[tor-bugs] #30570 [Applications/Tor Browser]: Implement per-site security settings support

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 9 17:40:49 UTC 2019


#30570: Implement per-site security settings support
--------------------------------------+--------------------------
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  ux-team                   |  Actual Points:
Parent ID:  #25658                    |         Points:
 Reviewer:                            |        Sponsor:  Sponsor9
--------------------------------------+--------------------------

Comment (by torlove):

 Thanks for opening this ticket, gk. Good to see that there is a sponsor
 for this.

 The document referred to above:
 https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/101
 -security-controls-redesign.txt

 As I have said in another ticket:

 "It is a good document, whatever we can do to make things easier for
 beginners is good.

 There are two items discussed in the resource above that have not been
 done.

 1) Educating the user about the changes.

 Although it was not part of the scope of the document the author clearly
 states that this is an area that requires attention. It is important to
 tell users of impending changes, and to inform a user when a change is
 implemented. The home screen is the best place to do that.

 2) Moving per-site js permissions (NoScript) too the URL bar:

 In my opinion, NoScript should be moved to the URL bar to the right of the
 "Toggle Reader View" button. The icon should be one that suggests code or
 scripting, either:

 a) a tiny backslash inside angled brackets, or
 b) the standby/power symbol (​https://www.symbols.com/symbol/standby-
 symbol), or
 c) a gear icon with JS written lightly inside.

 Alongside the icon should be a small tag with the number of js domains
 blocked having a strike-though. The number of approved js domains used by
 the page would not have a strike-though.

 NoScript needs to continue being one click away because when a
 page/document loads and the JS is blocked there is no way to re-trigger
 the page load event. So there are times when the user must access NoScript
 after multiple page load events. Typically two page loads are needed, but
 I have seen websites where five page loads are needed. The user needs to
 repeat this process for a domain every time they restart Tor browser.

 In the interests of educating the user, after restarting the browser we
 might inform the user that editing the permissions may make fingerprinting
 easier. Especially if you repeatedly use the same settings.

 Furthermore, in terms of simplifying the toolbar, the 'three dot icon' is
 redundant. The three options a user gets is:

 - Bookmark this page (the user already has a bookmark button)
 - Copy link.
 - Email link.

 None of these options add value, I'd much rather dedicate the space to the
 NoScript icon and subsequent tag.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30570#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list