Should Torbutton toggle javascript.enabled in Firefox per documentation?
Previous bugs stating Torbutton no longer toggling "Javascript Enabled" in Firefox (mainly after v3.5 or 3.6) have been answered that it isn't a bug (see # 979 below). Previous Torbutton versions did toggle “Enable Javascript” in Firefox Options > Content. Now, apparently not in later versions?
Current documentation seems to indicate it should be toggling the Firefox preference “javascript.enabled.” If correct, it would toggle the box in Options / Content.
Question is, should it be toggling “javascript.enabled” and thus toggling the Content check box, or does the documentation need updating or clarification? Also, Tor Project site gives current links to Tor Detector site http://torcheck.xenobite.eu/. With Tor, Polipo & Torbutton enabled, the site warns “JAVASCRIPT ENABLED” as security / anonymity risk.
If Torbutton no longer toggles “Enable Javascript” in Firefox, (instead “makes javascript safe for anonymity...”), is this still a valid parameter for torcheck.xenobite.eu/ to check & report as a security risk? Maybe check site needs updating or Tor Project needs to link to different sites? Also FAQs & documentation may need revising to inform average users of expected behavior.
Ticket 979: Torbutton not disabling javascript.
Response:
flyspray2trac: bug closed. This is a feature. Torbutton makes javascript safe for anonymity purposes. If you fear javascript exploits, use quickjava or noscript to disable it.
From current (8-7-10) online Torbutton Design doc at:
http://www.torproject.org/torbutton/design/
From section:
- Relevant Firefox Bugs
6.1. Bugs impacting security
From same doc, section 7:
7.3. Active testing (aka How to Hack Torbutton)
"Other ways to cause Javascript to be executed after javascript.enabled has been toggled off."
If it should be toggling javascript.enabled, it hasn't done it for me for several versions of Torbutton and Firefox 3.6 – 3.6.8.
Reproducible: always
Windows Vista x64 SP 2
Clean install of Firefox 3.6.8, new profile, no addons.
Torbutton 1.25, Tor 0.2.1.26 w/ Polipo installed, all running.
Tor checksite always reports “Javascript Enabled” as security risk.
With Torbutton 1.25 (& prior versions) enabled, !about:config shows javascript.enabled value = true. (contradicts sect. 7.3 Active Testing)
Trac:
Username: joebt