Opened 4 weeks ago

Last modified 7 days ago

#32492 new defect

Unexpected NoScript behavior when security level is pinned using user.js

Reported by: kj
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: TorBrowserTeam201912
Cc: ma1
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

If a Tor Browser user attempts to pin the security level using user.js (see below), Tor Browser will launch with the pinned security level, but NoScript will not respect that choice and instead retain its previous behavior. For example, if the user attempts to pin the security level to "Safest" using user.js, closes Tor Browser with the security level set to "Safer" and then re-launches Tor Browser, NoScript will behave as though the security setting is "Safer", blocking non-HTTPS JavaScript but allowing HTTPS JavaScript to run.

This behavior is potentially dangerous because the user will believe all Tor Browser security features will follow the user's pinned choice and the user will see the shield icon appearance according to their chosen pinned security level, but NoScript may behave differently. For example, NoScript may run JavaScript without the user's knowledge if the user pins the security level to "Safest".

Reproduced in:

  • Tor Browser 9.0 and 9.0.1 (the first affected version is unknown)
  • NoScript 11.0.8 (the first affected version is unknown)
  • Debian 9 (stretch)

How to reproduce:

user.js allows pinning of Tor Browser (Firefox) parameters upon launch.

  1. Create user.js in: <tor-browser-top>/Browser/TorBrowser/Data/Browser/profile.default/
  2. Pin the security level to "Safest". Add the line: user_pref("extensions.torbutton.security_slider", 1);
  3. Launch Tor Browser, change the security level from "Safest" to something different, then close Tor Browser.
  4. Launch Tor Browser again, and confirm the security level is set to "Safest".
  5. Access a website that requires JavaScript to work properly.
  6. Confirm whether or not JavaScript is running.

Change History (4)

comment:1 Changed 4 weeks ago by pili

Cc: ma1 added

comment:2 Changed 4 weeks ago by ma1

I strongly suspect that the Tor Browser sends NoScript its custom configuration message only in an observer for preferences changes, rather than on every startup, unless extensions.torbutton.noscript_inited is false.
Therefore changing the preference from user.js, which doesn't trigger the preference observer, doesn't affect NoScript (and possibly other stuff?).
Possible fix (if the diagnosis is correct): always call the preference observer on startup.
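The mechanism ma1 suspects above, as an added toy model in JavaScript. This is not Tor Browser, Torbutton or NoScript code: the classes PrefStore and NoScriptModel and the functions startBrowser and reproduce are hypothetical names, the slider value 2 = "Safer" is assumed (the ticket only gives 1 = "Safest"), and NoScript's policy is reduced to "block all JS" versus "block HTTP JS only". The model replays the reproduction steps from the ticket and compares observer-only syncing with the proposed fix of always calling the observer on startup; the security-relevant result is the gap between what the shield icon shows and what NoScript enforces.

```javascript
// Added toy model of the startup desync suspected in comment:2. Not Tor Browser,
// Torbutton or NoScript code; PrefStore, NoScriptModel, startBrowser and
// reproduce are hypothetical names for this illustration.

const SLIDER = "extensions.torbutton.security_slider";
const INITED = "extensions.torbutton.noscript_inited";
// Value 1 = "Safest" is given in the ticket; 2 = "Safer" is assumed for the model.
const LEVELS = { 1: "Safest", 2: "Safer" };

// Preference store: observers fire on an interactive set(), but not when a value
// is loaded from user.js (or from the previous session's prefs) at startup.
class PrefStore {
  constructor() { this.values = new Map(); this.observers = []; }
  addObserver(fn) { this.observers.push(fn); }
  get(name) { return this.values.get(name); }
  loadSilently(name, value) { this.values.set(name, value); } // startup path, no notification
  set(name, value) {                                          // UI path, observers notified
    this.values.set(name, value);
    for (const fn of this.observers) fn(name);
  }
}

// NoScript side: the enforced policy changes only when a config message arrives,
// and it survives restarts because NoScript keeps its own storage.
class NoScriptModel {
  constructor() { this.policy = "unset"; }
  receiveConfig(level) { this.policy = level === 1 ? "block-all-js" : "block-http-js"; }
  allowsHttpsJs() { return this.policy !== "block-all-js"; }
}

// One browser session. `profile` models prefs.js state that survives restarts;
// `alwaysSyncOnStartup` switches on the fix proposed in comment:2.
function startBrowser(profile, userJs, noscript, alwaysSyncOnStartup) {
  const prefs = new PrefStore();
  prefs.loadSilently(SLIDER, profile.lastLevel);      // last session's value from prefs.js
  prefs.loadSilently(INITED, profile.noscriptInited);
  for (const [name, value] of Object.entries(userJs)) prefs.loadSilently(name, value); // user.js wins, silently
  const sync = (name) => { if (name === SLIDER) noscript.receiveConfig(prefs.get(name)); };
  prefs.addObserver(sync);
  if (!prefs.get(INITED) || alwaysSyncOnStartup) {
    sync(SLIDER);
    prefs.loadSilently(INITED, true);
  }
  return {
    prefs,
    shieldLevel: () => LEVELS[prefs.get(SLIDER)],   // what the shield icon shows
    httpsJsRuns: () => noscript.allowsHttpsJs(),     // what NoScript actually enforces
    shutdown: () => {
      profile.lastLevel = prefs.get(SLIDER);
      profile.noscriptInited = prefs.get(INITED);
    },
  };
}

// Replays the ticket's reproduction steps: user.js pins Safest, the user picks
// Safer during session 1, then restarts. Returns the shield level shown and
// whether HTTPS JavaScript still runs in session 2.
function reproduce(alwaysSyncOnStartup) {
  const profile = { lastLevel: 1, noscriptInited: false };
  const noscript = new NoScriptModel();
  const userJs = { [SLIDER]: 1 };
  const session1 = startBrowser(profile, userJs, noscript, alwaysSyncOnStartup);
  session1.prefs.set(SLIDER, 2); // dropdown change: observer fires, NoScript gets "Safer"
  session1.shutdown();
  const session2 = startBrowser(profile, userJs, noscript, alwaysSyncOnStartup);
  return { shield: session2.shieldLevel(), httpsJsRuns: session2.httpsJsRuns() };
}

console.log("observer only:", reproduce(false));  // shield "Safest", but HTTPS JS still runs
console.log("sync on startup:", reproduce(true)); // shield "Safest", HTTPS JS blocked
```

In the observer-only run the shield reports "Safest" while NoScript still enforces the "Safer" policy it received from the last interactive change, which is exactly the mismatch the ticket describes; calling the observer once at startup resyncs NoScript to whatever value user.js pinned.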

comment:3 Changed 4 weeks ago by pili

Keywords: TorBrowserTeam201912 added

Thanks for your comments, ma1. We'll try to look into this further next month.

comment:4 Changed 7 days ago by kj

I experienced this issue even without pinning the security level:

  1. I launched Tor Browser. The security level was at "Safer" (the last used level).
  2. I changed the security level from "Safer" to "Safest".
  3. I fetched some websites.
  4. I saw that JavaScript was running on all of them.
  5. The NoScript options had a per-site permission "http:" (blocking non-HTTPS JavaScript).

I can't give further details at this stage because I wasn't performing a test and it's the first time I experienced this issue with security level pinning.
