Trac issueshttps://gitlab.torproject.org/legacy/trac/-/issues2020-06-16T01:09:29Zhttps://gitlab.torproject.org/legacy/trac/-/issues/32425SVG icons are blocked in the video player in Safest security setting2020-06-16T01:09:29ZTracSVG icons are blocked in the video player in Safest security settingCheck the screenshot.
Tor Browser 9.0.1
**Trac**:
**Username**: nDe15oCheck the screenshot.
Tor Browser 9.0.1
**Trac**:
**Username**: nDe15ohttps://gitlab.torproject.org/legacy/trac/-/issues/31961'Learn more' links on security settings are not working2020-06-16T01:08:02ZTrac'Learn more' links on security settings are not workingTor Browser 9.0 Alpha 7, Macedonian (MK-MK)
1. The "Learn more" link in "Badge icon -> Security" not goes anywhere (is not linked).
EN-US version is linked to:
https://tb-manual.torproject.org/en-US/security-settings/
and automatically...Tor Browser 9.0 Alpha 7, Macedonian (MK-MK)
1. The "Learn more" link in "Badge icon -> Security" not goes anywhere (is not linked).
EN-US version is linked to:
https://tb-manual.torproject.org/en-US/security-settings/
and automatically redirects to:
https://tb-manual.torproject.org/security-settings/
MK-MK (Macedonian) version needs to be linked to:
https://tb-manual.torproject.org/mk/security-settings/
---------------------------------------
2. In Badge icon -> "Advanced Security Settings..." -> Security Level
Also the link "Learn more" after text:
"Disable certain web features that can be used to attack your security and anonymity."
doesn't work.
Same case, needs to go to:
https://tb-manual.torproject.org/mk/security-settings/
**Trac**:
**Username**: Zarko_Gjurovhttps://gitlab.torproject.org/legacy/trac/-/issues/31752Security Slider button stops working sometimes2020-06-16T01:07:33ZAlex CatarineuSecurity Slider button stops working sometimesI can reproduce with these steps (on alpha):
1. Click `Security Slider` button so that popup shows.
2. Click again so that it closes.
3. Go to `Customize...` in burger menu.
4. In `Customize...`, click `Done`.
5. Click again `Security S...I can reproduce with these steps (on alpha):
1. Click `Security Slider` button so that popup shows.
2. Click again so that it closes.
3. Go to `Customize...` in burger menu.
4. In `Customize...`, click `Done`.
5. Click again `Security Slider` button, it does not work.richardrichardhttps://gitlab.torproject.org/legacy/trac/-/issues/31749Security level popup should not open with middle or right click2020-06-16T01:07:33ZAlex CatarineuSecurity level popup should not open with middle or right clickThis is probably because of the change
```
- oncommand="SecurityLevelButton.onCommand(this, event);"
+ onmousedown="SecurityLevelButton.onCommand();"
```This is probably because of the change
```
- oncommand="SecurityLevelButton.onCommand(this, event);"
+ onmousedown="SecurityLevelButton.onCommand();"
```richardrichardhttps://gitlab.torproject.org/legacy/trac/-/issues/31658The "Security Level" text is hard to read in dark mode2020-06-16T01:07:18ZTracThe "Security Level" text is hard to read in dark modeWhen macOS has dark mode enabled and I click the shield icon, the words "Security Level" are very difficult to read. attached photo shows the issue.
TorBrowser 9.0a6
**Trac**:
**Username**: DbryrtfbcbhgfWhen macOS has dark mode enabled and I click the shield icon, the words "Security Level" are very difficult to read. attached photo shows the issue.
TorBrowser 9.0a6
**Trac**:
**Username**: Dbryrtfbcbhgfrichardrichardhttps://gitlab.torproject.org/legacy/trac/-/issues/31297How to enable sound on translate.google.com on Safer?2020-06-16T01:06:01ZcypherpunksHow to enable sound on translate.google.com on Safer?https://translate.google.com/https://translate.google.com/https://gitlab.torproject.org/legacy/trac/-/issues/31015svg.disabled = 'true' hides the the UI icons in extensions2020-06-16T01:05:20Zcypherpunkssvg.disabled = 'true' hides the the UI icons in extensionsIn "safest" security level `svg.disabled` is set to `true` in Tor Browser. This causes the UI icons in the latest versions of uBblock Origin and uMatrix to disappear.
The author of the extensions declined working on this with a note:
"...In "safest" security level `svg.disabled` is set to `true` in Tor Browser. This causes the UI icons in the latest versions of uBblock Origin and uMatrix to disappear.
The author of the extensions declined working on this with a note:
"I consider this a browser issue, to be reported to Firefox issue tracker. Extensions extend a browser abilities, they should not be subjected to restrictions which are meant to be imposed on web pages."
https://github.com/uBlockOrigin/uBlock-issues/issues/446
However as this is Tor Browser specific, I am reporting it here.https://gitlab.torproject.org/legacy/trac/-/issues/30680NoScript's click-to-play does not work on Twitter videos (on higher security ...2020-06-16T01:04:32ZGeorg KoppenNoScript's click-to-play does not work on Twitter videos (on higher security levels)Let's suppose you want to watch that awesome Twitter video:
https://twitter.com/richardao_/status/1132806281008484357
but are on the safer security level. The expectation is that you can use NoScript's click-to-play feature to allow th...Let's suppose you want to watch that awesome Twitter video:
https://twitter.com/richardao_/status/1132806281008484357
but are on the safer security level. The expectation is that you can use NoScript's click-to-play feature to allow the video to be played. However, contrary to e.g. on Youtube this is not working in this case and one has to either mess with NoScript setting's directly, lower the general security level for all the tabs open or just move along without watching that video.https://gitlab.torproject.org/legacy/trac/-/issues/29917Safest security level breaks reader view buttons2020-06-16T01:01:54ZcypherpunksSafest security level breaks reader view buttonsTested on 8.5a10. Screenshots attached.Tested on 8.5a10. Screenshots attached.https://gitlab.torproject.org/legacy/trac/-/issues/29903Don't have WebGL being click-to-play on the standard security level2020-06-16T01:01:51ZGeorg KoppenDon't have WebGL being click-to-play on the standard security levelThere is no reason to treat WebGL differently than any other active content like video/audio on the standard security level, especially as we are claiming that we have all web features enabled on that level.There is no reason to treat WebGL differently than any other active content like video/audio on the standard security level, especially as we are claiming that we have all web features enabled on that level.https://gitlab.torproject.org/legacy/trac/-/issues/29803Trust Tor Project domain in NoScript when TorButton security level is changed2020-06-16T01:01:38ZcypherpunksTrust Tor Project domain in NoScript when TorButton security level is changedTrust *.torproject.org in NoScript for first-party access when the TorButton security level is changed.
I don't know if it's possible to restrict to first-party in NoScript. It is in uMatrix. I don't know if trusting TP's sites by defau...Trust *.torproject.org in NoScript for first-party access when the TorButton security level is changed.
I don't know if it's possible to restrict to first-party in NoScript. It is in uMatrix. I don't know if trusting TP's sites by default could aid fingerprinting TB as TB rather than its UserAgent if, for example, a TP resource is embedded in a third-party page. On a related note, IIRC, the blog is hosted by a third-party.
Or always trust TP's onions only? https://onion.torproject.org/ Same unknown but for onion and non-onion third parties.https://gitlab.torproject.org/legacy/trac/-/issues/29506<noscript> tag doesn't work when JS is blocked by security slider at Safer2020-06-16T01:01:05ZMicah Lee<noscript> tag doesn't work when JS is blocked by security slider at SaferThe <noscript> HTML tag is supposed to be hidden when JavaScript is enabled, and get displayed when it's disabled. Websites use it to inform users what things are broken without JavaScript.
When the security slider is set to Safest, all...The <noscript> HTML tag is supposed to be hidden when JavaScript is enabled, and get displayed when it's disabled. Websites use it to inform users what things are broken without JavaScript.
When the security slider is set to Safest, all JavaScript is disabled, and the <noscript> tag works like expected. But when it's set to Safer, JavaScript is disabled on non-HTTPS websites (including HTTP .onion sites), but the <noscript> tag doesn't display, but it should.https://gitlab.torproject.org/legacy/trac/-/issues/27607Enabling SVG sets security slider back to "Safer"2020-06-16T00:50:52ZGeorg KoppenEnabling SVG sets security slider back to "Safer"Set the slider to "Safest" and then enable SVG in `about:config`. Despite the wish to just enable SVG this sets the slider back to "Safer". Found by ln5.Set the slider to "Safest" and then enable SVG in `about:config`. Despite the wish to just enable SVG this sets the slider back to "Safer". Found by ln5.https://gitlab.torproject.org/legacy/trac/-/issues/27515video placeholder didn't work in Tor browser 8.0 on highest security level2020-06-16T00:50:23ZTracvideo placeholder didn't work in Tor browser 8.0 on highest security levelnoscript isn't working any more, don't show any placeholder just block the video when using safest level
**Trac**:
**Username**: 1362572noscript isn't working any more, don't show any placeholder just block the video when using safest level
**Trac**:
**Username**: 1362572https://gitlab.torproject.org/legacy/trac/-/issues/27413Implement better communication between NoScript and Tor Browser2020-06-16T01:28:20ZGeorg KoppenImplement better communication between NoScript and Tor BrowserWhile preparing the Tor Browser 8 release we ran into a number of issues with communicating with NoScript and getting the Security Slider to work (#26520, #27401, #27411). We should implement a better approach for communictaion. The curr...While preparing the Tor Browser 8 release we ran into a number of issues with communicating with NoScript and getting the Security Slider to work (#26520, #27401, #27411). We should implement a better approach for communictaion. The currently best plan is outlined in comment:33:ticket:26520:
```
If we wanted to be absolutely sure, NoScript could be patched to listen for a "ping" and reply with a "pong". And then torbutton could repeatedly send "ping" (say, once a second) until it receives a "pong", and then proceed by sending the first updateSettings message.
```https://gitlab.torproject.org/legacy/trac/-/issues/27276Update security slider to follow NoScript protocol change2020-06-16T00:49:32ZArthur EdelsteinUpdate security slider to follow NoScript protocol changema1 [ticket:26128#comment:15 wrote]:
> Please notice that NoScript 10.1.8.17 does change its message handling to slightly abstract it, simplify it and fix some subtle bugs.
>
> As a consequence, the property by which all the messages ...ma1 [ticket:26128#comment:15 wrote]:
> Please notice that NoScript 10.1.8.17 does change its message handling to slightly abstract it, simplify it and fix some subtle bugs.
>
> As a consequence, the property by which all the messages (including updateSettings)identify themselves is not called "type" anymore, but "_messageName".
>
> In order to work with 10.1.8.1.17 and above, the Security Slider must therefore send this the updated policy in an object with a "_messageName": "updateSettings" property (alone, or in addition to the existent "type": "updateSettings" one for backward compatibility).https://gitlab.torproject.org/legacy/trac/-/issues/26624NoScript blocks <OBJECT> on Standard-Safer security setting in 8.0a9 contrary...2020-06-16T00:48:13ZcypherpunksNoScript blocks <OBJECT> on Standard-Safer security setting in 8.0a9 contrary to behavior in 8.0a8https://gitlab.torproject.org/legacy/trac/-/issues/26590SVG isn't blocked in Safest security setting with 8.0a92020-06-16T00:48:03ZcypherpunksSVG isn't blocked in Safest security setting with 8.0a9SVG doesn't seem to be blocked in Safest security setting with 8.0a9 (Linux)SVG doesn't seem to be blocked in Safest security setting with 8.0a9 (Linux)https://gitlab.torproject.org/legacy/trac/-/issues/26517When I have security setting set to "Safest" and I open NoScrip's preferences...2020-06-16T00:49:12ZTracWhen I have security setting set to "Safest" and I open NoScrip's preferences and click reset, TorBrowser still says Security setting "Safest" even though many sites are now whitelistedWhen I have security setting set to "Safest" and I open NoScript's preferences and click reset, TorBrowser still says Security setting "Safest" even though many sites are now whitelisted. I attached a video showing the bug. TorBrowser 8a...When I have security setting set to "Safest" and I open NoScript's preferences and click reset, TorBrowser still says Security setting "Safest" even though many sites are now whitelisted. I attached a video showing the bug. TorBrowser 8a9
**Trac**:
**Username**: Dbryrtfbcbhgfhttps://gitlab.torproject.org/legacy/trac/-/issues/26407Go over security slider governed preferences and update them where needed2020-06-16T01:28:18ZGeorg KoppenGo over security slider governed preferences and update them where neededWhile reviewing the patch for #26128 i realized there are new preferences we might to add (`javascript.options.wasm_baselinejit` and `javascript.options.wasm_ionjit` come to mind) and there might be old ones we could remove. We should do...While reviewing the patch for #26128 i realized there are new preferences we might to add (`javascript.options.wasm_baselinejit` and `javascript.options.wasm_ionjit` come to mind) and there might be old ones we could remove. We should double-check that during the ESR60 stabilization.