#34305: NoScript inconsistent behaviour in Firefox 77 (currently beta)
------------------------------------------+----------------------
 Reporter:  acat                          |      Owner:  tbb-team
     Type:  defect                        |     Status:  new
 Priority:  Medium                        |  Milestone:
Component:  Applications/Tor Browser      |    Version:
 Severity:  Normal                        |   Keywords:  noscript
Actual Points:                            |  Parent ID:
   Points:                                |   Reviewer:
  Sponsor:                                |
------------------------------------------+----------------------

While working on fixing the testsuite (#27105) I ran into some inconsistent blocking behaviour of NoScript in a Tor Browser WIP build based on Firefox 77 beta.

Basically, the issue is that with the Tor Browser `Safer` NoScript configuration, visiting a `http:` page (containing a `https:` iframe) and then going to the `https:` version of the same page results in JavaScript being blocked, but it should not be. Manually reloading the `https:` page results in JavaScript being executed correctly.

After some effort, I managed to reproduce it in the current Firefox 77 beta directly, more specifically: `f2e0df68e569b43ca337535927ed63068ed01c664eea7e397378cae668f63d0a firefox-77.0b9.tar.bz2`. Tested with NoScript 11.0.26 and 11.0.25.

Steps to reproduce (in a fresh profile):

- Install the NoScript addon.
- Go to the NoScript options page (either via about:addons or via the NoScript toolbar badge).
- Enable the "script" option and "Cascade top document's restrictions to subdocuments" in the General + Default tab.
- Still in General, go to "UNTRUSTED" and enable "frame".
- Go to the "Per-site permission" tab and add a new rule: "http:" and mark it as "untrusted" (basically, setting non-https pages as untrusted).
- Open a new tab and visit http://alltaken.xyz/https_iframe.html
- When loaded, open a new tab and visit https://alltaken.xyz/https_iframe.html
- Result: JavaScript is blocked, but it should not be.

When the page is manually reloaded (press F5), the script is executed correctly, and the `JavaScriptEnabled` text is displayed.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34305>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online