Project

General

Profile

Bug #1114

[iceweasel] nonprism version does not work lots of websites

Shaac - almost 6 years ago - . Updated almost 6 years ago.

Status:
not-a-bug
Priority:
privacy issue
Assignee:
% Done:

0%


Description

With the new nonprism version a lots of websites are not workings. A lot of them say that javascript is not working, but yet sometimes it works, sometimes it does not.

Exemple: https://citymapper.com/ does not load

Then Emulatorman told me to set dom.storage.enabled to true. And since it better, but not quite working.

Exemples:
- https://www.whatismybrowser.com/detect/is-flash-installed says that javascript is not activated
- https://framadrop.org/ does not succeed to upload a file

The first link is full of ugly and possibly dangerous javascript, but the second is only free software.

In an cases, with those settings the web is not usable. And there is no “desactive temporary” button like with noscript. And since the nonprism repo is above the libre one, there is no other way to keep a useable browser other that to ditch the nonprism repository.


Related issues

Related to Packages - Bug #1113: [iceweasel] reverts to default cookie/addon/popup lists on loadnot-a-bug2016-09-28

Actions

History

#1

Updated by Anonymous almost 6 years ago

  • Assignee set to g4jc
#2

Updated by Anonymous almost 6 years ago

  • Related to Bug #1113: [iceweasel] reverts to default cookie/addon/popup lists on load added
#3

Updated by g4jc almost 6 years ago

Shaac wrote:

With the new nonprism version a lots of websites are not workings. A lot of them say that javascript is not working, but yet sometimes it works, sometimes it does not.

Exemple: https://citymapper.com/ does not load

Then Emulatorman told me to set dom.storage.enabled to true. And since it better, but not quite working.

Exemples:
- https://www.whatismybrowser.com/detect/is-flash-installed says that javascript is not activated
- https://framadrop.org/ does not succeed to upload a file

The first link is full of ugly and possibly dangerous javascript, but the second is only free software.

In an cases, with those settings the web is not usable. And there is no “desactive temporary” button like with noscript. And since the nonprism repo is above the libre one, there is no other way to keep a useable browser other that to ditch the nonprism repository.

Several new patches were introduced do strengthen the [nonprism] iceweasel and protect the end user from security and privacy threats.[1]

As Emulatorman mentioned, the setting that causes cookie issues on several websites and HTML5 DOM issues is caused by "dom.storage.enabled = false". This setting that is recommended by Tails as well as WildersSecurity2. As a user, you can set this back to true and/or use a user.js file in ~/.mozilla to override permanently, including in future updates. However, it comes with many privacy and security concerns.

- City Mapper only seems to require dom.storage.enabled = true.
- The fact What is My Browser is unable to detect flash means that nonprism is doing it's job, sites should not be able to identify and exploit installed plugins. Javascript is enabled, but advanced querying, assembly language, and related low-level JS was disabled.

- FramaDrop uses websockets. Websockets have in the past leaked IP addresses. This would mean users of proxy/VPN/VLAN would have their IP exposed to the website. This setting is controlled by "network.websocket.max-connections". Setting this manually to "5" will be enough to use the page, at the expense of possible IP leakage.

Using [libre] will allow you more features at the expense of your-privacy. The real bug here may be figuring out how to not force users of [libre] upgrade to [nonprism], or to be able to more easily opt-out.

[1] Complete list of patches, includes anti-fingerprinting and data leaking resistance: https://git.parabola.nu/abslibre.git/tree/nonprism/iceweasel/vendor.js
[2] http://www.wilderssecurity.com/threads/dom-storage-browser-data-storage-that-can-bypass-the-intent-of-blocking-third-party-cookies.364838/

#4

Updated by Anonymous almost 6 years ago

  • Priority changed from bug to discussion
#5

Updated by g4jc almost 6 years ago

  • Priority changed from discussion to privacy issue
  • Status changed from open to not-a-bug

For users who wish to opt-out of privacy, you can consult user.js1, the following options are applicable for websites mentioned:

user_pref("dom.storage.enabled", true);
user_pref("network.websocket.max-connections", "5");

http://kb.mozillazine.org/User.js_file

Closing bug.

Also available in: Atom PDF