproject.org/projects/tor/attachment/ticket/32362/trusted.png

comment:4 Changed 5 weeks ago by nDe15o

I tried to debug NoScript. This is what happens when I reload the tab where http://archivecaslytosk.onion/ is opened. It goes to Policy.js#448 and siteMatch is null, so it returns the default permissions (which is only perms.capabilities: Set(2) of 0:"frame" 1: "other"):

    get(site, ctx = null) {
      let perms, contextMatch;
      let siteMatch = !(this.onlySecure && /^\w+tp:/i.test(site)) && this.sites.match(site);
      if (siteMatch) {
        perms = this.sites.get(siteMatch);
        if (ctx) {
          contextMatch = perms.contextual.match(ctx);
          if (contextMatch) perms = perms.contextual.get(ctx);
        }
      } else {
        perms = this.DEFAULT;
      }

      return {perms, siteMatch, contextMatch};
    }

It is null because this.sites.match(site) returns null.

Stack trace:

get (Policy.js#448)
fetchChildPolicySync (main.js#167)
onSyncMessage (main.js#207)
notifyListeners (SyncMessage.js#138)
<anonymous> (SyncMessage.js#28)

comment:5 Changed 5 weeks ago by gk

Cc: ma1 added
Keywords: noscript added

comment:6 Changed 5 weeks ago by nDe15o

And this is what happens in Policy.js parse function:
it goes to this if

        if (Sites.onionSecure && url.protocol === "http:" && url.hostname.endsWith(".onion")) {
          url.protocol = "https:";
        }

but skips it, because Sites.onionSecure is undefined.

comment:7 Changed 5 weeks ago by gk

Keywords: tbb-9.0-issues removed

I don't think this is related to 9.0 but rather to NoScript's 11.0.4.

comment:8 Changed 5 weeks ago by nDe15o

I don't know why but it says that I have version 11.0.7 of NoScript.

comment:9 Changed 5 weeks ago by nDe15o

I just installed a fresh Tor Browser 9.0.1. NoScript version was 11.0.4.
I changed Security Level to Safest.
I opened http://archivecaslytosk.onion/ and made it TRUSTED.
Then after some time it automatically updated to 11.0.7 and the problem appeared.
So the act of updating resets Sites.onionSecure to undefined.

I've just managed to reproduce it again, but instead of waiting, you can press "Check for updates" on about:addons page. You can check it yourself.
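
The failure chain traced in comment:4, comment:6 and comment:9, as an added example that is not part of the ticket and is not NoScript's code. `SiteTable`, its methods and the .onion hostname are hypothetical, and it assumes a TRUSTED entry is stored under the normalized origin:

```javascript
// Added illustration; SiteTable and its methods are hypothetical, not NoScript's API.
// Assumption: a TRUSTED entry is stored under the normalized origin of the site.
class SiteTable {
  constructor() {
    this.onionSecure = undefined;   // stands in for Sites.onionSecure
    this.entries = new Map();       // normalized origin -> preset name
  }

  // Same condition as the check quoted in comment:6.
  key(site) {
    const url = new URL(site);
    if (this.onionSecure && url.protocol === "http:" && url.hostname.endsWith(".onion")) {
      url.protocol = "https:";
    }
    return url.origin;
  }

  trust(site) {
    this.entries.set(this.key(site), "TRUSTED");
  }

  // Same fallback shape as get() in comment:4: no match means DEFAULT.
  get(site) {
    const k = this.key(site);
    const siteMatch = this.entries.has(k) ? k : null;
    return { perms: siteMatch ? this.entries.get(siteMatch) : "DEFAULT", siteMatch };
  }

  // Consistency check: https .onion keys exist but the flag that produces them is unset.
  flagLost() {
    return !this.onionSecure &&
      [...this.entries.keys()].some(k => k.startsWith("https://") && k.endsWith(".onion"));
  }
}

function reproduce() {
  const site = "http://constructedexample.onion/"; // constructed hostname
  const table = new SiteTable();
  table.onionSecure = true;        // flag set, as in Tor Browser
  table.trust(site);
  const before = table.get(site).perms;
  table.onionSecure = undefined;   // flag reset by an update or disable/re-enable
  const after = table.get(site).perms;
  const detected = table.flagLost();
  table.onionSecure = true;        // flag restored
  const restored = table.get(site).perms;
  return { before, after, detected, restored };
}
```

The stored entry never changes; only the lookup key does, which is why the UI can still show TRUSTED while the lookup returns DEFAULT.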

comment:10 Changed 5 weeks ago by nDe15o

And I suspect even your

    if (UI.local.isTorBrowser) {
      Sites.onionSecure = true;
    }

in ui.js (which is called when NoScript button is pressed) doesn't help because probably ui has a separate process or thread idk (https://wiki.mozilla.org/Electrolysis), and its Sites is not the same.

comment:11 in reply to:  9 ; Changed 5 weeks ago by ma1

Replying to nDe15o:

> I just installed a fresh Tor Browser 9.0.1. NoScript version was 11.0.4.
> I changed Security Level to Safest.
> I opened http://archivecaslytosk.onion/ and made it TRUSTED.
> Then after some time it automatically updated to 11.0.7 and the problem appeared.
> So the act of updating resets Sites.onionSecure to undefined.

Thank you very much for the detailed reporting and debugging.
The same effect without changing version should be reproducible by disabling and re-enabling the extension.
Please check NoScript 11.0.8rc1, which should fix this issue.
Thanks again.

comment:12 in reply to:  11 Changed 5 weeks ago by nDe15o

Replying to ma1:

> Please check NoScript 11.0.8rc1, which should fix this issue.

Just checked, yes, it fixes it. Thanks.

comment:13 Changed 4 weeks ago by gk

Resolution: fixed
Status: needs_information → closed

Thanks. I bumped NoScript to 11.0.8 (commit a750c9303469cd524c9091bbebca95a7905de912 and a8066f0972088860ac44ebb66da5b3c036f47135 on tor-browser-build's master and maint-9.0).