Feature #7127

Evaluate Tor Browser's new JavaScript security enhancements

Added by anonym 2014-04-27 13:36:32 . Updated 2014-07-19 14:55:47 .

Status:
Resolved
Priority:
Normal
Assignee:
anonym
Category:
Target version:
Tails_1.1
Start date:
2014-04-27
Due date:
% Done:

0%

Feature Branch:
Type of work:
Wait
Blueprint:

Starter:
0
Affected tool:
Browser
Deliverable for:

Description

We did not import commit 7febc36b4c770dec084def2696bd0f956ef9442f (“Add security enhancements suggested by Jesse Ruderman.”) into our Iceweasel 24.5.0esr build since they hadn’t been tested much in the wild at the time of building and so may introduce subtle regressions, which would be a shame for the Tails 1.0 release. This should be re-evaluated in time for Tails 1.1.

This change is already live in Tor Browser 3.6-beta-2, and will be in the stable 3.5.5 release AFAICT, so we should ask Mike Perry or the other TBB people how it all went.

Subtasks

History

#1 Updated by intrigeri 2014-04-28 16:48:50

  • Subject changed from Evaluate Tor Browser's new JS security enhancements to Evaluate Tor Browser's new JavaScript security enhancements

#2 Updated by intrigeri 2014-05-12 03:25:05

  • Type of work changed from Research to Wait

Let’s wait for the TBB team’s plans on https://trac.torproject.org/projects/tor/ticket/9387.

#3 Updated by intrigeri 2014-05-12 03:31:07

  • Assignee set to anonym

That’s related to building our browser, so putting it on the RM’s plate.

#4 Updated by anonym 2014-05-30 04:10:13

These settings are present in our 24.5.0esr-1+tails1~bpo70+1. However, they severely degrades JavaScript performance to the point where the TBB people are considering a revert.

#5 Updated by anonym 2014-06-08 05:02:48

It’s gonna be in TBB 3.6.2, although it was moved from its dedicated commit into the general “Tor Browser’s Firefox preference overrides” one. I say we keep these settings for now then, and ship them in Tails 1.0.1. Perhaps we should still keep this ticket around with the Tails_1.1 milestone so we track the progress on this front a bit more, since there’s still no final decision really on the upstream ticket.

#6 Updated by intrigeri 2014-06-08 05:13:49

Agreed!

#7 Updated by intrigeri 2014-06-10 11:01:59

For the record: these new JS settings are now set in Tails 1.0.1, and in current testing/devel branch (Feature #7379).

#8 Updated by intrigeri 2014-07-14 11:18:40

  • Status changed from Confirmed to Resolved

We’ve included these changes in Tails 1.0.1, and received very little complains, so I say we have no reason to deviate from the Tor Browser’s settings here. If they decide to keep it, we’ll keep it. If they drop it, we’ll drop it as well.

#9 Updated by intrigeri 2014-07-19 14:55:47

The Tor Browser team is revisiting this decision: https://trac.torproject.org/projects/tor/ticket/12653