Opened 8 months ago

Last modified 7 months ago

#33613 needs_information defect

Javascript Execution with NoScript Bypass

Reported by: sysrqb Owned by: tbb-team
Priority: Very High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: TorBrowserTeam202004
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by sysrqb)

The bug is upstream in Firefox 68esr. It is tracked by Bug 1621996.

Child Tickets

Change History (6)

comment:2 Changed 8 months ago by pospeselr

Status: needs_reviewmerge_ready

Looks good to me!

comment:3 Changed 8 months ago by sysrqb

Keywords: TorBrowserTeam202003 added
Status: merge_readyneeds_information

Okay, these were both merged onto their respective branches.

comment:4 Changed 7 months ago by pili

Keywords: TorBrowserTeam202004 added; TorBrowserTeam202003 removed

We are no longer in March

comment:5 Changed 7 months ago by arma

This ticket looks like a big deal, since it is linked from the 9.0.7 blog post
https://blog.torproject.org/new-release-tor-browser-907
with the text "Bug 33613: Disable Javascript on Safest security level"

So: is it actually in state 'needs_information', or was that a mistake in comment:3?

And: Can we give it a title more helpful than "811786"? :)

Thanks!

comment:6 Changed 7 months ago by sysrqb

Description: modified (diff)
Summary: 811786Javascript Execution with NoScript Bypass

The patches above disabled javascript execution, as a safe guard. The original NoScript migration for this Firefox bug was incomplete. We believe the current mitigation in NoScript successfully avoids the bug, but I want to give enough time for more people to poke at it before thinking about relying on NoScript completely for blocking javascript execution on the Safest security level.

Note: See TracTickets for help on using tickets.