Skip to content

GitLab

Trac
Trac

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened by Trac@tracbot

TBB noscript settings break WebExtensions addons

In TBB 6.0.8, depending on the position of the security slider, NoScript can end up blocking WebExtensions background scripts from running, breaking some firefox addons entirely.

This occurs when security slider is medium-high or high, unless moz-extension: is added to capability.policy.maonoscript.sites.

This bug does not seem to affect vanilla FF with latest NoScript installed, unless capability.policy.maonoscript.sites is set to the value used in TBB. Which is why I'm reporting it as a TBB bug, not a NoScript bug.

NB This bug does not prevent WebExtension content scripts from running, but blocking background scripts is still enough to break many WebExtensions.

Suggested fix: default prefs shipped with TBB should include moz-extension: in capability.policy.maonoscript.sites, (unless this has undesired security outcomes that I'm not aware of).

Steps to reproduce

  1. Create a directory somewhere called ping.
  2. Create a file ping/manifest.json which contains:

{ "manifest_version": 2, "name": "Ping Test", "version": "1.0",

"description": "Tiny extension which pings the console from a bg script.",

"background": { "scripts": ["ping.js"] },

"applications": { "gecko": { "id": "ping@ping.me", "strict_min_version": "42.0", "strict_max_version": "50.*" } } }

  1. Create a file ping/ping.js which simply contains:

console.log('ping');

  1. Open Tor Browser, browse to about:config and set xpinstall.signatures.required to false, so that we will be allowed to install our own extensions.

  2. Set security slider to medium-high.

  3. Open Browser Console (Ctrl-Shift-J) and click 'Clear'.

  4. Browse to about:debugging, click 'Load Temporary Addon' and select ping/manifest.json.

  5. Go to Browser Console and note that 'ping' has NOT appeared.

  6. Set security slider to medium-low.

  7. Browse to about:addons. Disable 'Ping Test' then re-enable it.

  8. Go to Browser Console and note that 'ping' HAS now appeared.

  9. Set security slider back to medium-high.

  10. Browse to about:config and add " moz-extension:" to the end of capability.policy.maonoscript.sites.

  11. Clear the Browser Console.

  12. Browse to about:addons. Disable 'Ping Test' then re-enable it.

  13. Note that 'ping' HAS appeared.

  14. To clean up, just remove 'Ping Test' and set xpinstall.signatures.required and the security slider back to your preferred settings.

Trac:
Username: replaythesong

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information