
Bug #16613

TorButton and/or NoScript are not fully set up on first Tor Browser launch: breaks circuits display and security slider

Added by mercedes508 4 months ago. Updated 6 days ago.

Status:
Resolved
Priority:
Elevated
Assignee:
-
Category:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Feature Branch:
Type of work:
Research
Blueprint:
Starter:
Affected tool:
Browser

Description

Current set of problems

See #16613#note-8.

Initial problem statement

Hi,

When setting Tor Browser security slider to High in Tails, NoScript icon differs from the one of Tor Browser on another OS in the same condition:

  • In Tails the icon supposedly means: scripts are allowed for the top-level (main) document, but some other active content or script sources imported by this page are not allowed yet. This happens when there are multiple frames, or script elements linking code hosted on 3rd party hosts.
  • In non-Tails the icon means: this means that scripts and plugin contents are blocked for the current site and its subframes. Even if some of the 3rd party script sources imported by the page may be in your whitelist, no code could run because the hosting documents are not enabled.

The NoScript version is slightly different (Tails is 10.2.4, Debian 10.2.5).

So the questions are: why is NoScript behavior different? Is the icon consistent with its behavior?

Thanks

Screenshot from 2019-04-03 11-36-49.png (76.3 KB) intrigeri, 04/03/2019 09:39 AM

Related issues

Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed 03/22/2019

History

#1 Updated by intrigeri 4 months ago

  • Assignee changed from intrigeri to mercedes508
  • QA Check set to Info Needed

When setting Tor Browser security slide to High in Tails,

I'll assume you mean "Safest".

I did this, both in Tails 3.13.1 and with Tor Browser 8.0.8 on Debian sid:

  1. Start Tor Browser.
  2. Click the Onion icon → Security settings → Safest
  3. Open https://riseup.net

In both cases I see the same NoScript icon. I'll attach a screenshot.

NoScript icon differs from the one of Tor Browser on another OS in the same condition:

Please provide screenshots so I can see what icon you get.

The NoScript version is slightly different (Tails is 10.2.4, Debian 10.2.5).

Tor Browser ships its own version of NoScript so Tails should be using the same version as Tor Browser (unless you've tweaked your Tor Browser to use add-ons from the system, which might explain the results you're seeing).

#3 Updated by mercedes508 3 months ago

Hi,

Sure, I meant safest by high.

When looking at your screenshot, the NoScript icons next to the url bar are different, right? That's what I'm talking about.

#4 Updated by mercedes508 3 months ago

  • Assignee changed from mercedes508 to intrigeri

#5 Updated by intrigeri 3 months ago

  • Subject changed from NoScript icon when security slide set to high indicates some JS are allowed to NoScript icon when security slider set to Safest indicates some JS are allowed

#6 Updated by intrigeri 3 months ago

  • Status changed from New to Confirmed
  • QA Check deleted (Info Needed)

mercedes508 wrote:

When looking at your screenshot, the NoScript icons next to the url bar are different, right? That's what I'm talking about.

Gotcha!

#7 Updated by intrigeri 3 months ago

intrigeri wrote:

The NoScript version is slightly different (Tails is 10.2.4, Debian 10.2.5).

Tor Browser ships its own version of NoScript so Tails should be using the same version as Tor Browser

I was wrong: Tor Browser allows automatic updates for some add-ons such as NoScript, while Tails disables that (pref("extensions.update.enabled", false)). So for example, after starting Tor Browser 8.0.8 in Tails 3.13.1 and outside of Tails, both had 10.2.4; and a few minutes later, the Tor Browser running outside of Tails had silently been upgraded to 10.6.1.

#8 Updated by intrigeri 3 months ago

  • Subject changed from NoScript icon when security slider set to Safest indicates some JS are allowed to TorButton and/or NoScript are not fully set up on first Tor Browser launch

OK, I can reproduce this except if I quit Tor Browser and start it again. Interestingly:

  • The first instance has no Tor circuits display, no HTTPS Everywhere icon (known since #15023), and this different NoScript icon.
  • The second instance has working Tor circuits display, displays a HTTPS Everywhere icon, and no myController-related error in the logs.

So I believe that either Torbutton, or NoScript, or their communication channel, is not fully working on first start of Tor Browser in Tails. This would explain both the missing circuits display and the fact the "Safest" security level is not fully taken into account (if at all). IIRC, in August/September, gecko and maone implemented some workarounds to fix a related race condition that affected only Tails (https://trac.torproject.org/projects/tor/ticket/26520). I remember I tested them during our summit. Looks like we still have a problem :/

This looks related to #15777 (https://trac.torproject.org/projects/tor/ticket/23359).

#9 Updated by intrigeri 3 months ago

  • Description updated (diff)

#10 Updated by intrigeri 3 months ago

#11 Updated by intrigeri 3 months ago

Next steps: test with Tor Browser 8.5 (just in case — I doubt it'll fix this problem); then gather enough data and report this upstream.

#12 Updated by intrigeri 3 months ago

  • Priority changed from Normal to Elevated
  • Target version deleted (Tails_3.14)

(I doubt I'll have time to do that by 3.14; making this ticket pop up high enough on the FT's radar.)

#13 Updated by intrigeri 3 months ago

  • Subject changed from TorButton and/or NoScript are not fully set up on first Tor Browser launch to TorButton and/or NoScript are not fully set up on first Tor Browser launch: breaks circuits display and security slider
  • Assignee deleted (intrigeri)

#14 Updated by segfault about 1 month ago

  • Assignee set to segfault

#15 Updated by segfault about 1 month ago

  • Assignee deleted (segfault)

I can't reproduce the issue with the circuits display on 3.13.2 or 3.14. Here is what I did: Start Tails, start Tor Browser, set security level to safest, open riseup.net, click on the site information to view the circuit.

I can reproduce the issue that the HTTPS Everywhere icon is not displayed and the NoScript icon is different on 3.13.2. But both icons are never displayed in 3.14.

#16 Updated by intrigeri about 1 month ago

segfault wrote:

I can't reproduce the issue with the circuits display on 3.13.2 or 3.14. Here is what I did: Start Tails, start Tor Browser, set security level to safest, open riseup.net, click on the site information to view the circuit.

@segfault, so next step is: check if the security level change is effective in Tails 3.14. Better not rely on NoScript (or the presence of its icon) for that, but instead check that whatever content is supposed to be blocked, is actually blocked. Makes sense?

I can reproduce the issue that the HTTPS everywhere icon is not displayed and the NoScript icon is different on 3.13.2. But both icons are never displayed in 3.14.

Indeed, that's expected as of Tor Browser 8.5 (#16746).

#17 Updated by segfault about 1 month ago

intrigeri wrote:

segfault wrote:

I can't reproduce the issue with the circuits display on 3.13.2 or 3.14. Here is what I did: Start Tails, start Tor Browser, set security level to safest, open riseup.net, click on the site information to view the circuit.

@segfault, so next step is: check if the security level change is effective in Tails 3.14. Better not rely on NoScript (or the presence of its icon) for that, but instead check that whatever content is supposed to be blocked, is actually blocked. Makes sense?

Makes sense, but is harder than expected. According to https://tb-manual.torproject.org/security-slider, the safest setting has these effects:

HTML5 video and audio media become click-to-play via NoScript; all JavaScript performance optimizations are disabled; some mathematical equations may not display properly; some font rendering features are disabled; some types of image are disabled; Javascript is disabled by default on all sites; most video and audio formats are disabled; and some fonts and icons may not display correctly.

I tested that JavaScript is disabled and HTML5 videos don't play automatically (I couldn't find a website which played HTML5 videos at all at this security setting, probably because "most video and audio formats are disabled").

I will have to investigate how to test font rendering features and which types of images are supposed to be disabled.

#18 Updated by intrigeri 30 days ago

Makes sense, but is harder than expected. According to https://tb-manual.torproject.org/security-slider, the safest setting has these effects:

HTML5 video and audio media become click-to-play via NoScript; all JavaScript performance optimizations are disabled; some mathematical equations may not display properly; some font rendering features are disabled; some types of image are disabled; Javascript is disabled by default on all sites; most video and audio formats are disabled; and some fonts and icons may not display correctly.

I tested that JavaScript is disabled and HTML5 videos don't play automatically (I couldn't find a website which played HTML5 videos at all at this security setting, probably because "most video and audio formats are disabled").

Great.

I will have to investigate how to test font rendering features and which types of images are supposed to be disabled.

Most of what the security slider does is setting prefs, so I think it would be good enough to check that a few of these prefs are set as expected; let's assume here that Firefox honors these prefs correctly.
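As an added illustration of the pref-checking approach suggested here (example code, not from the ticket, Tails or Tor Browser): a small parser for Firefox-style `pref(...)` / `user_pref(...)` / `lockPref(...)` lines that compares the parsed values against a set of expectations. The `extensions.update.enabled` line is the one quoted in this ticket; the sample file, the `example.*` names and the expectations are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

PrefValue = Union[bool, int, str]

# Matches Firefox/Tor Browser pref lines such as:
#   pref("extensions.update.enabled", false);
#   user_pref("some.int.pref", 3);
#   lockPref("some.string.pref", "text");
PREF_RE = re.compile(
    r'^\s*(?:pref|user_pref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$'
)


def parse_value(raw: str) -> PrefValue:
    """Convert the textual pref value into bool, str or int."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return int(raw)  # raises ValueError on anything else, which is what we want


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse a prefs file; later lines override earlier ones, comments are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        if line.strip().startswith("//"):
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def check_prefs(prefs: Dict[str, PrefValue],
                expected: Dict[str, PrefValue]) -> List[Tuple[str, PrefValue, Optional[PrefValue]]]:
    """Return (name, expected, actual) for each unmet expectation; actual is None when missing.
    Types are compared too, so a bool true does not satisfy an expected int 1."""
    problems = []
    for name, want in expected.items():
        got = prefs.get(name)
        if got != want or type(got) is not type(want):
            problems.append((name, want, got))
    return problems


# Constructed sample of a Tails-style prefs file (not the real Tails file).
SAMPLE_PREFS = """\
// constructed sample: Tails disables silent add-on updates (line quoted in the ticket)
pref("extensions.update.enabled", false);
user_pref("example.string.pref", "https://example.org/path");
"""

# Expectations: the first comes from the ticket, the second is constructed and missing on purpose.
EXPECTED: Dict[str, PrefValue] = {
    "extensions.update.enabled": False,
    "example.missing.pref": True,
}
```

Running `check_prefs(parse_prefs(SAMPLE_PREFS), EXPECTED)` reports only the constructed missing pref, which is the shape of result one would want from a test that Tails's pref lock survived a Tor Browser upgrade.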

#19 Updated by segfault 7 days ago

  • Status changed from Confirmed to Resolved

intrigeri wrote:

I will have to investigate how to test font rendering features and which types of images are supposed to be disabled.

Most of what the security slider does is setting prefs, so I think it would be good enough to check that a few of these prefs are set as expected; let's assume here that Firefox honors these prefs correctly.

Finally managed to do this. Took me a while to find the code responsible for this, because I expected that it changes Firefox preferences (i.e. the ones editable via about:config). But that doesn't seem to be the case - just FTR (maybe someone finds this when we have to check stuff like that again): NoScript is controlled via WebExtension messages, the code is in src/modules/noscript-control.js in torbutton.git.

I verified that, in Tails 3.14, when I change the security slider to "Safer" or "Safest", the NoScript settings are changed according to the values defined in src/modules/noscript-control.js.

#20 Updated by intrigeri 6 days ago

I verified that, in Tails 3.14, when I change the security slider to "Safer" or "Safest", the NoScript settings are changed according to the values defined in src/modules/noscript-control.js.

Great! :)
