clicking on "click to play" media leaks URLs via NoScript on-disk preferences
A user in #tor
reports that clicking on "click to play" media leaks sensitive information by causing NoScript to save the URL to disk. It's not clear whether this is an instance of #29646 (moved). It also seems that these URLs persist for search bar completion briefly beyond "New Identity", but not beyond a browser restart.
partial IRC logs below:
29T22:27 <XXXXX> i'd like to report a bug in noscript in tor browser
29T22:28 <XXXXX> when media is "click to play" and i click it, the browser
SAVES IT in HISTORY
29T22:28 <XXXXX> even though it is tor browser, when i start up the browser
days later i find that noscript has saved that site url to
the hard drive... tor browser is not supposed to keep
history
29T22:29 <XXXXX> it was visible in "per-site permissions" in the noscript
settings
29T22:30 <XXXXX> it includes ILLEGAL (lgbt resources) in my country, that i
do not want anyone to see, but it was still being saved by
tor browser
29T22:31 <XXXXX> i did not do anything "unusual" like changing settings or
tweaking. i only had security slider MEDIUM and when click
to play media appeared i clicked it
29T22:32 <XXXXX> i cleared the history and bleachbit wiped the computer but
i'm scared
...
29T22:39 <catalyst> XXXXX: that does sound scary in your situation. and it
does sound like a bug. what OS and Tor Browser version?
29T22:40 <XXXXX> catalyst: windows 7 tor browser 8.0.8
...
29T22:45 <catalyst> XXXXX: thanks. i'm asking around
29T22:46 <XXXXX> ok!
29T22:46 <XXXXX> what do i need to do to erase it? i pressed "reset
settings" in noscript and i think that worked and i ran
bleachbit too
29T22:47 <catalyst> XXXXX: that depends on how thoroughly you need to erase
it, unfortunately
29T22:48 <XXXXX> i dont want family or authorities to see it
...
29T22:48 <XXXXX> ok and doing that with bleachbit "erase free space" helps?
...
29T22:50 <XXXXX> it erases free space because deleting files is recoverable
29T22:51 <catalyst> XXXXX: that sounds like it should help. i'm not
personally familiar with bleachbit so i can't say whether
or not it will be effective in this case
29T22:51 <XXXXX> ok
29T22:52 <catalyst> operating systems like Tails provide additional isolation
(i believe Tails won't ever write to a disk unless you
explicitly ask it to)
29T22:57 <catalyst> XXXXX: may i paste your report into a public bug
report? (redacting your IRC nickname)
29T22:57 <XXXXX> catalyst: yes ok
29T22:57 <catalyst> XXXXX: thanks
29T22:58 <XXXXX> catalyst: when i clicked "reset" on the noscript settings
it broke some things i think the "default settings" are
not the same ones tor uses so resetting to default breaks
some things. a check mark is now checked called "override
tor browser security preset" and even on MEDIUM slider
settings it makes javascript disabled
29T22:58 <XXXXX> so also the reset option breaks things too!
29T23:03 <catalyst> XXXXX: that sounds unfortunate, but not too surprising.
Tor Browser can't always handle unusual user interactions
with the components it depends on. we can only try to fix
stuff like this as we learn about it
29T23:03 <XXXXX> ok
29T23:03 <XXXXX> i'll delete and insteall the browser again
...
29T23:12 <XXXXX> catalyst: one other scary thing that might be related.
when i visit sites after i press "new identity" that
restarts the browser. when the new browser opens then i
type something into the search bar at the top and
sometimes it suggests the sites i was just viewing BUT for
a split second then they vanish!
29T23:13 <XXXXX> i only noticed it when pressing "new identity" but not if
i close the browser then open it myself instead. but after
the suggested sites vanish they don't appear again and
that is weird
29T23:15 <@arma> XXXXX: i would believe this -- new identity does a pile of
things, and it does them in some order. it should probably
change its order so you don't get confused into thinking it is
done until it really is done.
29T23:15 <catalyst> XXXXX: that does seem scary. the behavior difference
between "new identity" and restarting the browser is
helpful to know, though. i'll add it to the bug report