NoScript policies don't work with default page set to about:blank
Issue similar to #32429 (moved), but arises under more narrow conditions - such as when you manually edit settings via prefs.js using automated configuration tools.
How to reproduce the bug:
- Unpack Tor Browser, start it for the first time, exit.
- Edit the following parameters via prefs.js:
- browser.startup.homepage = "about:blank"
- extensions.torbutton.security_slider = 1
- Launch TB again, set Security Level to Safest, which is supposed to block JS everywhere.
- Load the test page and see for yourself that JS is not blocked: http://mysecret7rirx6ip.onion/test-js.html http://mysecretvrujzo2k.onion/test-js.html
If the security settings are changed to Low, and then back to Safest, the bug will disappear and JS will be blocked everywhere by default.
Causes of this bug:
The "key-policy" setting in NoScript (found in Browser/TorBrowser/Data/Browser/profile.default/storage-sync.sqlite) has the following value by default:
{"id":"key-policy","key":"policy","data":{"DEFAULT":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"TRUSTED":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"UNTRUSTED":{"capabilities":["font","frame","media"],"temp":false},"sites":{"trusted":[],"untrusted":[],"custom":{}},"enforced":true,"autoAllowTop":false},"_status":"created"}
This allows all content by default: "DEFAULT":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"]
This setting is not set to the value corresponding to the Safest security level ("DEFAULT":{"capabilities":["frame","other"]) when the add-on is initialized on browser launch, even if this level is set in prefs.js.
This issue misleads users who utilise automated configuration systems to configure their Tor Browser instances. It was not present in versions 8.* and 9.0.0.
Trac:
Username: pf.team