[tor-bugs] #22699 [Applications/Tor Browser]: Use browser pref for javascript at High Security Level

[Tor Bug Tracker & Wiki]

#22699: Use browser pref for javascript at High Security Level
--+--
 Reporter:  mikeperry |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal|   Keywords:  tbb-security
Actual Points:|  Parent ID:
   Points:|   Reviewer:
  Sponsor:|
--+--
 It would be wise to set javascript.enabled to false in about:config at the
 high security level, in addition to having NoScript disable scripting for
 us. This should be an easy change, and there is no reason to exclusively
 depend on NoScript. NoScript could miss something, especially if the e10s
 transition caused a lot of upheaval.

 (Similarly, Firefox could miss something, since javascript.enabled is no
 longer a UI-exposed pref, so we should do both, for defense in depth.)

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22699 [Applications/Tor Browser]: Use browser pref for javascript at High Security Level

[Tor Bug Tracker & Wiki]

#22699: Use browser pref for javascript at High Security Level
--+--
 Reporter:  mikeperry |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-security  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by cypherpunks):

 And get "Temporarily allow all this page" broken?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22699 [Applications/Tor Browser]: Use browser pref for javascript at High Security Level

[Tor Bug Tracker & Wiki]

#22699: Use browser pref for javascript at High Security Level
+--
 Reporter:  mikeperry   |  Owner:  tbb-team
 Type:  enhancement | Status:  new
 Priority:  High|  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  tbb-security, TorBrowserTeam201706  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--
Changes (by gk):

 * keywords:  tbb-security => tbb-security, TorBrowserTeam201706


Comment:

 Good idea.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22699 [Applications/Tor Browser]: Use browser pref for javascript at High Security Level

[Tor Bug Tracker & Wiki]

#22699: Use browser pref for javascript at High Security Level
+--
 Reporter:  mikeperry   |  Owner:  tbb-team
 Type:  enhancement | Status:  new
 Priority:  High|  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  tbb-security, TorBrowserTeam201707  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--

Comment (by gk):

 Replying to [comment:1 cypherpunks]:
 > And get "Temporarily allow all this page" broken?

 Yes, the easy change, just adding `javascript.enabled` to the slider and
 have it set to `false` on the highest level does not work pretty well with
 temporarily allowing JavaScript.

 What we could do, though, is trying to bind `javascript.enabled` to the
 slider mode AND temporary NoScript permissions: if there are no websites
 where JavaScript is temporarily allowed AND the slider is on the highest
 level then `javascript.enabled` is set to `false`. Otherwise it is set to
 `true`. One of the downsides with this approach, though, is that the state
 of a global pref (`javascript.enabled`) can now depend on domain-wide
 decisions (i.e. allowing JavaScript on particular domains only). That's
 confusing but might be okay, given that allowing scripts on the highest
 security level is not recommended anyway.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22699 [Applications/Tor Browser]: Use browser pref for javascript at High Security Level

[Tor Bug Tracker & Wiki]

#22699: Use browser pref for javascript at High Security Level
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-security, tbb-security-slider,   |  Actual Points:
  TorBrowserTeam201708   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by cypherpunks):

 * keywords:  tbb-security, TorBrowserTeam201707 => tbb-security, tbb-
 security-slider, TorBrowserTeam201708


Comment:

 Replying to [comment:2 gk]:
 > Good idea.
 Yours is better.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22699 [Applications/Tor Browser]: Use browser pref for javascript at High Security Level

[Tor Bug Tracker & Wiki]

#22699: Use browser pref for javascript at High Security Level
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-security, tbb-security-slider,   |  Actual Points:
  TorBrowserTeam201708   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by cypherpunks):

 Given ticket:23258#comment:22, #23399, #18592 and
 https://bugzilla.mozilla.org/show_bug.cgi?id=971650, this idea doesn't
 look so good. It was discussed in #1811.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22699 [Applications/Tor Browser]: Use browser pref for javascript at High Security Level

[Tor Bug Tracker & Wiki]

#22699: Use browser pref for javascript at High Security Level
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  closed
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-security, tbb-security-slider,   |  duplicate
  TorBrowserTeam201708   |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by sysrqb):

 * status:  new => closed
 * resolution:   => duplicate


Comment:

 We did this in #33613. Given we landed a patch under that ticket, i'll
 close this as a dupe of that. However, it isn't a good solution.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs