Bug #16613

TorButton and/or NoScript are not fully set up on first Tor Browser launch: breaks circuits display and security slider

Added by mercedes508 about 2 months ago. Updated 23 days ago.

Status: Confirmed
Priority: Elevated
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
QA Check:
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool: Browser

Description

Current set of problems

See #16613#note-8.

Initial problem statement

Hi,

When setting Tor Browser security slider to High in Tails, the NoScript icon differs from the one of Tor Browser on another OS in the same condition:

  • In Tails the icon supposedly means: scripts are allowed for the top-level (main) document, but some other active content or script sources imported by this page are not allowed yet. This happens when there are multiple frames, or script elements linking code hosted on 3rd party hosts.
  • In non-Tails the icon means: scripts and plugin contents are blocked for the current site and its subframes. Even if some of the 3rd party script sources imported by the page may be in your whitelist, no code could run because the hosting documents are not enabled.

The NoScript version is slightly different (Tails is 10.2.4, Debian 10.2.5).

So the questions are: why is NoScript behavior different? Is the icon consistent with its behavior?

Thanks

Screenshot from 2019-04-03 11-36-49.png (76.3 KB) intrigeri, 04/03/2019 09:39 AM


Related issues

Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed 03/22/2019

History

#1 Updated by intrigeri about 2 months ago

  • Assignee changed from intrigeri to mercedes508
  • QA Check set to Info Needed

When setting Tor Browser security slider to High in Tails,

I'll assume you mean "Safest".

I did this, both in Tails 3.13.1 and with Tor Browser 8.0.8 on Debian sid:

  1. Start Tor Browser.
  2. Click the Onion icon → Security settings → Safest
  3. Open https://riseup.net

In both cases I see the same NoScript icon. I'll attach a screenshot.

NoScript icon differs from the one of Tor Browser on another OS in the same condition:

Please provide screenshots so I can see what icon you get.

The NoScript version is slightly different (Tails is 10.2.4, Debian 10.2.5).

Tor Browser ships its own version of NoScript so Tails should be using the same version as Tor Browser (unless you've tweaked your Tor Browser to use add-ons from the system, which might explain the results you're seeing).

#3 Updated by mercedes508 about 2 months ago

Hi,

Sure I meant safest by high.

When looking at your screenshot, the NoScript icons next to the url bar are different, right? That's what I'm talking about.

#4 Updated by mercedes508 about 2 months ago

  • Assignee changed from mercedes508 to intrigeri

#5 Updated by intrigeri about 2 months ago

  • Subject changed from NoScript icon when security slide set to high indicates some JS are allowed to NoScript icon when security slider set to Safest indicates some JS are allowed

#6 Updated by intrigeri about 2 months ago

  • Status changed from New to Confirmed
  • QA Check deleted (Info Needed)

mercedes508 wrote:

When looking at your screenshot, the NoScript icons next to the url bar are different, right? That's what I'm talking about.

Gotcha!

#7 Updated by intrigeri 23 days ago

intrigeri wrote:

The NoScript version is slightly different (Tails is 10.2.4, Debian 10.2.5).

Tor Browser ships its own version of NoScript so Tails should be using the same version as Tor Browser

I was wrong: Tor Browser allows automatic updates for some add-ons such as NoScript, while Tails disables that (pref("extensions.update.enabled", false)). So for example, after starting Tor Browser 8.0.8 in Tails 3.13.1 and outside of Tails, both had 10.2.4; and a few minutes later, the Tor Browser running outside of Tails had silently been upgraded to 10.6.1.
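The two facts comment #7 turns on (whether add-on auto-update is enabled, and which NoScript version a profile actually runs) can be checked mechanically. The following is an added example, not part of the ticket and not Tails or Tor Browser code; the NoScript add-on ID, the `extensions.json` layout and the default of the update pref are assumptions, and the sample data is constructed to mirror the versions quoted in the comment.

```python
import json
import re

# NoScript's add-on ID (assumption: not stated in the ticket).
NOSCRIPT_ID = "{73a6fe31-595d-460b-a920-fcc0f8843232}"
# Matches pref("name", value); and user_pref("name", value); lines.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;?\s*$')

def parse_prefs(text):
    """Return {name: value} from Firefox-style pref lines; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = raw.strip('"')
    return prefs

def addon_version(extensions_json, addon_id=NOSCRIPT_ID):
    """Look up an add-on's version in the text of a profile's extensions.json."""
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("id") == addon_id:
            return addon.get("version")
    return None

def describe(prefs_text, extensions_json):
    prefs = parse_prefs(prefs_text)
    return {
        # Assumption: add-on updates are on unless a pref turns them off.
        "auto_update": prefs.get("extensions.update.enabled", True),
        "noscript": addon_version(extensions_json),
    }

def drifted(a, b):
    """True when two installs of the same browser run different NoScript versions."""
    return a["noscript"] != b["noscript"]

# Constructed sample data mirroring the two installs described in comment #7.
_EXT = '{"addons": [{"id": "%s", "version": "%s"}]}'
TAILS = describe('pref("extensions.update.enabled", false);',
                 _EXT % (NOSCRIPT_ID, "10.2.4"))
UPSTREAM = describe("// no override present", _EXT % (NOSCRIPT_ID, "10.6.1"))

if __name__ == "__main__":
    print("Tails:", TAILS, "| upstream:", UPSTREAM)
    print("NoScript versions differ:", drifted(TAILS, UPSTREAM))
```

Running the same check on both installs before comparing icons or behaviour rules out add-on version drift as the cause.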

#8 Updated by intrigeri 23 days ago

  • Subject changed from NoScript icon when security slider set to Safest indicates some JS are allowed to TorButton and/or NoScript are not fully set up on first Tor Browser launch

OK, I can reproduce this except if I quit Tor Browser and start it again. Interestingly:

  • The first instance has no Tor circuits display, no HTTPS Everywhere icon (known since #15023), and this different NoScript icon.
  • The second instance has working Tor circuits display, displays an HTTPS Everywhere icon, and no myController-related error in the logs.

So I believe that either Torbutton, or NoScript, or their communication channel, is not fully working on first start of Tor Browser in Tails. This would explain both the missing circuits display and the fact the "Safest" security level is not fully taken into account (if at all). IIRC, in August/September, gecko and maone implemented some workarounds to fix a related race condition that affected only Tails (https://trac.torproject.org/projects/tor/ticket/26520). I remember I tested them during our summit. Looks like we still have a problem :/

This looks related to #15777 (https://trac.torproject.org/projects/tor/ticket/23359).

#9 Updated by intrigeri 23 days ago

  • Description updated (diff)

#10 Updated by intrigeri 23 days ago

#11 Updated by intrigeri 23 days ago

Next steps: test with Tor Browser 8.5 (just in case — I doubt it'll fix this problem); then gather enough data and report this upstream.

#12 Updated by intrigeri 23 days ago

  • Priority changed from Normal to Elevated
  • Target version deleted (Tails_3.14)

(I doubt I'll have time to do that by 3.14; making this ticket pop up high enough on the FT's radar.)

#13 Updated by intrigeri 23 days ago

  • Subject changed from TorButton and/or NoScript are not fully set up on first Tor Browser launch to TorButton and/or NoScript are not fully set up on first Tor Browser launch: breaks circuits display and security slider
  • Assignee deleted (intrigeri)
