Skip to content

Restart the browser to change the security level preference

henryrequested to merge
henry/tor-browser:tighten-security-level-tb43783 into tor-browser-128.11.0esr-14.5-1

Merge Info

Issues

Resolves

Related

Merging

Target Branches

  • tor-browser - !fixups to tor-browser-specific commits, new features, security backports
  • base-browser and mullvad-browser - !fixups to base-browser-specific commits, new features to be shared with mullvad-browser, and security backports
    • ⚠️ IMPORTANT: Please list the base-browser-specific commits which need to be cherry-picked to the base-browser and mullvad-browser branches here

Target Channels

  • Alpha: esr128-14.5
  • Stable: esr128-14.0
  • Legacy: esr115-13.5 - Needs some changes: #43835 (closed).

Backporting

Timeline

  • No Backport (preferred): patchset for the next major stable
  • Immediate: patchset needed as soon as possible (fixes CVEs, 0-days, etc)
  • Next Minor Stable Release: patchset that needs to be verified in nightly before backport
  • Eventually: patchset that needs to be verified in alpha before backport

(Optional) Justification

  • Security update: patchset contains a security fix (be sure to select the correct item in Timeline)
  • Censorship event: patchset enables censorship circumvention
  • Critical bug-fix: patchset fixes a bug in core-functionality
  • Consistency: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
  • Sponsor required: patchset required for sponsor
  • Localization: typos and other localization changes that should be also in the release branch
  • Other: please explain

Upstream

  • Patchset is a candidate for uplift to Firefox
  • Patchset is a backport from Firefox
    • Bugzilla link:
    • Upstream commit:

Issue Tracking

Review

Request Reviewer

  • Request review from an applications developer depending on modified system:
    • NOTE: if the MR modifies multiple areas, please /cc all the relevant reviewers (since Gitlab only allows 1 reviewer)
    • accessibility : henry
    • android : clairehurst, dan
    • build system : boklm
    • ci/cd: brizental, henry
    • extensions : ma1
    • firefox internals (XUL/JS/XPCOM) : jwilde, ma1
    • fonts : pierov
    • frontend (implementation) : henry
    • frontend (review) : donuts, morgan
    • localization : henry, pierov
    • macOS : clairehurst, dan
    • nightly builds : boklm
    • rebases/release-prep : brizental, clairehurst, dan, ma1, pierov, morgan
    • security : jwilde, ma1
    • signing : boklm, morgan
    • updater : pierov
    • windows : jwilde, morgan
    • misc/other : pierov, morgan

Change Description

Includes changes originally in !1519 (closed):

  • Implement the designs from tpo/ux/design#162 (closed).
  • In addition, we drop the distinction between the security levels in the UI when the user has a custom security level. I.e. we always show shield as unfilled but with a yellow dot in the toolbar, and we just call it "Custom" rather than "Standard Custom", etc.

This fills in the gaps not covered by the UI redesign. It:

  • Adds a guarantee that security level is working as expected at startup. Otherwise it prompts the user for a restart to actually apply the settings.
  • Similarly, if the user clears the "custom" preference flag mid-session, or changes their slider setting in about:config or prefs.js they should get the same notification.
  • Marks a session as "custom" security level if the prompt is ignored, NoScript fails to initialise, or one of the controlled preferences is changed mid-session.
  • Adds an API SecurityLevelPrefs.setSecurityLevelAndRestart which should be used by android and desktop UI.
  • Adds a guarantee that NoScript was initialised. Otherwise shows a prompt.
  • Only sends settings to NoScript at startup. If the slider setting changes mid-session this will already prompt for a restart.
  • Adds some assurance that users with browser.security_level.noscript_persist will eventually have their settings passed on to NoScript when they change security level. We extend the existing preference browser.security_level.noscript_inited to do this. Before this patch this was set once to true and never changed again. Now we reset it to false whenever we change the slider security level.
  • Always logs a warning to the console if the user has browser.security_level.noscript_persist set.

/cc @pierov @ma1 @clairehurst @morgan

How Tested

Tested changing the security level preferences mid-session via about:config.

Also changed it out of session with prefs.js.

Also forced the NoScript initialisation to fail.

Edited by henry

Merge request reports