Tails

#1 Updated by intrigeri 2019-04-03 09:38:49

• Assignee changed from intrigeri to mercedes508
• QA Check set to Info Needed

> When setting Tor Browser security slide to High in Tails,

I’ll assume you mean “Safest”.

I did this, both in Tails 3.13.1 and with Tor Browser 8.0.8 on Debian sid:

1. Start Tor Browser.
2. Click the Onion icon → Security settings → Safest
3. Open https://riseup.net

In both cases I see the same NoScript icon. I’ll attach a screenshot.

> NoScript icon differs from the one of Tor Browser on another OS in the same condition:

Please provide screenshots so I can see what icon you get.

> The NoScript version is slightly different (Tails is 10.2.4, Debian 10.2.5).

Tor Browser ships its own version of NoScript so Tails should be using the same version as Tor Browser (unless you’ve tweaked your Tor Browser to use add-ons from the system, which might explain the results you’re seeing).

#2 Updated by intrigeri 2019-04-03 09:39:56

• File Screenshot from 2019-04-03 11-36-49.png added

#4 Updated by mercedes508 2019-04-03 13:24:08

• Assignee changed from mercedes508 to intrigeri

#5 Updated by intrigeri 2019-04-04 06:26:30

• Subject changed from NoScript icon when security slide set to high indicates some JS are allowed to NoScript icon when security slider set to Safest indicates some JS are allowed

#6 Updated by intrigeri 2019-04-04 06:27:54

• Status changed from New to Confirmed
• QA Check deleted (Info Needed)

mercedes508 wrote:
> When looking at your screenshot, the NoScript icons next to the url bar are different, right? That’s what I’m talking about.

Gotcha!

#8 Updated by intrigeri 2019-05-02 17:06:10

• Subject changed from NoScript icon when security slider set to Safest indicates some JS are allowed to TorButton and/or NoScript are not fully set up on first Tor Browser launch

OK, I can reproduce this except if I quit Tor Browser and start it again. Interestingly:

• The first instance has no Tor circuits display, no HTTPS Everywhere icon (known since Feature #15023), and this different NoScript icon.
• The second instance has working Tor circuits display, displays a HTTPS Everywhere icon, and no myController-related error in the logs.

So I believe that either Torbutton, or NoScript, or their communication channel, is not fully working on first start of Tor Browser in Tails. This would explain both the missing circuits display and the fact the “Safest” security level is not fully taken into account (if at all). IIRC, in August/September, gecko and maone implemented some workarounds to fix a related race condition that affected only Tails (https://trac.torproject.org/projects/tor/ticket/26520). I remember I tested them during our summit. Looks like we still have a problem :/

This looks related to Bug #15777 (https://trac.torproject.org/projects/tor/ticket/23359).

#9 Updated by intrigeri 2019-05-02 17:06:55

• Description updated

#10 Updated by intrigeri 2019-05-02 17:12:35

• blocks Feature #16209: Core work: Foundations Team added

#12 Updated by intrigeri 2019-05-02 17:14:01

• Priority changed from Normal to Elevated
• Target version deleted (Tails_3.14)

(I doubt I’ll have time to do that by 3.14; making this ticket pop up high enough on the FT’s radar.)

#13 Updated by intrigeri 2019-05-02 17:14:23

• Subject changed from TorButton and/or NoScript are not fully set up on first Tor Browser launch to TorButton and/or NoScript are not fully set up on first Tor Browser launch: breaks circuits display and security slider
• Assignee deleted (intrigeri)

#14 Updated by segfault 2019-06-06 13:53:00

• Assignee set to segfault

#15 Updated by segfault 2019-06-06 14:42:55

• Assignee deleted (segfault)

I can’t reproduce the issue with the circuits display on 3.13.2 or 3.14. Here is what I did: Start Tails, start Tor Browser, set security level to safest, open riseup.net, click on the site information to view the circuit.

I can reproduce the issue that the HTTPS everywhere icon is not displayed and the NoScript icon is different on 3.13.2. But both icons are never displayed in 3.14.

#19 Updated by segfault 2019-07-10 18:32:23

• Status changed from Confirmed to Resolved

intrigeri wrote:
> > I will have to investigate how to test font rendering features and which types of images are supposed to be disabled.
>
> Most of what the security slider does is setting prefs, so I think it would be good enough to check that a few of these prefs are set as expected; let’s assume here that Firefox honors these prefs correctly.

Finally managed to do this. Took me a while to find the code responsible for this, because I expected that it changes firefox preferences (i.e. the ones editable via about:config). But that doesn’t seem to be case - just FTR (maybe someone finds this when we have to check stuff like that again): NoScript is controlled via WebExtension messages, the code is in src/modules/noscript-control.js in torbutton.git.

I verified that, in Tails 3.14, when I change the security slider to “Safer” or “Safest”, the NoScript settings are changed according to the values defined in src/modules/noscript-control.js.

#21 Updated by intrigeri 2019-09-07 09:17:10

• related to Bug #17007: JavaScript sometimes blocked on Tor Browser first start ⇒ "Watching a WebM video over HTTPS" and "Playing an Ogg audio track" scenarios are fragile: blocked by NoScript click-to-play added