Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  closed
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  TorBrowserTeam201906,|  Actual Points:
  GeorgKoppen201906, noscript|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 Thanks, fixed in `tor-browser-build` with commit
 07961f94a1d956c33c1d0448b6e5f69df6b03ea4 (on `master`) and
 26a5d9739b7e0d30f03da46b316ac15546e79eef (on `maint-8.5`).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201906,|  Actual Points:
  GeorgKoppen201906, noscript|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:  TorBrowserTeam201906, GeorgKoppen201906 =>
 TorBrowserTeam201906, GeorgKoppen201906, noscript


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by cypherpunks):

 Replying to [comment:10 ma1]:
 > Sadly, it looks like my first asynchronous work around attempt is not
 doing as good as it could, because apparently the resistFingerprinting
 clamping of Date.now() affects not just web content but WebExtensions too,
 causing the CPU to be relinquished every 100ms (which is the artificially
 imposed resolution), rather than 10ms as intended, therefore making long-
 running checks 10 times more sluggish than they should :(
 @gk: You should probably raise this with Mozilla, WebExt have now their
 own process in moz-central so it should theoretically be easy to let
 resistFingerprinting conquer almost everything except the WebExt process.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * cc: acat (added)


Comment:

 #30754 is a duplicate.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by gk):

 Replying to [comment:11 ma1]:
 > Replying to [comment:10 ma1]:
 > > Replying to [comment:8 gk]:
 > > > . While I can't reproduce on https://zeit.de anymore
 https://www.sravni.ru/kredity/na-100-rublej/ still freezes my browser
 (or makes it extremely sluggish) with 10.6.3rc3 (that's 9.0a1).
 > > Trying something else, stay tuned...
 > >
 > Please check
 https://github.com/hackademix/noscript/releases/tag/10.6.3rc4

 That seems to work for me, thanks!

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by gk):

 Replying to [comment:10 ma1]:
 > Replying to [comment:8 gk]:
 > > . While I can't reproduce on https://zeit.de anymore
 https://www.sravni.ru/kredity/na-100-rublej/ still freezes my browser
 (or makes it extremely sluggish) with 10.6.3rc3 (that's 9.0a1). Disabling
 NoScript's XSS feature gets back a smooth experience.
 >
 > Sadly, it looks like my first asynchronous work around attempt is not
 doing as good as it could, because apparently the resistFingerprinting
 clamping of Date.now() affects not just web content but WebExtensions too,

 That's a bug I think. I opened #30655 for that.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by ma1):

 Replying to [comment:10 ma1]:
 > Replying to [comment:8 gk]:
 > > . While I can't reproduce on https://zeit.de anymore
 https://www.sravni.ru/kredity/na-100-rublej/ still freezes my browser
 (or makes it extremely sluggish) with 10.6.3rc3 (that's 9.0a1).
 > Trying something else, stay tuned...
 >
 Please check https://github.com/hackademix/noscript/releases/tag/10.6.3rc4
 Thanks!

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by ma1):

 Replying to [comment:8 gk]:
 > . While I can't reproduce on https://zeit.de anymore
 https://www.sravni.ru/kredity/na-100-rublej/ still freezes my browser
 (or makes it extremely sluggish) with 10.6.3rc3 (that's 9.0a1). Disabling
 NoScript's XSS feature gets back a smooth experience.

 Sadly, it looks like my first asynchronous work around attempt is not
 doing as good as it could, because apparently the resistFingerprinting
 clamping of Date.now() affects not just web content but WebExtensions too,
 causing the CPU to be relinquished every 100ms (which is the artificially
 imposed resolution), rather than 10ms as intended, therefore making long-
 running checks 10 times more sluggish than they should :(

 Trying something else, stay tuned...

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by gk):

 Replying to [comment:5 cypherpunks]:
 > Replying to [comment:4 ma1]:
 > > Replying to [comment:3 cypherpunks]:
 > > > ma1, if you just try to search the correct pref, you can get what
 you want:
 
https://trac.torproject.org/projects/tor/search?q=extensions.webextensions.remote
 > >
 > > No, the info was not there.
 > Oh, you mean the absence of other tickets is not the obvious proof for
 you. Then only https://gitweb.torproject.org/tor-
 browser.git/tree/browser/app/profile/firefox.js?h=tor-
 browser-60.7.0esr-9.0-1#n78
 > > However I've installed 9.0a1,
 > o_0 Hey folks! Maone installed TB!
 > > and extensions.webextensions.remote is still false like in 8.5.
 > Trust no one.
 > > The proposed fix should work either way, though.
 > Did you test that in TB?

 Please keep the tone civilized. It's quite embarrassing to see someone
 being so rude. That#s not welcome here.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by gk):

 Replying to [comment:7 ma1]:
 > Please check
 https://github.com/hackademix/noscript/releases/tag/10.6.3rc3
 >
 > This should prevent any freeze, even on the heaviest payload.
 > Tested on 8.5 and 9.0a1.

 Not for me. While I can't reproduce on https://zeit.de anymore
 https://www.sravni.ru/kredity/na-100-rublej/ still freezes my browser
 (or makes it extremely sluggish) with 10.6.3rc3 (that's 9.0a1). Disabling
 NoScript's XSS feature gets back a smooth experience.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by ma1):

 Please check https://github.com/hackademix/noscript/releases/tag/10.6.3rc3

 This should prevent any freeze, even on the heaviest payload.
 Tested on 8.5 and 9.0a1.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by ma1):

 Replying to [comment:5 cypherpunks]:

 > > The proposed fix should work either way, though.
 > Did you test that in TB?

 No I couldn't, I'm sorry: I was paralyzed in awe of the grace and the
 usefulness of your comments.
 Not nearly as useful, and maybe exceedingly mundane, but would you by
 chance have also any patch (or idea for a fix) to contribute?
 Thanks.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by cypherpunks):

 Replying to [comment:4 ma1]:
 > Replying to [comment:3 cypherpunks]:
 > > ma1, if you just try to search the correct pref, you can get what you
 want:
 
https://trac.torproject.org/projects/tor/search?q=extensions.webextensions.remote
 >
 > No, the info was not there.
 Oh, you mean the absence of other tickets is not the obvious proof for
 you. Then only https://gitweb.torproject.org/tor-
 browser.git/tree/browser/app/profile/firefox.js?h=tor-
 browser-60.7.0esr-9.0-1#n78
 > However I've installed 9.0a1,
 o_0 Hey folks! Maone installed TB!
 > and extensions.webextensions.remote is still false like in 8.5.
 Trust no one.
 > The proposed fix should work either way, though.
 Did you test that in TB?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by ma1):

 Replying to [comment:3 cypherpunks]:
 > ma1, if you just try to search the correct pref, you can get what you
 want:
 
https://trac.torproject.org/projects/tor/search?q=extensions.webextensions.remote

 No, the info was not there. However I've installed 9.0a1, and
 extensions.webextensions.remote is still false like in 8.5.
 The proposed fix should work either way, though.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by cypherpunks):

 ma1, if you just try to search the correct pref, you can get what you
 want:
 
https://trac.torproject.org/projects/tor/search?q=extensions.webextensions.remote

 Also see #29043.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by ma1):

 NVM, I managed to reproduce. It freezes the browser for a few seconds on
 8.5 (where browser.webextensions.remote is false) while the firefox.real
 process gets 100% CPU.
 What's more annoying, it appears to affect more than just the browser on
 my Ubuntu box if I turn browser.webextensions.remote to true, which is
 counterintuitive (the extension should be doing its thing in its own
 process while the facebook HTTP subrequest is suspended) but might be due
 to some kind of IPC bug: this time nothing really freeze, but again for a
 few seconds other application become sluggish as well while a
 WebExtensions process takes 100% CPU.
 Do Tor Browser 9.0 have browser.webextensions.remote set to false or true?
 Either way, since it's already executed asyncronously, I wanna try
 breaking the main InjectionChecker loop into time-capped chunks (e.g.
 100ms max) which give the CPU back periodically on these very costly to
 analyze payload, and possibly (but it might not be necessary) move the
 whole in a dedicated worker.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30624 [Applications/Tor Browser]: Disable NoScript's XSS protection to avoid the whole computer freezing

[Tor Bug Tracker & Wiki]

#30624: Disable NoScript's XSS protection to avoid the whole computer freezing
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  TorBrowserTeam201905,|  Actual Points:
  GeorgKoppen201905  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by ma1):

 I doubt it's the same defect, or even similar, as the implementation of
 the filter has radically changed with WebExtensions, and now it runs
 asynchronously in its own process and shouldn't be able to block the
 browser, let alone the whole computer.
 Could you please provide me steps to reproduce reliably?
 Is it Tor Browser specific or does it affect Firefox too.
 Might it be related to the pseudo-modal warning dialog (which must go away
 anyway anyway, with the UI redesign), rather than the filter itself?
 Thanks.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs