Cascading of permissions does not seem to work properly in Tor Browser 8

On level "safer" of our security slider we want to prevent executing JavaScript if the URL bar domain is loaded over HTTP. That means even if embedded content is loaded over HTTPS it's not allowed to load and execute JavaScript that way. We used the cascadePermissions and the globalHttpsWhitelist prefs for that in the XPCOM NoScript.

This mechanism seems to be broken, as e.g. HTTPS JavaScript can get loaded in an HTTP site context (as an example, take http://www.worldstarhiphop.com/featured/131305).

This got noted on our blog: https://blog.torproject.org/comment/278987#comment-278987.
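
A regression check for the behaviour described in this report, as an added example that is not part of the original issue and is not NoScript's or Tor Browser's code: it models the intended "safer" rule (the URL bar document's scheme decides for every script) and flags recorded script executions that should have been blocked. The function names, the record format and the `example` hosts are assumptions made for illustration.

```javascript
// Model of the intended policy only; it does not reproduce how NoScript
// evaluates the cascadePermissions or globalHttpsWhitelist prefs.

// Return the URL scheme, or null when the URL cannot be parsed.
function schemeOf(url) {
  try {
    return new URL(url).protocol;
  } catch (e) {
    return null;
  }
}

// Intended "safer" rule from the report: the URL-bar document's scheme
// decides for every script on the page, wherever the script is hosted.
function saferAllowsScripts(topLevelUrl) {
  return schemeOf(topLevelUrl) === "https:"; // unparsable URL => blocked
}

// Given script executions recorded by a test harness, return the ones
// that should have been blocked. `script: null` denotes an inline script.
function findViolations(executions) {
  return executions
    .filter((e) => !saferAllowsScripts(e.top))
    .map((e) => ({
      top: e.top,
      script: e.script === null ? "(inline)" : e.script,
      // true marks the case from the report: HTTPS script, HTTP page
      viaHttps: e.script !== null && schemeOf(e.script) === "https:",
    }));
}

// Constructed sample data (hypothetical harness output, placeholder hosts).
const SAMPLE_EXECUTIONS = [
  { top: "http://news.example/story", script: "https://cdn.example/app.js" },
  { top: "https://shop.example/", script: "https://cdn.example/app.js" },
  { top: "http://news.example/story", script: null },
  { top: "not a url", script: "https://cdn.example/app.js" },
];

console.log(findViolations(SAMPLE_EXECUTIONS));
```

An empty result means every recorded execution happened under an HTTPS URL bar document; any entry with `viaHttps: true` matches the failure described above.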