Opened 3 months ago

Last modified 2 months ago

#34144 needs_information defect

user.js is ignored after Tor (part) starts

Reported by: davidnewcomb Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Steps to reproduce:

1)
create file Browser/TorBrowser/Data/Browser/profile.default/user.js with contents:

blank 1st line
user_pref("javascript.enabled", false);
user_pref("app.update.auto", false);

2)
Start Tor and wait for Tor connection pop up.

3)
Make sure user.js was included:
$ grep -e app.update.auto -e javascript.enabled Browser/TorBrowser/Data/Browser/profile.default/prefs.js
user_pref("app.update.auto", false);
user_pref("javascript.enabled", false);

4)
Click "Connect" to and wait for browser to start

5)
Check prefs.js again, and javascript.enabled is gone
$ grep -e app.update.auto -e javascript.enabled Browser/TorBrowser/Data/Browser/profile.default/prefs.js
user_pref("app.update.auto", false);

Expected behaviour:
According to Firefox documentation user.js may override any preference. There's a warning that plugins that ignore this won't pass certification.
After Tor has finished playing with the configuration it must apply the user.js again.
With the current setup there doesn't seem to be a way to start the Tor browser with javascript.enabled set to false and allow the user to change it to true if that want.

Background:
We are running Tor inside docker, so constantly downloading updates until we can update the docker image seems like unnecessary waste of precious onion bandwidth.

With app.update.auto set to false, we get a pop up which says there is a new version available so we can update in our own time.

With the current setup there doesn't seem to be a way to start the Tor browser with javascript.enabled set to false and allow the user to change it to true if that want.

Child Tickets

Change History (1)

comment:1 Changed 2 months ago by gk

Component: ApplicationsApplications/Tor Browser
Owner: set to tbb-team
Status: newneeds_information

I suspect the security settings interfere with that in some way. There are two knobs you could try for the JavaScript part:

1) extensions.torbutton.security_slider set to 1 right from the beginning should give you the highest security mode that contains disabling the preference in question. That is the recommended way of achieving your goal.

2) Setting extensions.torbutton.security_custom to true and then disabling JavaScript as you tried might work as well.

If neither of those two options works for you this is a bug we should look closer at.

Note: See TracTickets for help on using tickets.