Tor Browser issue #29957

Created Mar 29, 2019 by Taylor Yu (@catalyst)

clicking on "click to play" media leaks URLs via NoScript on-disk preferences

A user in #tor reports that clicking on "click to play" media leaks sensitive information by causing NoScript to save the URL to disk. It's not clear whether this is an instance of legacy/trac#29646 (moved). It also seems that these URLs persist for search bar completion briefly beyond "New Identity", but not beyond a browser restart.

partial IRC logs below:

29T22:27 <XXXXX> i'd like to report a bug in noscript in tor browser
29T22:28 <XXXXX> when media is "click to play" and i click it, the browser 
                     SAVES IT in HISTORY
29T22:28 <XXXXX> even though it is tor browser, when i start up the browser 
                     days later i find that noscript has saved that site url to 
                     the hard drive... tor browser is not supposed to keep 
                     history
29T22:29 <XXXXX> it was visible in "per-site permissions" in the noscript 
                     settings
29T22:30 <XXXXX> it includes ILLEGAL (lgbt resources) in my country, that i 
                     do not want anyone to see, but it was still being saved by 
                     tor browser
29T22:31 <XXXXX> i did not do anything "unusual" like changing settings or 
                     tweaking. i only had security slider MEDIUM and when click 
                     to play media appeared i clicked it
29T22:32 <XXXXX> i cleared the history and bleachbit wiped the computer but 
                     i'm scared
...
29T22:39 <catalyst> XXXXX: that does sound scary in your situation. and it 
                    does sound like a bug. what OS and Tor Browser version?
29T22:40 <XXXXX> catalyst: windows 7 tor browser 8.0.8
...
29T22:45 <catalyst> XXXXX: thanks. i'm asking around
29T22:46 <XXXXX> ok!
29T22:46 <XXXXX> what do i need to do to erase it? i pressed "reset 
                     settings" in noscript and i think that worked and i ran 
                     bleachbit too
29T22:47 <catalyst> XXXXX: that depends on how thoroughly you need to erase 
                    it, unfortunately
29T22:48 <XXXXX> i don't want family or authorities to see it
...
29T22:48 <XXXXX> ok and doing that with bleachbit "erase free space" helps?
...
29T22:50 <XXXXX> it erases free space because deleting files is recoverable
29T22:51 <catalyst> XXXXX: that sounds like it should help. i'm not 
                    personally familiar with bleachbit so i can't say whether 
                    or not it will be effective in this case
29T22:51 <XXXXX> ok
29T22:52 <catalyst> operating systems like Tails provide additional isolation 
                    (i believe Tails won't ever write to a disk unless you 
                    explicitly ask it to)
29T22:57 <catalyst> XXXXX: may i paste your report into a public bug 
                    report? (redacting your IRC nickname)
29T22:57 <XXXXX> catalyst: yes ok
29T22:57 <catalyst> XXXXX: thanks
29T22:58 <XXXXX> catalyst: when i clicked "reset" on the noscript settings 
                     it broke some things i think the "default settings" are 
                     not the same ones tor uses so resetting to default breaks 
                     some things. a check mark is now checked called "override 
                     tor browser security preset" and even on MEDIUM slider 
                     settings it makes javascript disabled
29T22:58 <XXXXX> so also the reset option breaks things too!
29T23:03 <catalyst> XXXXX: that sounds unfortunate, but not too surprising. 
                    Tor Browser can't always handle unusual user interactions 
                    with the components it depends on. we can only try to fix 
                    stuff like this as we learn about it
29T23:03 <XXXXX> ok
29T23:03 <XXXXX> i'll delete and install the browser again
...
29T23:12 <XXXXX> catalyst: one other scary thing that might be related. 
                     when i visit sites after i press "new identity" that 
                     restarts the browser. when the new browser opens then i 
                     type something into the search bar at the top and 
                     sometimes it suggests the sites i was just viewing BUT for 
                     a split second then they vanish!
29T23:13 <XXXXX> i only noticed it when pressing "new identity" but not if 
                     i close the browser then open it myself instead. but after 
                     the suggested sites vanish they don't appear again and 
                     that is weird
29T23:15 <@arma> XXXXX: i would believe this -- new identity does a pile of 
                 things, and it does them in some order. it should probably 
                 change its order so you don't get confused into thinking it is 
                 done until it really is done.
29T23:15 <catalyst> XXXXX: that does seem scary. the behavior difference 
                    between "new identity" and restarting the browser is 
                    helpful to know, though. i'll add it to the bug report