[tbb-bugs] #30394 [Applications/Tor Browser]: NoScript should fail closed
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon May 6 13:52:49 UTC 2019
#30394: NoScript should fail closed
--------------------------------------+--------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: enhancement | Status: reopened
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by gk):
Replying to [comment:6 cypherpunks]:
> Reopening as requested enhancement.
>
> The current software is like an OS that opens all the TCP ports into a
root shell, if the kernel firewall fails to load. No exaggeration: The
browser runs executable code from untrusted network sites.
>
> Tor Browser should start with `javascript.enabled` set to `false` by
default, and only set it to `true` upon successful load of NoScript.
>
> Thanks to other cypherpunks, ticket:30394#comment:4
>
> In the rare event of NoScript failure, is better to have some users
complain "why did the web break?" than expose ''all'' users to risk
covered by a false sense of security.
I doubt it would be just "some". But let's assume that for the sake of
argument. If they'd just complain I'd be up for that idea at once.
However, what I rather expect to happen is users just ditching Tor Browser
as it is broken for them: they can't reach Google, Twitter etc. anymore
and therefore can't check mails nor interact on social media. And thus,
they will happily turn to a browser without Tor to reach their sites and
boom!!! (This is _not_ happening for them with armagadd-on 2.0)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30394#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list