Javascript Execution with NoScript Bypass

The bug is upstream in Firefox 68esr. It is tracked by Bug 1621996.

added TorBrowserTeam202004 component::applications/tor browser owner::tbb-team priority::very high severity::normal status::needs-information type::defect labels

For review: https://gitweb.torproject.org/user/sysrqb/torbutton.git/log/?h=bug33613_00

and backport: https://gitweb.torproject.org/user/sysrqb/torbutton.git/log/?h=bug33613_9.0_00

Trac:
Status: new to needs_review

Looks good to me!

Trac:
Status: needs_review to merge_ready

Okay, these were both merged onto their respective branches.

Trac:
Status: merge_ready to needs_information
Keywords: N/A deleted, TorBrowserTeam202003 added

We are no longer in March

Trac:
Keywords: TorBrowserTeam202003 deleted, TorBrowserTeam202004 added

This ticket looks like a big deal, since it is linked from the 9.0.7 blog post https://blog.torproject.org/new-release-tor-browser-907 with the text "Bug 33613: Disable Javascript on Safest security level"

So: is it actually in state 'needs_information', or was that a mistake in comment:3?

And: Can we give it a title more helpful than "811786"? :)

Thanks!

The patches above disabled javascript execution, as a safe guard. The original NoScript migration for this Firefox bug was incomplete. We believe the current mitigation in NoScript successfully avoids the bug, but I want to give enough time for more people to poke at it before thinking about relying on NoScript completely for blocking javascript execution on the Safest security level.

Trac:
Summary: 811786 to Javascript Execution with NoScript Bypass
Description: Placeholder.

to

The bug is upstream in Firefox 68esr. It is tracked by Bug 1621996.

mentioned in issue #33879 (moved)

moved to tpo/applications/tor-browser#33613 (closed)

mentioned in issue tpo/applications/tor-browser#33879 (closed)