Opened 12 months ago

Last modified 7 months ago

#32492 new defect

Unexpected NoScript behavior when security level is pinned using user.js

Reported by: kj Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: noscript, TorBrowserTeam202004
Cc: ma1 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


If a Tor Browser user attempts to pin the security level using user.js (see below), Tor Browser will launch with the pinned security level, but NoScript will not respect that choice and instead retain its previous behavior. For example, if the user attempts to pin the security level to "Safest" using user.js, closes Tor Browser with the security level set to "Safer" and then re-launches Tor Browser, NoScript will behave as though the security setting is "Safer", blocking non-HTTPS JavaScript but allowing HTTPS JavaScript to run.

This behavior is potentially dangerous because the user will believe all Tor Browser security features will follow the user's pinned choice and the user will see the shield icon appearance according to their chosen pinned security level, but NoScript may behave differently. For example, NoScript may run JavaScript without the user's knowledge if the user pins the security level to "Safest".

Reproduced in:

  • Tor Browser 9.0 and 9.0.1 (the first affected version is unknown)
  • NoScript 11.0.8 (the first affected version is unknown)
  • Debian 9 (stretch)

How to reproduce:

  • user.js allows pinning of Tor Browser (Firefox) parameters upon launch.
  1. Create user.js in: <tor-browser-top>/Browser/TorBrowser/Data/Browser/profile.default/
  2. Pin the security level to "Safest". Add the line: user_pref("extensions.torbutton.security_slider", 1);
  3. Launch Tor Browser, change the security level from "Safest" to something different, then close Tor Browser.
  4. Launch Tor Browser again, and confirm the security level is set to "Safest".
  5. Access a website that requires JavaScript to work properly.
  6. Confirm whether or not JavaScript is running.

Child Tickets

Change History (9)

comment:1 Changed 12 months ago by pili

Cc: ma1 added

comment:2 Changed 12 months ago by ma1

I strongly suspect that the Tor Browser sends NoScript its custom configuration message only in an observer for preferences changes, rather than on every startup, unless extensions.torbutton.noscript_inited is false.
Therefore changing the preference from user.js, which doesn't trigger the preference observer, doesn't affect NoScript (and possibly other stuff?)
Possible fix (if the diagnosis is correct): always call the preference observer on startup.
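To make the suspected mechanism concrete, here is an added toy model (not torbutton or NoScript code, and not from this ticket's authors). It models ma1's diagnosis: a preference observer pushes the slider level to NoScript when the pref changes, but at startup only if `extensions.torbutton.noscript_inited` is false; values applied from user.js arrive before any observer exists, so they are never pushed. The `PrefStore`, `NoScriptModel`, `startTorbutton*` and `relaunch` names are hypothetical, and the slider values 2 (Safer) and 4 (Standard) are assumed; only 1 = Safest is stated in the ticket.

```javascript
// Added example, not Tor Browser/torbutton/NoScript code: a toy model of the
// preference-observer pattern ma1 suspects, showing why a level pinned in
// user.js never reaches NoScript, and the "push config on every startup" fix.
// Slider values: 1 = Safest (from the ticket); 2 = Safer and 4 = Standard are
// assumed here for illustration.
const SLIDER_PREF = "extensions.torbutton.security_slider";
const INITED_PREF = "extensions.torbutton.noscript_inited";
const LEVEL = { SAFEST: 1, SAFER: 2, STANDARD: 4 };

// Hypothetical stand-in for the browser preference service.
class PrefStore {
  constructor(persisted) {
    this.prefs = { ...persisted };      // what prefs.js restored from last session
    this.observers = new Map();
  }
  get(name) { return this.prefs[name]; }
  observe(name, callback) {
    if (!this.observers.has(name)) this.observers.set(name, []);
    this.observers.get(name).push(callback);
  }
  // A change made through the UI: registered observers fire.
  set(name, value) {
    const changed = this.prefs[name] !== value;
    this.prefs[name] = value;
    if (changed) for (const cb of this.observers.get(name) || []) cb(value);
  }
  // user.js is applied while the profile loads, before any extension has
  // registered an observer, so pinned values arrive silently.
  applyUserJs(pinned) { Object.assign(this.prefs, pinned); }
}

// Hypothetical stand-in for NoScript: it keeps the last policy it was told.
function policyFor(level) {
  if (level === LEVEL.SAFEST) return "block all scripts";
  if (level === LEVEL.SAFER) return "block non-HTTPS scripts";
  return "allow scripts";
}
class NoScriptModel {
  constructor(restoredLevel) { this.policy = policyFor(restoredLevel); }
  receiveConfig(level) { this.policy = policyFor(level); }
}

// Suspected current behaviour: config is pushed from the observer, and at
// startup only when NoScript has never been initialised.
function startTorbuttonSuspected(prefs, noscript) {
  prefs.observe(SLIDER_PREF, (level) => noscript.receiveConfig(level));
  if (!prefs.get(INITED_PREF)) {
    noscript.receiveConfig(prefs.get(SLIDER_PREF));
    prefs.set(INITED_PREF, true);
  }
}

// ma1's proposed fix: run the same push unconditionally on every startup.
function startTorbuttonFixed(prefs, noscript) {
  prefs.observe(SLIDER_PREF, (level) => noscript.receiveConfig(level));
  noscript.receiveConfig(prefs.get(SLIDER_PREF));
}

// Replays the ticket's scenario: last session ended on "Safer", user.js pins
// "Safest" on relaunch. Returns what the shield shows vs. what NoScript does.
function relaunch(startTorbutton) {
  const prefs = new PrefStore({ [SLIDER_PREF]: LEVEL.SAFER, [INITED_PREF]: true });
  prefs.applyUserJs({ [SLIDER_PREF]: LEVEL.SAFEST });
  const noscript = new NoScriptModel(LEVEL.SAFER);  // remembers last session
  startTorbutton(prefs, noscript);
  return { shieldLevel: prefs.get(SLIDER_PREF), noscriptPolicy: noscript.policy };
}

// Changing the level from the UI fires the observer in both variants, which
// is why the bug only shows up for values set outside the running session.
function changeFromUi(startTorbutton, level) {
  const prefs = new PrefStore({ [SLIDER_PREF]: LEVEL.STANDARD, [INITED_PREF]: true });
  const noscript = new NoScriptModel(LEVEL.STANDARD);
  startTorbutton(prefs, noscript);
  prefs.set(SLIDER_PREF, level);
  return noscript.policy;
}

console.log("suspected:", relaunch(startTorbuttonSuspected));
console.log("fixed:    ", relaunch(startTorbuttonFixed));
```

In the suspected variant `relaunch` reports a shield at level 1 (Safest) while NoScript still enforces the Safer policy, which is exactly the mismatch the reporter describes; the fixed variant brings both into agreement without touching the observer path.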

comment:3 Changed 12 months ago by pili

Keywords: TorBrowserTeam201912 added

Thanks for your comments ma1, we'll try to look into this further next month

comment:4 Changed 11 months ago by kj

I experienced this issue even without pinning the security level:

  1. I launched Tor Browser. The security level was at "Safer" (the last used level).
  2. I changed the security level from "Safer" to "Safest".
  3. I fetched some websites.
  4. I see that JavaScript is running on all of them.
  5. NoScript options has a per-site permission "http:" (blocking non-HTTPS JavaScript).

I can't give further details at this stage because I wasn't performing a test and it's the first time I experienced this issue with security level pinning.

comment:5 Changed 10 months ago by sysrqb

Keywords: TorBrowserTeam202001 added; TorBrowserTeam201912 removed

comment:6 Changed 9 months ago by Thorin

Keywords: noscript added

comment:7 Changed 9 months ago by pili

Keywords: TorBrowserTeam202002 added; TorBrowserTeam202001 removed

Moving tickets to February

comment:8 Changed 8 months ago by pili

Keywords: TorBrowserTeam202003 added; TorBrowserTeam202002 removed

We are no longer in February, moving tickets

comment:9 Changed 7 months ago by pili

Keywords: TorBrowserTeam202004 added; TorBrowserTeam202003 removed

We are no longer in March
