[tor-bugs] #30570 [Applications/Tor Browser]: Implement per-site security settings support
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 9 17:40:49 UTC 2019
#30570: Implement per-site security settings support
--------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: enhancement | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ux-team | Actual Points:
Parent ID: #25658 | Points:
Reviewer: | Sponsor: Sponsor9
--------------------------------------+--------------------------
Comment (by torlove):
Thanks for opening this ticket, gk. Good to see that there is a sponsor
for this.
The document referred to above:
https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/101
-security-controls-redesign.txt
As I have said in another ticket:
"It is a good document, whatever we can do to make things easier for
beginners is good.
There are two items discussed in the resource above that have not been
done.
1) Educating the user about the changes.
Although it was not part of the scope of the document the author clearly
states that this is an area that requires attention. It is important to
tell users of impending changes, and to inform a user when a change is
implemented. The home screen is the best place to do that.
2) Moving per-site js permissions (NoScript) too the URL bar:
In my opinion, NoScript should be moved to the URL bar to the right of the
"Toggle Reader View" button. The icon should be one that suggests code or
scripting, either:
a) a tiny backslash inside angled brackets, or
b) the standby/power symbol (https://www.symbols.com/symbol/standby-
symbol), or
c) a gear icon with JS written lightly inside.
Alongside the icon should be a small tag with the number of js domains
blocked having a strike-though. The number of approved js domains used by
the page would not have a strike-though.
NoScript needs to continue being one click away because when a
page/document loads and the JS is blocked there is no way to re-trigger
the page load event. So there are times when the user must access NoScript
after multiple page load events. Typically two page loads are needed, but
I have seen websites where five page loads are needed. The user needs to
repeat this process for a domain every time they restart Tor browser.
In the interests of educating the user, after restarting the browser we
might inform the user that editing the permissions may make fingerprinting
easier. Especially if you repeatedly use the same settings.
Furthermore, in terms of simplifying the toolbar, the 'three dot icon' is
redundant. The three options a user gets is:
- Bookmark this page (the user already has a bookmark button)
- Copy link.
- Email link.
None of these options add value, I'd much rather dedicate the space to the
NoScript icon and subsequent tag.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30570#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list