Re: [tor-bugs] #17917 [Applications/Tor Browser]: Changelog after update is empty if JS is disabled

[Tor Bug Tracker & Wiki]

#17917: Changelog after update is empty if JS is disabled
+
 Reporter:  gk  |  Owner:  mcs
 Type:  defect  | Status:  closed
 Priority:  Medium  |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:  fixed
 Keywords:  tbb-5.5, TorBrowserTeam201601R  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+

Comment (by bugzilla):

 Replying to [comment:27 ma1]:
 > Replying to [comment:26 bugzilla]:
 > > is there any hope that TBB-related tickets like
 
https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~noscript
 gain more priority? Thx.
 >
 > Yes, definitely, but no matter how disappointed you are for me
 prioritizing "Mozilla's bells and whistles", if NoScript doesn't comply
 first of all with Firefox's roadmap, which is already phasing out not-e10s
 compatible extensions, and then is going after legacy add-ons (i.e. all
 those which are not WebExtensions) there will be no NoScript to be fixed
 at all...
 Well, it seems you were frightened by Mozilla. Look how TBB Team solved
 that in #17248:
 > This is done and Mozilla should be aware of our needs by now.
 One sentence was removed from my message, but it had sense: it's a
 Mozilla's responsibility to port (or make it trivial to port)
 security/popular add-ons to their bells and whistles, and yours - only to
 review that. You can show them this message. But the main thought is that
 this activity shouldn't stall the security-related development.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #17917 [Applications/Tor Browser]: Changelog after update is empty if JS is disabled

[Tor Bug Tracker & Wiki]

#17917: Changelog after update is empty if JS is disabled
+
 Reporter:  gk  |  Owner:  mcs
 Type:  defect  | Status:  closed
 Priority:  Medium  |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:  fixed
 Keywords:  tbb-5.5, TorBrowserTeam201601R  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+

Comment (by ma1):

 Replying to [comment:26 bugzilla]:
 > is there any hope that TBB-related tickets like
 
https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~noscript
 gain more priority? Thx.

 Yes, definitely, but no matter how disappointed you are for me
 prioritizing "Mozilla's bells and whistles", if NoScript doesn't comply
 first of all with Firefox's roadmap, which is already phasing out not-e10s
 compatible extensions, and then is going after legacy add-ons (i.e. all
 those which are not WebExtensions) there will be no NoScript to be fixed
 at all...

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #17917 [Applications/Tor Browser]: Changelog after update is empty if JS is disabled

[Tor Bug Tracker & Wiki]

#17917: Changelog after update is empty if JS is disabled
+
 Reporter:  gk  |  Owner:  mcs
 Type:  defect  | Status:  closed
 Priority:  Medium  |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:  fixed
 Keywords:  tbb-5.5, TorBrowserTeam201601R  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+

Comment (by bugzilla):

 Replying to [comment:25 ma1]:
 Hmm, your reply is disappointing. Instead of putting security first, you
 preferred to fight with Mozilla's bells and whistles (e10s full
 compatibility and WebExtensions migration) that were buggy as hell and
 continued to be a crap until ESR52 definitely (maybe, they are payable for
 and that's the case). You haven't answered my emails to giorgio at
 maone.net, but I ask here: is there any hope that TBB-related tickets like
 
https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~noscript
 gain more priority? Thx.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #17917 [Applications/Tor Browser]: Changelog after update is empty if JS is disabled

[Tor Bug Tracker & Wiki]

#17917: Changelog after update is empty if JS is disabled
+
 Reporter:  gk  |  Owner:  mcs
 Type:  defect  | Status:  closed
 Priority:  Medium  |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:  fixed
 Keywords:  tbb-5.5, TorBrowserTeam201601R  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+

Comment (by ma1):

 Replying to [comment:24 bugzilla]:
 > Replying to [comment:16 mcs]:
 > > Maybe NoScript's behavior was modified at some point and we need to
 list the full URL for each about:... page. Should I ask Giorgio Maone?
 > You really should. Because about:cache is broken the same way, and who
 knows what else.

 At a certain point Mozilla phased out CAPS, which was the original
 declarative subsystem which NoScript relied upon for script blocking, and
 which automatically "knew" about internal about:xyz URIs marked as
 privileged, leaving them alone even if they were not whitelisted. In that
 context, an about URI not matching NoScript's whitelist was still capable
 of running scripts ''if privileged'' (e.g. about:addons), causing only a
 cosmetic UI mismatch (you would see it as forbidden in NoScript's UI while
 it worked anyway).
 Once CAPS has been removed, I had to switch to a completely different
 script-blocking approach, which programmatically checks each page's URL
 just before HTML parsing (and therefore script execution) starts and set
 "script blocked" flag at the window level. This flag is not overridden by
 "privileged" about: URIs, therefore if they're not whitelisted in NoScript
 they won't run scripts.
 From then on, whatever the UI says is in sync with the actual page status,
 but on the other hand if Mozilla adds new about: pages which require
 scripts (or starts requiring scripts for an existent about: page which
 could previously work without) it either needs to be manually whitelisted
 or, since we generally trust privileged browser code, it's preferably
 added to noscript.mandatory. Which, as you noticed, is not always up to
 date.
 As soon as I'm done with my current top priorities (e10s full
 compatibility and WebExtensions migration) I'll try to figure out a way to
 automatically keep in sync privileged about: URIs, if possible.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #17917 [Applications/Tor Browser]: Changelog after update is empty if JS is disabled

[Tor Bug Tracker & Wiki]

#17917: Changelog after update is empty if JS is disabled
+
 Reporter:  gk  |  Owner:  mcs
 Type:  defect  | Status:  closed
 Priority:  Medium  |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:  fixed
 Keywords:  tbb-5.5, TorBrowserTeam201601R  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+

Comment (by bugzilla):

 Replying to [comment:16 mcs]:
 > I do not know a lot about NoScript, but the default value for that pref
 is:
 >  chrome: blob: mediasource: moz-safe-about: about: about:addons
 about:blocked about:crashes about:home about:config about:neterror
 about:certerror about:memory about:plugins about:preferences
 about:privatebrowsing about:sessionrestore about:support resource:
 about:srcdoc
 > Maybe NoScript's behavior was modified at some point and we need to list
 the full URL for each about:... page. Should I ask Giorgio Maone?
 You really should. Because about:cache is broken the same way, and who
 knows what else.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs