Steps to reproduce:
Set your NoScript setting to "Disable restrictions for this tab"
Load a SecureDrop source interface
(Works with any live SecureDrop instance >= 0.14.0)
Expected behavior
The security warning banner renders normally.
Actual behavior
The security warning banner looks like this:
Explanation
Tor enforces no consistency between the Tor security setting and the NoScript setting: You can have JavaScript enabled while your security level is nominally set to "safest" (which disables SVG rendering). The NoScript button is very visible, so it's not too much of an edge case to imagine that a user may have put their browser in this state intentionally or by accident.
These icons should probably be served up as PNG. That said, the banner is also incorrect in this situation (following the steps will not have any effect), so we may want to take this case into account in the next iteration on this warning.
The STR in the original issue no longer apply in Tor Browser 9.5, which seems to be better at enforcing "Safest" even when NoScript is set to permit JavaScript for a tab, or even set to override Tor settings. I was able to get into the state illustrated in the issue in "Safer" once, but I can no longer reproduce it.
Closing this issue, feel free to re-open if you can come up with STR for it in recent versions of Tor Browser.