Re: [tor-bugs] #31798 [Applications/Tor Browser]: wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser

2019-09-22 Thread Tor Bug Tracker & Wiki
#31798: wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser
--------------------------------------+----------------------
 Reporter:  adrelanos                 |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+----------------------

Comment (by cypherpunks):

 Possibly related to #31580.

 It's also worth noting that `xss/Exceptions.js` contains exceptions for
 some websites like youtube too. `lib/restricted.js` looks like it contains
 exceptions for a few mozilla domains and `chrome.google.com`. It links to
 https://bugzilla.mozilla.org/show_bug.cgi?id=1415644

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #31798 [Applications/Tor Browser]: wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser

2019-09-20 Thread Tor Bug Tracker & Wiki

Comment (by adrelanos):

 Replying to [comment:3 adrelanos]:
 > noscript [feature request] environment variable to clear default whitelist
 >
 > https://forums.informaction.com/viewtopic.php?f=10=25743

 Got answer:

 > Sorry but there is currently no way for a WebExtension to read
 > environment variables.

 

 Replying to [comment:2 gk]:
 > Meanwhile it would be helpful to understand why those issues only happen
 > in Whonix so far and get some steps to reproduce.

 It's not 100% reproducible yet.

 I've been using Tor Browser 8.5.5. I've enabled git version control for
 the Tor Browser folder so I can easily simulate a first start of Tor
 Browser using {{{git clean -dff ; git reset --hard ; git status}}}.

 On Debian buster.

 Create folder {{{/usr/share/homepage/whonix-welcome-page}}}.

 {{{
 sudo mkdir -p /usr/share/homepage/whonix-welcome-page
 }}}

 Open file {{{/usr/share/homepage/whonix-welcome-page/whonix.html}}} with
 root rights.

 {{{
 sudoedit /usr/share/homepage/whonix-welcome-page/whonix.html
 }}}

 Paste.

 {{{
 
 }}}

 Save.

 Start Tor Browser.

 {{{
 TOR_NO_DISPLAY_NETWORK_SETTINGS=1 TOR_SKIP_LAUNCH=1 ./start-tor-browser.desktop /usr/share/homepage/whonix-welcome-page/whonix.html
 }}}

 Tor Browser menu -> addons -> noscript -> preferences -> per site
 permissions

 You'll see noscript's default permissive websites enabled.

 

 What I can say with more certainty helps to avoid triggering this bug
 is:

 * not using a local browser start page
 * not passing a local browser start page as command line parameter
 * not setting environment variable {{{TOR_DEFAULT_HOMEPAGE}}}

 

 Previously in Whonix I managed to nail down setting
 {{{TOR_SKIP_CONTROLPORTTEST=1}}} to trigger the bug vs {{{unset
 TOR_SKIP_CONTROLPORTTEST}}} to avoid the bug.

 

 Too many environment variables causing this?

 Could be a race condition in noscript?


Re: [tor-bugs] #31798 [Applications/Tor Browser]: wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser

2019-09-19 Thread Tor Bug Tracker & Wiki

Comment (by toholdaquill):

 The use case for enabling per-site permissions via NoScript in Tor Browser
 is as follows.

 Let's say you visit twitter.com. You want to enable twitter.com and
 twimg.com, but not google-analytics.com. Using the Tor security slider,
 this level of fine-grained permissions is not possible.


Re: [tor-bugs] #31798 [Applications/Tor Browser]: wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser

2019-09-19 Thread Tor Bug Tracker & Wiki

Comment (by adrelanos):

 noscript [feature request] environment variable to clear default whitelist

 https://forums.informaction.com/viewtopic.php?f=10=25743

 Maybe someone could submit a patch to noscript?


Re: [tor-bugs] #31798 [Applications/Tor Browser]: wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser

2019-09-19 Thread Tor Bug Tracker & Wiki

Comment (by gk):

 We won't consider this unless we ship our own version of NoScript, which is
 currently not planned for the near future. We might even think about
 integrating just the security-settings related feature in the browser
 itself. Not sure yet. Meanwhile it would be helpful to understand why
 those issues only happen in Whonix so far and get some steps to reproduce.

 We deliberately took the NoScript button off the toolbar to make it harder
 for users to shoot themselves in the foot. Not sure what Whonix does but
 it's highly recommended to do the same.


Re: [tor-bugs] #31798 [Applications/Tor Browser]: wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser

2019-09-19 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 you messed with noscript; now you're fckd?


[tor-bugs] #31798 [Applications/Tor Browser]: wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser

2019-09-19 Thread Tor Bug Tracker & Wiki
 Noscript, file

 {{{
 {73a6fe31-595d-460b-a920-fcc0f8843232}
 }}}

 full path

 {{{
 tor-browser/Browser/TorBrowser/Data/Browser/profile.default/browser-extension-data/{73a6fe31-595d-460b-a920-fcc0f8843232}
 }}}

 when extracted contains file

 {{{
 common/Policy.js
 }}}

 which contains a list of websites.

 {{{
 addons.mozilla.org
 afx.ms ajax.aspnetcdn.com
 ajax.googleapis.com bootstrapcdn.com
 code.jquery.com firstdata.com firstdata.lv gfx.ms
 google.com googlevideo.com gstatic.com
 hotmail.com live.com live.net
 maps.googleapis.com mozilla.net
 netflix.com nflxext.com nflximg.com nflxvideo.net
 noscript.net
 outlook.com passport.com passport.net passportimages.com
 paypal.com paypalobjects.com
 securecode.com securesuite.net sfx.ms tinymce.cachefly.net
 wlxrs.com
 yahoo.com yahooapis.com
 yimg.com youtube.com ytimg.com
 }}}

 Related source code:

 {{{
 function defaultOptions() {
   return {
     sites: {
       trusted
 }}}

 File

 {{{
 legacy/defaults.js
 }}}

 is similar.

 Under [https://forums.whonix.org/t/noscript-with-security-slider-at-safest-permits-around-30-sites/8160 conditions]
 which are not clear to me yet how to reproduce, this can lead to
 whitelisting these websites in noscript even though Tor Browser security
 slider is set to maximum.

 It's arguable if addons.mozilla.org should be whitelisted by default (I
 won't argue about it) but for sure netflix, paypal, youtube and others
 don't deserve special treatment by Tor Browser. Obvious tracking and
 security risk.

 Looks like pressing the reset button in noscript also results in setting
 these websites to trusted by default in noscript.

 Therefore, please kindly consider to remove that whitelist from noscript.

 Additional suggestions:

 * Have a unit test that greps the source code for (these) websites so
 these aren't reintroduced in later (noscript) add-on versions.
 * Report to upstream (noscript).

 Related:

 https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/

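
The first "additional suggestion" in the original ticket, a test that greps the add-on source for these sites, could look like the sketch below. It is an added example, not code from Tor Browser or NoScript: the function names and the sample trees are constructed, and the domain list is the one quoted in the ticket.

```shell
#!/bin/sh
# Added example: regression check for default-trusted sites (names are hypothetical).
# Domain list copied from the ticket's excerpt of common/Policy.js.
DOMAINS="addons.mozilla.org afx.ms ajax.aspnetcdn.com ajax.googleapis.com
bootstrapcdn.com code.jquery.com firstdata.com firstdata.lv gfx.ms google.com
googlevideo.com gstatic.com hotmail.com live.com live.net maps.googleapis.com
mozilla.net netflix.com nflxext.com nflximg.com nflxvideo.net noscript.net
outlook.com passport.com passport.net passportimages.com paypal.com
paypalobjects.com securecode.com securesuite.net sfx.ms tinymce.cachefly.net
wlxrs.com yahoo.com yahooapis.com yimg.com youtube.com ytimg.com"

# check_no_default_sites DIR
# Prints "file:line:text" for each hit; returns 1 if any listed domain
# (or a subdomain of it) appears in a text file under DIR, 0 otherwise.
check_no_default_sites() {
  dir=$1
  # Escape the dots and join the domains into one alternation.
  alt=$(printf '%s\n' $DOMAINS | sed 's/\./\\./g' | paste -sd '|' -)
  # Left boundary allows "." so www.youtube.com matches; olive.com does not
  # match live.com, and youtube.community does not match youtube.com.
  pattern="(^|[^A-Za-z0-9-])(${alt})(\$|[^A-Za-z0-9.-])"
  hits=$(grep -rnIE -- "$pattern" "$dir" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Constructed sample trees (not real NoScript source): one with a trusted
# list, one clean file containing only look-alike strings.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/dirty/common" "$root/clean/common"
  printf '%s\n' 'const trusted = ["paypal.com", "youtube.com"];' \
    > "$root/dirty/common/Policy.js"
  printf '%s\n' 'const trusted = []; // olive.com notyoutube.community' \
    > "$root/clean/common/Policy.js"
  echo "$root"
}

sample=$(make_sample)
check_no_default_sites "$sample/clean" && echo "clean tree: ok"
check_no_default_sites "$sample/dirty" || echo "dirty tree: FAIL, list present"
rm -rf "$sample"
```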