[tor-bugs] #27881 [Applications/Tor Browser]: NoScript initial configuration bug?

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 9 11:49:17 UTC 2019 

#27881: NoScript initial configuration bug?
--------------------------------------+---------------------------
 Reporter:  simplestuf                |          Owner:  (none)
     Type:  defect                    |         Status:  closed
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:  not a bug
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------

Comment (by gk):

 Replying to [comment:6 simple]:
 > Replying to [comment:5 gk]:
 > > Replying to [comment:4 simple]:
 > > > Replying to [comment:2 gk]:
 > > > > What exactly is the bug report about here? (I am confused and it
 seems to me there is more than one issue complained about in the
 description.)
 > > >
 > > > When tor browser is opened, no sites are listed as 'Untrusted' and
 'Default' sites (which is every site) have everything allowed. Hence
 Noscript is completely useless unless one bothers to look into the
 settings and fix things up before starting to browse.
 > >
 > > That's not a bug but expected. We use NoScript to get the properties
 of our "safer" and "safest" security mode we want. On the level "standard"
 you should get the most usable browsing experience, which means the least
 amount of website breakage due to disabled features we can provide.
 >
 > There is no 'safer', 'safest' or 'standard' security modes that I can
 see within the noscript settings, or within Tor Browser Preferences under
 'General' or 'Privacy and Security'. If your 'standard' security mode does
 exist somewhere, it does not correspond with noscript's default values as
 obtained by pressing the 'reset' button in noscript preferences.

 You can find the security slider behind the onion toolbar item -> Security
 Settings... We are currently in the process of redesigning that part to
 make it both available on the toolbar and the Firefox preferences, see
 #25658.

 And, yes, the intention is not to emulate or use NoScript's default
 settings.

 > Also, this is a change that took place under a fairly recent Tor Browser
 update: Tor Browser didn't previously start in this insecure noscript
 initial state.

 It always started in a non-default mode, e.g. with scripts enabled etc.
 The particular way of the initial state might have changed with the
 NoScript WebExtensions version but, as I said, that's not relevant for us
 as we need NoScript mainly for managaing our "safer" and "safest" modes.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27881#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list