Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-15T23:24:38Z

Investigate why Atlas does not work with the medium-high security slider setting
https://gitlab.torproject.org/legacy/trac/-/issues/15225
2020-06-15T23:24:38Z
Georg Koppen

Looking for some relays on atlas gives me
```
JavaScript Error!
There is a problem with your javascript environment, you may have noscript enabled on the remote onionoo backend.
```
using the medium-high setting of the security slider which allows only HTTPS sourced JavaScript. I wonder whether that is a subtle bug in NoScript or where it is actually going wrong. I can't believe there are HTTP JavaScript requests involved here. Looking at the browser console I only can see HTTPS ones.
In order to get it to work I have to allow NoScript globally which is not an ideal solution.

Write test for security slider
https://gitlab.torproject.org/legacy/trac/-/issues/13682
2020-06-13T17:40:33Z
Georg Koppen

We should write a good test that checks whether the mapping between preferences and security levels works as expected.

Create preference to disable MathML
https://gitlab.torproject.org/legacy/trac/-/issues/13548
2020-06-15T23:21:42Z
Georg Koppen

We should have a way to disable MathML support in Firefox for the security slider. There currently is no pref in Firefox for this, so we will need to create one.

Mark Smith

Write regression tests for new NoScript options
https://gitlab.torproject.org/legacy/trac/-/issues/13053
2020-06-13T17:40:31Z
Mike Perry

Giorgio recently introduced three NoScript options just for us:
noscript.cascadePermissions, noscript.restrictSubdocScripting, and noscript.globalHttpsWhitelist.
We intend to use these prefs to make it easier for people to use the security slider. The first two cause sub-scripts to be allowed on top-level sites for which the user allows scripts and blocked on top-level urls where scripting is blocked, and the third pref should allow HTTPS sub-scripts to run if and only if the url bar is also HTTPS.
Because we're the only people widely using these prefs, we should write regression tests to ensure this functionality does not break in future NoScript releases.
I am most concerned about the globalHTTPSWhitelist option, as I've already noticed some bugs. The cases we should test include:
1. Do <script> elements that source https urls get blocked from http url bars, no matter what (even if those domains are in the NoScript whitelist)?
1. Does the same happen for iframes?
1. Is the converse true? If we have an https:// url bar, do script elements to http:// urls for the same domain end up blocked?
1. And for iframes as well?

boklm

Create preference to disable SVG
https://gitlab.torproject.org/legacy/trac/-/issues/12827
2022-06-16T00:15:16Z
Mike Perry

We should have a way to disable SVG support in Firefox for the security slider. There currently is no pref in Firefox for this, so we will need to create one.

Mark Smith

Disable the jar: protocol for external resources via preference
https://gitlab.torproject.org/legacy/trac/-/issues/12430
2020-06-15T23:24:36Z
Georg Koppen

We should add a preference that controls whether remote .jar files are opened by Tor Browser's jar: protocol handler and set the default value to not allow such actions.