Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  noscript, tbb-usability, ff52-esr,   |  Actual Points:
  TorBrowserTeam201704R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by ma1):

 Replying to [comment:11 gk]:

 > That one fixes the issue, thanks. Closing this ticket. The next NoScript
 update will contain the fix I guess.

 It does. 5.0.3 stable is published on AMO now, thanks for reporting this.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  noscript, tbb-usability, ff52-esr,   |  Actual Points:
  TorBrowserTeam201704R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * priority:  Very High => Medium
 * severity:  Critical => Normal


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  closed
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Critical | Resolution:  fixed
 Keywords:  noscript, tbb-usability, ff52-esr,   |  Actual Points:
  TorBrowserTeam201704R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:  noscript, tbb-usability-website, ff52-esr,
 TorBrowserTeam201704R => noscript, tbb-usability, ff52-esr,
 TorBrowserTeam201704R


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  closed
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Critical | Resolution:  fixed
 Keywords:  noscript, tbb-usability-website, |  Actual Points:
  ff52-esr, TorBrowserTeam201704R|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * status:  needs_review => closed
 * resolution:   => fixed


Comment:

 Replying to [comment:4 ma1]:
 > Please check 5.0.3rc5 from https://noscript.net/getit#devel
 > Thanks!

 That one fixes the issue, thanks. Closing this ticket. The next NoScript
 update will contain the fix I guess.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_review
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Critical | Resolution:
 Keywords:  noscript, tbb-usability-website, |  Actual Points:
  ff52-esr, TorBrowserTeam201704R|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by cypherpunks):

 Replying to [comment:9 ma1]:
 > Replying to [comment:8 cypherpunks]:
 >
 > > Didn't you guess? ;-)
 > > From your URL it failed with [...]
 > > From AMO - works.
 >
 > No, I didn't and couldn't guess: those XPI files are identical (I
 sinchronize them as soon as they're signed by AMO) and they both install
 fine on a stable Firefox. Weird.
 Well, it was 'Temporary load add-on for debugging' feature :)
 > But, can you verify the bug reported here is fixed?
 Hmm, how to say? Testing revealed:
 1. https://check.torproject.org/?lang=en_US now is loading forever with no
 success (e10s), or there is OCSP failure (non-e10s).
 2. reloading youtube after high->medium gives no svg, etc (not noscript-
 related?), second reloading works.
 3. video is behind placeholder which allows video/mse, after clicking,
 reloading leads to error on video, because audio/mse is blocked (but no
 placeholder).
 4. seems it was ad video, because after enabling audio/mse from menu,
 there is an error again, because video/mse was blocked (but no placeholder
 again).
 5. strong feeling that that's not all ;)

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_review
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Critical | Resolution:
 Keywords:  noscript, tbb-usability-website, |  Actual Points:
  ff52-esr, TorBrowserTeam201704R|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by ma1):

 Replying to [comment:8 cypherpunks]:

 > Didn't you guess? ;-)
 > From your URL it failed with [...]
 > From AMO - works.

 No, I didn't and couldn't guess: those XPI files are identical (I
 sinchronize them as soon as they're signed by AMO) and they both install
 fine on a stable Firefox. Weird.

 But, can you verify the bug reported here is fixed?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_review
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Critical | Resolution:
 Keywords:  noscript, tbb-usability-website, |  Actual Points:
  ff52-esr, TorBrowserTeam201704R|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by cypherpunks):

 Replying to [comment:7 ma1]:
 > Replying to [comment:5 cypherpunks]:
 > > 16:02:59.098 Error: Only restartless (bootstrap) add-ons can be
 installed from sources:
 > > Stack trace:
 > >
 
this.XPIProvider.installAddonFromLocation<@resource://gre/modules/addons/XPIProvider.jsm:4151:13
 >
 > Where are you installing the XPI from? Did you try from the URL I
 provided you with, or from AMO ( https://addons.mozilla.org/en-
 US/firefox/addon/noscript/versions/beta )?
 Didn't you guess? ;-)
 From your URL it failed with
 {{{
 1492633619500   addons.xpi  WARNDownload of
 https://secure.informaction.com/download/betas/noscript-5.0.3rc5.xpi
 failed: [Exception... "Certificate issuer is not built-in."  nsresult:
 "0x80004004 (NS_ERROR_ABORT)"  location: "JS frame ::
 resource://gre/modules/CertUtils.jsm :: checkCert :: line 171"  data: no]
 Stack trace: checkCert()@resource://gre/modules/CertUtils.jsm:171 <
 onStopRequest()@resource://gre/modules/addons/XPIProvider.jsm:6547
 }}}
 From AMO - works.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_review
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Critical | Resolution:
 Keywords:  noscript, tbb-usability-website, |  Actual Points:
  ff52-esr, TorBrowserTeam201704R|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by ma1):

 Replying to [comment:5 cypherpunks]:
 > 16:02:59.098 Error: Only restartless (bootstrap) add-ons can be
 installed from sources:
 > Stack trace:
 >
 
this.XPIProvider.installAddonFromLocation<@resource://gre/modules/addons/XPIProvider.jsm:4151:13

 Where are you installing the XPI from? Did you try from the URL I provided
 you with, or from AMO ( https://addons.mozilla.org/en-
 US/firefox/addon/noscript/versions/beta )?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_review
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Critical | Resolution:
 Keywords:  noscript, tbb-usability-website, |  Actual Points:
  ff52-esr, TorBrowserTeam201704R|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:  noscript, tbb-usability-website, ff52-esr => noscript, tbb-
 usability-website, ff52-esr, TorBrowserTeam201704R


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_review
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Critical | Resolution:
 Keywords:  noscript, tbb-usability-website, |  Actual Points:
  ff52-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by cypherpunks):

 16:02:59.098 Error: Only restartless (bootstrap) add-ons can be installed
 from sources:
 Stack trace:
 
this.XPIProvider.installAddonFromLocation<@resource://gre/modules/addons/XPIProvider.jsm:4151:13
 TaskImpl_run@resource://gre/modules/Task.jsm:319:42
 Handler.prototype.process@resource://gre/modules/Promise.jsm ->
 resource://gre/modules/Promise-backend.js:932:23
 this.PromiseWalker.walkerLoop@resource://gre/modules/Promise.jsm ->
 resource://gre/modules/Promise-backend.js:813:7
 this.PromiseWalker.scheduleWalkerLoop/<@resource://gre/modules/Promise.jsm
 -> resource://gre/modules/Promise-backend.js:747:11
  1 controls.js:63:9
 loadAddonFromFile/<
 resource://devtools/client/aboutdebugging/components/addons/controls.js:63:9
 Handler.prototype.process resource://gre/modules/Promise-
 backend.js:935:21
 this.PromiseWalker.walkerLoop resource://gre/modules/Promise-
 backend.js:813:7
 this.PromiseWalker.scheduleWalkerLoop/< resource://gre/modules
 /Promise-backend.js:747:11

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_review
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Critical | Resolution:
 Keywords:  noscript, tbb-usability-website, |  Actual Points:
  ff52-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by ma1):

 * status:  new => needs_review


Comment:

 Please check 5.0.3rc5 from https://noscript.net/getit#devel
 Thanks!

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Critical | Resolution:
 Keywords:  noscript, tbb-usability-website, |  Actual Points:
  ff52-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by ma1):

 It is a UI-only bug. The scripts are blocked or allowed according to the
 HTTPS status as designed, because the checks happen in the content
 process.
 Unfortunately the UI-side, living in the parent process, cannot touch the
 DOM window. Nevertheless, we've got the URL available, so a work-around is
 on its way :)

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Critical | Resolution:
 Keywords:  noscript, tbb-usability-website, |  Actual Points:
  ff52-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by ma1):

 Working on it, thanks.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Critical | Resolution:
 Keywords:  noscript, tbb-usability-website, |  Actual Points:
  ff52-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by cypherpunks):

 * priority:  Medium => Very High
 * severity:  Normal => Critical


Comment:

 And
 {{{
 [04-17 20:04:10] Torbutton NOTE: Failed to update NoScript status for
 security setings: TypeError: win is null
 }}}

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #21923 [Applications/Tor Browser]: Allowing only HTTPS JavaScript on the medium security slider level is broken

[Tor Bug Tracker & Wiki]

#21923: Allowing only HTTPS JavaScript on the medium security slider level is
broken
-+-
 Reporter:  gk   |  Owner:  tbb-team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor |Version:
  Browser|   Keywords:  noscript, tbb-
 Severity:  Normal   |  usability-website, ff52-esr
Actual Points:   |  Parent ID:
   Points:   |   Reviewer:
  Sponsor:   |
-+-
 In
 {{{
 isGlobalHttps: function(win, /*optional */ s) {
 let allow = false;
 if (s && !this._isHttpsAndNotUntrusted(s)) return false;

 for (;; win = win.parent) {
   let site =
 this.getSite(this.getPrincipalOrigin(this.getPrincipal(win.document)));
   if (!(allow = s && site === s || this._isHttpsAndNotUntrusted(site))
 || win === win.parent)
 break;
   s = site;
 }

 return allow;
   },
 }}}
 {{{
 let site =
 this.getSite(this.getPrincipalOrigin(this.getPrincipal(win.document)));
 }}}
 breaks as `win` is `null`.

 This happens on a Tor Browser nightly with e10s enabled and based on ESR52
 (tested on Linux 64 bits). The result is that the NoScript icon does not
 get updated anymore and I guess all JS is disabled (I have not verified
 that).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs