Bug #16613
TorButton and/or NoScript are not fully set up on first Tor Browser launch: breaks circuits display and security slider
0%
Description
Current set of problems
See Bug #16613#note-8.
Initial problem statement
Hi,
When setting Tor Browser security slide to High in Tails, NoScript icon differs from the one of Tor Browser on another OS in the same condition:
- In Tails the icon supposedly means: scripts are allowed for the top-level (main) document, but some other active content or script sources imported by this page are not allowed yet. This happens when there are multiple frames, or script elements linking code hosted on 3rd party hosts.
- In non-Tails the icon means: this means that scripts and plugin contents are blocked for the current site and its subframes. Even if some of the 3rd party script sources imported by the page may be in your whitelist, no code could run because the hosting documents are not enabled.
The NoScript version is slightly different (Tails is 10.2.4, Debian 10.2.5).
So the question are: why is NoScript behavior different? Is the icon consistent with its behavior?
Thanks
Files
Subtasks
Related issues
Related to Tails - Bug #17007: JavaScript sometimes blocked on Tor Browser first start ⇒ "Watching a WebM video over HTTPS" and "Playing an Ogg audio track" scenarios are fragile: blocked by NoScript click-to-play | Confirmed | ||
Blocks Tails - Feature #16209: Core work: Foundations Team | Confirmed |
History
#1 Updated by intrigeri 2019-04-03 09:38:49
- Assignee changed from intrigeri to mercedes508
- QA Check set to Info Needed
> When setting Tor Browser security slide to High in Tails,
I’ll assume you mean “Safest”.
I did this, both in Tails 3.13.1 and with Tor Browser 8.0.8 on Debian sid:
- Start Tor Browser.
- Click the Onion icon → Security settings → Safest
- Open https://riseup.net
In both cases I see the same NoScript icon. I’ll attach a screenshot.
> NoScript icon differs from the one of Tor Browser on another OS in the same condition:
Please provide screenshots so I can see what icon you get.
> The NoScript version is slightly different (Tails is 10.2.4, Debian 10.2.5).
Tor Browser ships its own version of NoScript so Tails should be using the same version as Tor Browser (unless you’ve tweaked your Tor Browser to use add-ons from the system, which might explain the results you’re seeing).
#2 Updated by intrigeri 2019-04-03 09:39:56
- File Screenshot from 2019-04-03 11-36-49.png added
#3 Updated by mercedes508 2019-04-03 13:19:39
Hi,
Sure I meant safest by high.
When looking at your screenshot, the NoScript icons next to the url bar are different, right? That’s what I’m talking about.
#4 Updated by mercedes508 2019-04-03 13:24:08
- Assignee changed from mercedes508 to intrigeri
#5 Updated by intrigeri 2019-04-04 06:26:30
- Subject changed from NoScript icon when security slide set to high indicates some JS are allowed to NoScript icon when security slider set to Safest indicates some JS are allowed
#6 Updated by intrigeri 2019-04-04 06:27:54
- Status changed from New to Confirmed
- QA Check deleted (
Info Needed)
mercedes508 wrote:
> When looking at your screenshot, the NoScript icons next to the url bar are different, right? That’s what I’m talking about.
Gotcha!
#7 Updated by intrigeri 2019-05-02 16:44:52
intrigeri wrote:
> > The NoScript version is slightly different (Tails is 10.2.4, Debian 10.2.5).
>
> Tor Browser ships its own version of NoScript so Tails should be using the same version as Tor Browser
I was wrong: Tor Browser allows automatic updates for some add-ons such as NoScript, while Tails disables that (pref("extensions.update.enabled", false)
). So for example, after starting Tor Browser 8.0.8 in Tails 3.13.1 and outside of Tails, both had 10.2.4; and a few minutes later, the Tor Browser running outside of Tails had silently been upgraded to 10.6.1.
#8 Updated by intrigeri 2019-05-02 17:06:10
- Subject changed from NoScript icon when security slider set to Safest indicates some JS are allowed to TorButton and/or NoScript are not fully set up on first Tor Browser launch
OK, I can reproduce this except if I quit Tor Browser and start it again. Interestingly:
- The first instance has no Tor circuits display, no HTTPS Everywhere icon (known since
Feature #15023), and this different NoScript icon. - The second instance has working Tor circuits display, displays a HTTPS Everywhere icon, and no
myController
-related error in the logs.
So I believe that either Torbutton, or NoScript, or their communication channel, is not fully working on first start of Tor Browser in Tails. This would explain both the missing circuits display and the fact the “Safest” security level is not fully taken into account (if at all). IIRC, in August/September, gecko and maone implemented some workarounds to fix a related race condition that affected only Tails (https://trac.torproject.org/projects/tor/ticket/26520). I remember I tested them during our summit. Looks like we still have a problem :/
This looks related to Bug #15777 (https://trac.torproject.org/projects/tor/ticket/23359).
#9 Updated by intrigeri 2019-05-02 17:06:55
- Description updated
#10 Updated by intrigeri 2019-05-02 17:12:35
- blocks Feature #16209: Core work: Foundations Team added
#11 Updated by intrigeri 2019-05-02 17:13:18
Next steps: test with Tor Browser 8.5 (just in case — I doubt it’ll fix this problem); then gather enough data and report this upstream.
#12 Updated by intrigeri 2019-05-02 17:14:01
- Priority changed from Normal to Elevated
- Target version deleted (
Tails_3.14)
(I doubt I’ll have time to do that by 3.14; making this ticket pop up high enough on the FT’s radar.)
#13 Updated by intrigeri 2019-05-02 17:14:23
- Subject changed from TorButton and/or NoScript are not fully set up on first Tor Browser launch to TorButton and/or NoScript are not fully set up on first Tor Browser launch: breaks circuits display and security slider
- Assignee deleted (
intrigeri)
#14 Updated by segfault 2019-06-06 13:53:00
- Assignee set to segfault
#15 Updated by segfault 2019-06-06 14:42:55
- Assignee deleted (
segfault)
I can’t reproduce the issue with the circuits display on 3.13.2 or 3.14. Here is what I did: Start Tails, start Tor Browser, set security level to safest, open riseup.net, click on the site information to view the circuit.
I can reproduce the issue that the HTTPS everywhere icon is not displayed and the NoScript icon is different on 3.13.2. But both icons are never displayed in 3.14.
#16 Updated by intrigeri 2019-06-07 09:47:44
segfault wrote:
> I can’t reproduce the issue with the circuits display on 3.13.2 or 3.14. Here is what I did: Start Tails, start Tor Browser, set security level to safest, open riseup.net, click on the site information to view the circuit.
@segfault, so next step is: check if the security level change is effective in Tails 3.14. Better not rely on NoScript (or the presence of its icon) for that, but instead check that whatever content is supposed to be blocked, is actually blocked. Makes sense?
> I can reproduce the issue that the HTTPS everywhere icon is not displayed and the NoScript icon is different on 3.13.2. But both icons are never displayed in 3.14.
Indeed, that’s expected as of Tor Browser 8.5 (Bug #16746).
#17 Updated by segfault 2019-06-16 15:22:41
intrigeri wrote:
> segfault wrote:
> > I can’t reproduce the issue with the circuits display on 3.13.2 or 3.14. Here is what I did: Start Tails, start Tor Browser, set security level to safest, open riseup.net, click on the site information to view the circuit.
>
> @segfault, so next step is: check if the security level change is effective in Tails 3.14. Better not rely on NoScript (or the presence of its icon) for that, but instead check that whatever content is supposed to be blocked, is actually blocked. Makes sense?
Makes sense, but is harder than expected. According to https://tb-manual.torproject.org/security-slider, the safest setting has these effects:
> HTML5 video and audio media become click-to-play via NoScript; all JavaScript performance optimizations are disabled; some mathematical equations may not display properly; some font rendering features are disabled; some types of image are disabled; Javascript is disabled by default on all sites; most video and audio formats are disabled; and some fonts and icons may not display correctly.
I tested that JavaScript is disabled and HTML5 videos don’t play automatically (I couldn’t find a website which played HTML5 videos at all at this security setting, probably because “most video and audio formats are disabled”).
I will have to investigate how to test font rendering features and which types of images are supposed to be disabled.
#18 Updated by intrigeri 2019-06-17 16:07:32
> Makes sense, but is harder than expected. According to https://tb-manual.torproject.org/security-slider, the safest setting has these effects:
>> HTML5 video and audio media become click-to-play via NoScript; all JavaScript performance optimizations are disabled; some mathematical equations may not display properly; some font rendering features are disabled; some types of image are disabled; Javascript is disabled by default on all sites; most video and audio formats are disabled; and some fonts and icons may not display correctly.
> I tested that JavaScript is disabled and HTML5 videos don’t play automatically (I couldn’t find a website which played HTML5 videos at all at this security setting, probably because “most video and audio formats are disabled”).
Great.
> I will have to investigate how to test font rendering features and which types of images are supposed to be disabled.
Most of what the security slider does is setting prefs, so I think it would be good enough to check that a few of these prefs are set as expected; let’s assume here that Firefox honors these prefs correctly.
#19 Updated by segfault 2019-07-10 18:32:23
- Status changed from Confirmed to Resolved
intrigeri wrote:
> > I will have to investigate how to test font rendering features and which types of images are supposed to be disabled.
>
> Most of what the security slider does is setting prefs, so I think it would be good enough to check that a few of these prefs are set as expected; let’s assume here that Firefox honors these prefs correctly.
Finally managed to do this. Took me a while to find the code responsible for this, because I expected that it changes firefox preferences (i.e. the ones editable via about:config). But that doesn’t seem to be case - just FTR (maybe someone finds this when we have to check stuff like that again): NoScript is controlled via WebExtension messages, the code is in src/modules/noscript-control.js
in torbutton.git.
I verified that, in Tails 3.14, when I change the security slider to “Safer” or “Safest”, the NoScript settings are changed according to the values defined in src/modules/noscript-control.js
.
#20 Updated by intrigeri 2019-07-11 19:12:15
> I verified that, in Tails 3.14, when I change the security slider to “Safer” or “Safest”, the NoScript settings are changed according to the values defined in src/modules/noscript-control.js
.
Great! :)
#21 Updated by intrigeri 2019-09-07 09:17:10
- related to Bug #17007: JavaScript sometimes blocked on Tor Browser first start ⇒ "Watching a WebM video over HTTPS" and "Playing an Ogg audio track" scenarios are fragile: blocked by NoScript click-to-play added