Unexpected NoScript behavior when security level is pinned using user.js
If a Tor Browser user attempts to pin the security level using user.js (see below), Tor Browser will launch with the pinned security level, but NoScript will not respect that choice and instead retain its previous behavior. For example, if the user attempts to pin the security level to "Safest" using user.js, closes Tor Browser with the security level set to "Safer" and then re-launches Tor Browser, NoScript will behave as though the security setting is "Safer", blocking non-HTTPS JavaScript but allowing HTTPS JavaScript to run.
This behavior is potentially dangerous because the user will believe all Tor Browser security features will follow the user's pinned choice and the user will see the shield icon appearance according to their chosen pinned security level, but NoScript may behave differently. For example, NoScript may run JavaScript without the user's knowledge if the user pins the security level to "Safest".
Reproduced in:
- Tor Browser 9.0 and 9.0.1 (the first affected version is unknown)
- NoScript 11.0.8 (the first affected version is unknown)
- Debian 9 (stretch)
How to reproduce:
-
user.jsallows pinning of Tor Browser (Firefox) parameters upon launch.
- Create
user.jsin:<tor-browser-top>/Browser/TorBrowser/Data/Browser/profile.default/ - Pin the security level to "Safest". Add the line:
user_pref("extensions.torbutton.security_slider", 1); - Launch Tor Browser, change the security level from "Safest" to something different, then close Tor Browser.
- Launch Tor Browser again, and confirm the security level is set to "Safest".
- Access a website that requires JavaScript to work properly.
- Confirm whether or not JavaScript is running.
Trac:
Username: kj