[tor-bugs] #17637 [Tor Browser]: NoScript in Tor-Browser allows all third party domains
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Nov 18 18:59:24 UTC 2015
#17637: NoScript in Tor-Browser allows all third party domains
-----------------------------+----------------------------------
     Reporter:  ctbu         |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  Immediate    |  Milestone:
    Component:  Tor Browser  |    Version:
     Severity:  Critical     |   Keywords:  Tor-Browser NoScript
Actual Points:               |  Parent ID:
       Points:               |    Sponsor:
-----------------------------+----------------------------------
Tor-Browser 5.0.4 comes with NoScript installed by default. However,
NoScript is either defective or misconfigured by default. When I allow
script execution for the top-level domain, then NoScript automatically
allows execution of scripts from all third-party domains for this page. This
is a huge security risk. The user should be able to decide which
additional domains he wants to allow.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17637>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online