Issues with about:blank and NoScript on .onion sites
Tor Browser: 9.0.1 (based on Mozilla Firefox 68.2.0esr) (64-bit) (Linux)
NoScript displays the following weird behavior on *.onion sites when the home page is changed from its default "about:tor" to "about:blank":
- Impossible to forbid scripts on the Standard security level
- Impossible to allow scripts on the Safest security level by setting TRUSTED/Temp. or TRUSTED/Custom. Scripts can only be enabled by disabling restrictions for this tab or disabling restrictions globally.
The first issue misleads the user about actual security settings, the second breaks functionality on sites. We suspect that other functions or extensions of the browser may be broken when "about:tor" is replaced with "about:blank" as the default home page.
These issues do not affect clearnet sites and local files. They are also absent if the default home page is changed do some URL or any other special page like "about:logo" or "about:library".
These issues were absent in versions 8.5.* and 9.0
How to reproduce:
Preferences => Home => Homepage and new windows => Blank Page
Restart browser
Open one of these URL to demonstrate:
Try to disallow scripts Standard or allow on Safest
Example HTML/JS code:
<pre>
<html lang="en">
<head>
<title>Tor Browser 9.0.1 NoScript bug demonstration</title>
<meta name="description" content="Tor Browser 9.0.1 NoScript bug demonstration" />
</head>
<body>
<div id="center-link">
<script>document.write("<span style='color:red; font-weight: bold'>Java Script works</span>")</script>
<noscript><span style='color:green'>Java Script doesn't work</span></noscript>
</div>
</body>
</html>
</pre>Trac:
Username: pf.team
Activity
Sorry, the "Restart browser" step must be before the demonstration step
I edited it for you
Trac:
Description: Tor Browser: 9.0.1 (based on Mozilla Firefox 68.2.0esr) (64-bit) (Linux)NoScript displays the following weird behavior on *.onion sites when the home page is changed from its default "about:tor" to "about:blank":
- Impossible to forbid scripts on the Standard security level
- Impossible to allow scripts on the Safest security level by setting TRUSTED/Temp. or TRUSTED/Custom. Scripts can only be enabled by disabling restrictions for this tab or disabling restrictions globally.
The first issue misleads the user about actual security settings, the second breaks functionality on sites. We suspect that other functions or extensions of the browser may be broken when "about:tor" is replaced with "about:blank" as the default home page.
These issues do not affect clearnet sites and local files. They are also absent if the default home page is changed do some URL or any other special page like "about:logo" or "about:library".
These issues were absent in versions 8.5.* and 9.0
How to reproduce:
Preferences => Home => Homepage and new windows => Blank Page
Open one of these URL to demonstrate:
** http://mysecret7rirx6ip.onion/test-js.html ** http://mysecretvrujzo2k.onion/test-js.html
Restart browser
Try to disallow scripts Standard or allow on Safest
Example HTML/JS code:
Tor Browser 9.0.1 NoScript bug demonstration<noscript><span style='color:green'>Java Script doesn't work</span></noscript> </div> </body>to
Tor Browser: 9.0.1 (based on Mozilla Firefox 68.2.0esr) (64-bit) (Linux)
NoScript displays the following weird behavior on *.onion sites when the home page is changed from its default "about:tor" to "about:blank":
- Impossible to forbid scripts on the Standard security level
- Impossible to allow scripts on the Safest security level by setting TRUSTED/Temp. or TRUSTED/Custom. Scripts can only be enabled by disabling restrictions for this tab or disabling restrictions globally.
The first issue misleads the user about actual security settings, the second breaks functionality on sites. We suspect that other functions or extensions of the browser may be broken when "about:tor" is replaced with "about:blank" as the default home page.
These issues do not affect clearnet sites and local files. They are also absent if the default home page is changed do some URL or any other special page like "about:logo" or "about:library".
These issues were absent in versions 8.5.* and 9.0
How to reproduce:
Preferences => Home => Homepage and new windows => Blank Page
Restart browser
Open one of these URL to demonstrate:
Try to disallow scripts Standard or allow on Safest
Example HTML/JS code:
<pre> <html lang="en"> <head> <title>Tor Browser 9.0.1 NoScript bug demonstration</title> <meta name="description" content="Tor Browser 9.0.1 NoScript bug demonstration" /> </head> <body> <div id="center-link"> <script>document.write("<span style='color:red; font-weight: bold'>Java Script works</span>")</script> <noscript><span style='color:green'>Java Script doesn't work</span></noscript> </div> </body> </html> </pre>mentioned in issue #32786 (moved)
mentioned in issue tpo/applications/tor-browser#32786 (closed)
