Opened 8 years ago

Closed 5 years ago

#3976 closed defect (duplicate)

Unnecessary white listed web sites for NoScript(?)

Reported by: joyton
Owned by: erinn
Priority: Medium
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords:
Cc: jcrimby@…, mikeperry, ma1
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The following web sites are listed under Noscript white list, I think I understand why addons.mozilla.org and googleapis.com are listed, but I wonder if the others should _not_ be listed by default.

addons.mozilla.org

googleapis.com

gstatic.com

paypal.com

paypalobjects.com

wlxrs.com

Child Tickets

Change History (12)

comment:1 Changed 8 years ago by mikeperry

Component: Tor Browser → Tor bundles/installation
Milestone: → TorBrowserBundle 2.2.x-stable
Owner: changed from mikeperry to erinn

Right. We should remove pretty much everything but addons.mozilla.org. If you disable JS, you should really be disabling JS, except in cases where it causes you to fail to authenticate code and software updates.

comment:2 Changed 8 years ago by Sebastian

Status: new → needs_review

bug3976 in my repo

comment:3 Changed 8 years ago by cypherpunks

You may safely remove about:blank and about:credits, too. I have absolutely no idea why they're whitelisted - about:credits loads https://www.mozilla.org/credits/ and doesn't use any scripts whatsoever. about:blank shouldn't load any scripts either, I have always removed it from the whitelist and never had any problems. It looks like a weird backdoor :D

comment:4 Changed 8 years ago by Sebastian

Cc: mikeperry added

Mike, do you foresee any problems when we also remove the about:* stuff? noscript claims we "better" keep them enabled to keep firefox happy, but... do we really?

comment:5 in reply to: 4 Changed 8 years ago by mikeperry

Replying to Sebastian:

Mike, do you foresee any problems when we also remove the about:* stuff? noscript claims we "better" keep them enabled to keep firefox happy, but... do we really?

Pretty sure that disabling scripting on about:blank will break JS-driven popup windows and AJAX sites that want to create a blank frame and then populate it.

I'd guess that they are whitelisted because of Firefox API weirdness. Say you whitelist mail.google.com, for example. If and when that thing decides to do AJAX into blank frames (with 'about:blank' urls), those frames could be blocked. This is all just a guess, though.

But, on the other hand, I think that what we're trying to provide with NoScript is a way to *really* disable all scripts, or *really* enable them. I think the in-between modes of whitelisting can be confusing and something we'd like to actually hide from the default UI if we could.

comment:6 Changed 8 years ago by Sebastian

I'm still a bit unclear what the implications are for the patch I made. Is it enough, or should it be extended?

comment:7 Changed 8 years ago by mikeperry

Sebastian: Your branch looks fine to me. I don't have a strong opinion on about:blank. I suspect removing it will make people who actually use the whitelist feature unhappy when whitelisting stuff like mail.google.com doesn't work for them.

So I think it's best to just merge your branch as-is, with about:blank still present.

However, if Mr. Cypherpunks wants to try whitelisting various websites with about:blank disabled and see if any break, that would be useful input.

comment:8 Changed 8 years ago by cypherpunks

So far, Mr. Cypherpunks has reported the useless about:credits entry to NoScript people and it's removed as of v2.3.9, so you may want to adjust your patch accordingly. See http://forums.informaction.com/viewtopic.php?f=7&t=8390 for more info.

comment:9 Changed 8 years ago by cypherpunks

NoScript 2.3.9 with about:credits removed from the whitelist is out, see http://noscript.net/changelog

Btw, as a test I've set noscript.mandatory to an empty string and removed EVERYTHING from the whitelist. I can't see any regressions at all, for example I can still update my extensions from about:addons, error pages (about:neterror) still show as expected, I can still change my settings in about:config, etc. I recommend this lifestyle.

comment:10 Changed 8 years ago by mikeperry

Cc: ma1 added

Giorgio now has an account on our bugtracker. Perhaps he can comment on the about:blank, about:certerror, and other about urls in the whitelist.

comment:11 in reply to: 10 Changed 8 years ago by ma1

Replying to mikeperry:

Giorgio now has an account on our bugtracker. Perhaps he can comment on the about:blank, about:certerror, and other about urls in the whitelist.

about:credits was whitelisted when it was a local popup with a scroller of the major contributors, which depended on JavaScript for its animation.

Now that it's just a remote scriptless web page it's useless, and it has been removed indeed.

about:blank is needed by some edge cases, including one which would prevent bookmarklets from being emulated on scriptless pages.

Many about:xyz URLs don't need to be whitelisted to run scripts because they're flagged as "trusted" by their protocol handler implementation and bypass CAPS: those are in the mandatory whitelist to prevent confusion for the user, because JavaScript just cannot be disabled there (and the mandatory whitelist reflects this on the UX level).
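
A small audit script, added here as an example for this ticket (not Tor Project or NoScript code), that applies the policy the thread converges on: read a profile's prefs.js, list every NoScript whitelist entry, keep only addons.mozilla.org plus the internal about:/chrome: entries ma1 describes, and report any other external host as unexpected. It assumes that classic NoScript stores its whitelists as space-separated strings in the prefs noscript.mandatory (named in comment:9) and noscript.default (an assumed pref name), and that entries may be bare hosts or scheme-prefixed origins. The sample prefs.js fragment is constructed from the domain list in the ticket description.

```python
"""Audit the NoScript whitelist stored in a Firefox prefs.js / user.js.

Added example for ticket #3976; not Tor Project or NoScript code.
Assumptions: NoScript (classic) keeps its whitelists in the string prefs
"noscript.default" (assumed name) and "noscript.mandatory" (named in the
ticket), each a space-separated list of hosts or about:/chrome: URLs.
"""
import re

# user_pref("name", "string value");  -- only string-valued prefs matter here
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')

# Hosts kept by default: only what is needed to authenticate add-on updates
# (the ticket's conclusion). Every other external host is reported.
MINIMAL_HOSTS = {"addons.mozilla.org"}

# Internal URLs (about:blank etc.) are not external script sources; the thread
# keeps about:blank, so they are listed separately rather than flagged.
INTERNAL_SCHEMES = ("about:", "chrome:", "resource:")


def parse_user_prefs(text):
    """Return {pref_name: value} for the string prefs in a prefs.js fragment."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).replace('\\"', '"')
    return prefs


def normalize_host(entry):
    """NoScript accepts bare hosts and scheme-prefixed origins; compare on host."""
    return re.sub(r"^https?://", "", entry).rstrip("/").lower()


def is_internal(entry):
    return entry.startswith(INTERNAL_SCHEMES)


def audit_whitelist(prefs, minimal=MINIMAL_HOSTS):
    """Classify every whitelist entry as keep / internal / unexpected."""
    report = {"keep": [], "internal": [], "unexpected": []}
    for pref in ("noscript.default", "noscript.mandatory"):
        for entry in prefs.get(pref, "").split():
            if is_internal(entry):
                report["internal"].append((pref, entry))
            elif normalize_host(entry) in minimal:
                report["keep"].append((pref, entry))
            else:
                report["unexpected"].append((pref, entry))
    return report


def hardened_value(value, minimal=MINIMAL_HOSTS):
    """Rewrite one whitelist value keeping only minimal hosts and internal URLs."""
    kept = [e for e in value.split()
            if is_internal(e) or normalize_host(e) in minimal]
    return " ".join(kept)


# Constructed sample mirroring the ticket's list; not taken from a real profile.
SAMPLE_PREFS = """\
user_pref("noscript.default", "addons.mozilla.org googleapis.com gstatic.com paypal.com paypalobjects.com wlxrs.com");
user_pref("noscript.mandatory", "about:blank about:credits about:neterror");
user_pref("noscript.global", false);
"""

if __name__ == "__main__":
    prefs = parse_user_prefs(SAMPLE_PREFS)
    report = audit_whitelist(prefs)
    for pref, entry in report["unexpected"]:
        print(f"{pref}: unexpected external host {entry}")
    print("hardened noscript.default:", hardened_value(prefs["noscript.default"]))
```

Run against the constructed sample it reports the five hosts the reporter questioned (googleapis.com, gstatic.com, paypal.com, paypalobjects.com, wlxrs.com) and leaves the about: entries untouched, which matches the branch merged here with about:blank still present; point it at a real profile's prefs.js to check a deployed bundle the same way.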

comment:12 Changed 5 years ago by gk

Milestone: TorBrowserBundle 2.2.x-stable
Resolution: duplicate
Status: needs_review → closed

This issue got at least fixed by #10464. Thus, closing it as a duplicate.
