[tor-bugs] #20366 [Applications]: NoScript allows all 3rd party scripts when base domain is blocked
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Oct 14 23:09:50 UTC 2016
#20366: NoScript allows all 3rd party scripts when base domain is blocked
------------------------------+------------------------------------------
Reporter: joebt | Owner:
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications | Version:
Severity: Normal | Keywords: NoScript, Cascade, 3rd party
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+------------------------------------------
An odd behavior if "Cascade top document's permissions to 3rd party
scripts" is enabled in Advanced > Trusted tab.
* With this enabled, even when the base domain - top document - is
intentionally blocked, NoScript still allows all 3rd party scripts. I
think this is incorrect behavior and not what users expect, when base
domains are still blocked.
Then it lists the 3rd party sites under NS menu "Untrusted" group - but
not marked untrusted. Normally, when 3rd party sites are allowed, they're
listed in main menu (where users can see them), with the option to Forbid
individual sites.
At best, it makes no sense to load 3rd party scripts - or show them as
loaded, when the base domain is blocked.
It's also confusing and misleading, based on NoScript's verbiage on this
option's page. It seems a waste of time, bandwidth to load 3rd party
scripts if they're not going to be used. At worst, a 3rd party developer
learns to exploit 3rd party scripts being loaded when base domains are
blocked.
* The description in Trusted tab is, "Additional permissions for
'''trusted''' sites."
Keyword being "Trusted." Blocking the base domain implies it is not
trusted.
* The option is called, "Cascade top document's '''permissions'''...."
If the top document's permission status is __blocked__, then it's doing
the opposite of its current permissions. Only load 3rd party scripts if a
base domain is allowed.
Tor Project opted to override NoScript, allowing
some 3rd parties by default, via the extension-overrides.js file; e.g.,
google.dom gstatic.dom ajax.googleapis.dom, etc. But the Cascade option
allows all 3rd party scripts when users have chosen not to allow scripts
on the current page.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20366>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online