Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2020-06-09 Thread Tor Bug Tracker & Wiki
#29957: clicking on "click to play" media leaks URLs via NoScript on-disk
preferences
--------------------------------------------------+------------------------------
 Reporter:  catalyst                              |          Owner:  tbb-team
     Type:  defect                                |         Status:  closed
 Priority:  High                                  |      Milestone:
Component:  Applications/Tor Browser              |        Version:
 Severity:  Normal                                |     Resolution:  fixed
 Keywords:  tbb-disk-leak, tbb-newnym, noscript,  |  Actual Points:
            TorBrowserTeam202006                  |
Parent ID:                                        |         Points:
 Reviewer:                                        |        Sponsor:
--------------------------------------------------+------------------------------
Changes (by gk):

 * keywords:  tbb-disk-leak, tbb-newnym, noscript =>
   tbb-disk-leak, tbb-newnym, noscript, TorBrowserTeam202006
 * status:  needs_information => closed
 * resolution:   => fixed


Comment:

 Replying to [comment:13 ma1]:
 > After some thinking I've decided that the new Incognito-restricted UI is
 > a very good idea for Firefox and Chromium users in PBM. It's neutral for
 > vanilla Tor Browser users (who can't see it by default anyway), and it's
 > likely annoying for users who took the pain of restoring the NoScript
 > button and checking the "''Override Tor Browser's Security Level preset''"
 > option for the sole purpose of customizing their permissions and having
 > them survive sessions.
 >
 > Therefore https://github.com/hackademix/noscript/releases/tag/11.0.27rc6
 > disables non-temporary presets in the popup UI for all PBM users except
 > those who choose to "have it their way" (with ''Override Tor Browser
 > etc.''), while click to play permissions (the scope of this bug) are
 > always made temporary for all PBM and Tor Browser windows (but can be
 > turned into permanent from the ''Per-site Permissions'' UI).

 Great, thanks. A quick test of the latest NoScript (11.0.30) shows that
 this bug is fixed. Yay!

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs


Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2020-06-01 Thread Tor Bug Tracker & Wiki
#29957: clicking on "click to play" media leaks URLs via NoScript on-disk
preferences
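--------------------------------------------------+------------------------------
 Reporter:  catalyst                              |          Owner:  tbb-team
     Type:  defect                                |         Status:  needs_information
 Priority:  High                                  |      Milestone:
Component:  Applications/Tor Browser              |        Version:
 Severity:  Normal                                |     Resolution:
 Keywords:  tbb-disk-leak, tbb-newnym, noscript   |  Actual Points:
Parent ID:                                        |         Points:
 Reviewer:                                        |        Sponsor:
--------------------------------------------------+------------------------------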

Comment (by ma1):

 OK, after some thinking I've decided that the new Incognito-restricted UI
 is a very good idea for Firefox and Chromium users in PBM. It's neutral
 for vanilla Tor Browser users (who can't see it by default anyway), and
 it's likely annoying for users who took the pain of restoring the NoScript
 button and checking the "''Override Tor Browser's Security Level preset''"
 option for the sole purpose of customizing their permissions and having
 them survive sessions.

 Therefore rc6 disables non-temporary presets in the popup UI for all PBM
 users except those who choose to "have it their way" (with ''Override Tor
 Browser etc.''), while click to play permissions (the scope of this bug)
 are always made temporary for all PBM and Tor Browser windows (but can be
 turned into permanent from the ''Per-site Permissions'' UI).



Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2020-06-01 Thread Tor Bug Tracker & Wiki

Comment (by ma1):

 Just to be clear, 11.0.27 in PBM tabs/windows does the following:

 1. Disables any contextual widget (in the tab-originated popups) leading
 to giving permanent permissions (and therefore URLs being persisted on the
 disk): therefore you can only set Temp. TRUSTED or Temp. CUSTOM (neither
 TRUSTED, UNTRUSTED nor permanent CUSTOM) unless that was the setting when
 the UI popup has been opened
 2. When unblocking a media element, the permission is always marked as
 temporary and never persisted to the disk.

 Of course you can still turn the temporary permissions to permanent from
 the "Per-site preferences" options panel, if you really want to.

 I'm not sure whether 1 is too strict for people who intentionally checked
 "override Tor Browser security policies", since this would erase any
 permission customization on browser restarts (as all Tor Browser windows
 are incognito, right?), but it seemed a transparent middle-way to help
 them not to shoot themselves in the foot. What do you think?



Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2020-06-01 Thread Tor Bug Tracker & Wiki

Comment (by ma1):

 OK, in the end I managed to squeeze it into 11.0.27rc5 (I'm about to
 submit 11.0.27 "stable" to AMO), because it felt just too important to
 wait anymore.

 Please check
 https://github.com/hackademix/noscript/releases/tag/11.0.27rc5



Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2020-06-01 Thread Tor Bug Tracker & Wiki

Comment (by ma1):

 Replying to [comment:9 gk]:

 > Thanks (I guess you mean 11.0.27, right? ;)). I think binding it to Tor
 > Browser might not be the best option.

 Sorry, that's 11.0.28 (as 11.0.27 is shipping today) and PBM on any
 browser, rather than just Tor Browser, you're right (not enough coffee
 this morning).



Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2020-06-01 Thread Tor Bug Tracker & Wiki

Comment (by gk):

 Replying to [comment:8 ma1]:
 > Replying to [comment:5 gk]:
 > > Okay, thanks for those steps that helped me a lot. Giorgio: given that
 > > this violates assumptions about Private Browsing Mode (PBM) usage (There
 > > should not be leaked any information about web browsing to disk in that
 > > mode let alone possibly problematic URLs) is there a way for NoScript to
 > > actually adhere to the PBM rules the user/Tor Browser has intentionally
 > > enabled? Like saving the exceptions in memory and only there if in PBM? It
 > > seems to me there is no reason to save them to disk in that case.
 >
 > Yes, it can be done. I'll need to flag all permissions as temporary
 > (maybe if not explicitly overridden by the user some way, e.g. via an
 > option in the confirmation dialog) for sessions where the Tor Browser is
 > detected as the host.
 >
 > I will put this in 11.0.25.

 Thanks (I guess you mean 11.0.27, right? ;)). I think binding it to Tor
 Browser might not be the best option. It seems to me the PBM/non-PBM
 distinction is important here. I doubt Firefox users in PBM expect their
 site exceptions to be written to disk either given their conscious choice
 to enable PBM in the first place. Thus, respecting *that* distinction
 seems more important than Tor Browser/non-Tor Browser AND it fits better
 to the mental model (Tor) Browser users have.



Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2020-06-01 Thread Tor Bug Tracker & Wiki

Comment (by ma1):

 Replying to [comment:5 gk]:
 > Okay, thanks for those steps that helped me a lot. Giorgio: given that
 > this violates assumptions about Private Browsing Mode (PBM) usage (There
 > should not be leaked any information about web browsing to disk in that
 > mode let alone possibly problematic URLs) is there a way for NoScript to
 > actually adhere to the PBM rules the user/Tor Browser has intentionally
 > enabled? Like saving the exceptions in memory and only there if in PBM? It
 > seems to me there is no reason to save them to disk in that case.

 Yes, it can be done. I'll need to flag all permissions as temporary (maybe
 if not explicitly overridden by the user some way, e.g. via an option in
 the confirmation dialog) for sessions where the Tor Browser is detected as
 the host.

 I will put this in 11.0.25.



Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2020-06-01 Thread Tor Bug Tracker & Wiki
Changes (by gk):

 * cc: m1 (removed)
 * cc: ma1 (added)


Comment:

 Ha, I added the wrong handle to Cc :(. ma1: see my idea in comment:5 for
 this issue. Not sure if that's something doable, though.



Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2019-10-28 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 This bug needs more attention now that **click-to-play was made DEFAULT in
 Tor Browser 9.0**.  On all three security levels, plugins.click_to_play =
 true.  I noticed it was enabled because I had to click "play" on every
 YouTube video.


Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2019-04-10 Thread Tor Bug Tracker & Wiki
Changes (by gk):

 * cc: m1 (added)
 * keywords:  tbb-disk-leak, tbb-newnym => tbb-disk-leak, tbb-newnym,
   noscript


Comment:

 Okay, thanks for those steps that helped me a lot. Giorgio: given that
 this violates assumptions about Private Browsing Mode (PBM) usage (There
 should not be leaked any information about web browsing to disk in that
 mode let alone possibly problematic URLs) is there a way for NoScript to
 actually adhere to the PBM rules the user/Tor Browser has intentionally
 enabled? Like saving the exceptions in memory and only there if in PBM? It
 seems to me there is no reason to save them to disk in that case.


Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2019-04-05 Thread Tor Bug Tracker & Wiki
#29957: clicking on "click to play" media leaks URLs via NoScript on-disk
preferences
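--------------------------------------------------+------------------------------
 Reporter:  catalyst                              |          Owner:  tbb-team
     Type:  defect                                |         Status:  needs_information
 Priority:  High                                  |      Milestone:
Component:  Applications/Tor Browser              |        Version:
 Severity:  Normal                                |     Resolution:
 Keywords:  tbb-disk-leak, tbb-newnym             |  Actual Points:
Parent ID:                                        |         Points:
 Reviewer:                                        |        Sponsor:
--------------------------------------------------+------------------------------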

Comment (by cypherpunks):

 Here is *exactly* what I did to confirm it:

 1. Deleted Tor Browser directory

 2. Installed fresh Tor Browser 8.0.8

 3. Changed security slider to "Safer"

 4. Navigated to
 https://upload.wikimedia.org/wikipedia/commons/transcoded/2/22/Volcano_Lava_Sample.webm/Volcano_Lava_Sample.webm.360p.vp9.webm

 5. Clicked to play

 6. Looked at NoScript settings page and confirmed it was whitelisted

 7. Restarted browser

 Before step 5, I looked at the sqlite in an online sqlite viewer and it
 said the collection_name was
 default/{73a6fe31-595d-460b-a920-fcc0f8843232}, the record_id was
 key-policy, and the record was this:

 {{{
 {"id":"key-policy","key":"policy","data":{"DEFAULT":{"capabilities":["fetch","font","frame","object","other","script","webgl"],"temp":false},"TRUSTED":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"UNTRUSTED":{"capabilities":["frame","font"],"temp":false},"sites":{"trusted":[],"untrusted":["http:"],"custom":{}},"enforced":true,"autoAllowTop":false},"_status":"created"}
 }}}

 After step 7 I looked at the same record, and now it was this:

 {{{
 {"id":"key-policy","key":"policy","data":{"DEFAULT":{"capabilities":["fetch","font","frame","object","other","script","webgl"],"temp":false},"TRUSTED":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"UNTRUSTED":{"capabilities":["frame","font"],"temp":false},"sites":{"trusted":[],"untrusted":["http:"],"custom":{"https://upload.wikimedia.org/wikipedia/commons/transcoded/2/22/Volcano_Lava_Sample.webm/Volcano_Lava_Sample.webm.360p.vp9.webm":{"capabilities":["fetch","font","frame","object","other","script","webgl","media"],"temp":false}}},"enforced":true,"autoAllowTop":false},"_status":"created"}
 }}}

 That sqlite file is stored on the disk.

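
A check for the leak shown in the two records quoted in the comment above, as an added example that is not part of the original thread or of NoScript: it reads each `key-policy` record and reports every per-site entry stored as permanent. The column names are the ones named in the comment; the table name `collection_data`, the sample record and the `.example` URLs are assumptions constructed for this example.

```python
import json
import sqlite3
from urllib.parse import urlsplit

# Assumed table name; the thread names only the columns
# (collection_name, record_id, record). Check the real schema first.
TABLE = "collection_data"


def persisted_sites(policy_record):
    """List per-site entries in a 'key-policy' record that are stored as permanent."""
    sites = json.loads(policy_record)["data"]["sites"]
    entries = [(s, "TRUSTED") for s in sites.get("trusted", [])]
    entries += [(s, "UNTRUSTED") for s in sites.get("untrusted", [])]
    entries += [(s, "CUSTOM") for s, perms in sites.get("custom", {}).items()
                if not perms.get("temp", False)]
    findings = []
    for site, preset in entries:
        parts = urlsplit(site)
        if not parts.netloc:
            continue  # scheme-only defaults such as "http:" name no site
        findings.append({"site": site, "preset": preset,
                         "full_url": parts.path not in ("", "/")})
    return findings


def audit(conn):
    """Run persisted_sites() over every key-policy row of an open sqlite connection."""
    rows = conn.execute(
        f"SELECT collection_name, record FROM {TABLE} WHERE record_id = ?",
        ("key-policy",))
    return {name: persisted_sites(record) for name, record in rows}


def sample_db():
    """In-memory database with one constructed record shaped like the quoted one."""
    record = {"id": "key-policy", "key": "policy", "data": {
        "sites": {"trusted": [], "untrusted": ["http:"], "custom": {
            # Constructed: a click-to-play grant written as permanent (the leak).
            "https://media.example/videos/clip.webm": {
                "capabilities": ["fetch", "media"], "temp": False},
            # Constructed: a temporary grant, which the audit ignores.
            "https://other.example": {
                "capabilities": ["script"], "temp": True}}},
        "enforced": True, "autoAllowTop": False}, "_status": "created"}
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {TABLE} (collection_name TEXT, record_id TEXT, record TEXT)")
    conn.execute(
        f"INSERT INTO {TABLE} VALUES (?, ?, ?)",
        ("default/{constructed-extension-id}", "key-policy", json.dumps(record)))
    return conn


if __name__ == "__main__":
    for collection, findings in audit(sample_db()).items():
        for f in findings:
            kind = "full URL" if f["full_url"] else "site"
            print(f"{collection}: permanent {f['preset']} entry, {kind}: {f['site']}")
```

To run it against a profile, pass `audit()` a connection to a copy of `storage-sync.sqlite`; entries flagged `full_url` are the kind of record this ticket is about.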

Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2019-04-05 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 In the file called storage-sync.sqlite (in profile.default) I have this
 text copied from Notepad (example and not everything in the .sqlite file,
 just the relevant part):

 {{{
 ["fetch","font","frame","object","other","script","webgl","media"],"temp":false},"https://upload.wikimedia.org/wikipedia/commons/transcoded/0/0a/Comparing_CMEs.ogv/Comparing_CMEs.ogv.480p.vp9.webm":{"capabilities":["fetch","font","frame","object","other","script","webgl","media"],"temp":false}}},"enforced":true,"autoAllowTop":false},"_status":"created"}‚';i
 ƒedefault/{73a6fe31-595d-460b-a920-fcc0f8843232}key-sync{"id":"key-sync","key":"sync","data":{"global":false,"xss":true,"cascadeRestrictions":true,"xssScanRequestBody":false,"xssBlockUnscannedPOST":true,"overrideTorBrowserPolicy":false,"clearclick":true,"storage":"sync"},"_status":"created"}
 }}}


Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2019-04-05 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 Replying to [comment:1 gk]:
 > I tried to reproduce both issues but failed with a clean Tor Browser
 > 8.0.8 on Windows 7. So, I wonder what goes wrong on the user's computer.
 > Maybe some extra tools installed are interfering?

 I just tried this on my own Windows 7 computer with browser 8.0.8 and it
 *does* persist for me. I went to Wikipedia with the slider set to "Safer"
 and viewed some videos that were click-to-play. After restarting Tor
 Browser and checking the NoScript settings "per-site permissions", the
 whitelisted URLs are being shown like this one:

 > https://upload.wikimedia.org/wikipedia/commons/transcoded/0/0a/Comparing_CMEs.ogv/Comparing_CMEs.ogv.480p.vp9.webm

 I restarted Tor Browser with New Identity, and I closed and re-opened it,
 and I rebooted my computer, so I can *confirm* that this is an issue!


Re: [tor-bugs] #29957 [Applications/Tor Browser]: clicking on "click to play" media leaks URLs via NoScript on-disk preferences

2019-04-01 Thread Tor Bug Tracker & Wiki
Changes (by gk):

 * keywords:  tbb-disk-leak, newnym => tbb-disk-leak, tbb-newnym
 * status:  new => needs_information


Comment:

 I tried to reproduce both issues but failed with a clean Tor Browser 8.0.8
 on Windows 7. So, I wonder what goes wrong on the user's computer. Maybe
 some extra tools installed are interfering?
