[tor-talk] UI/UX/security. Per-site security settings in Tor Browser?

Jonathan Femideer jonathan.femideer at autistici.org
Wed Mar 1 23:36:54 UTC 2017 

In Tor Browser 6.5, is there a way to choose per-site security settings?

Ideally, from a security perspective, users would be able to use the 
"High" setting, and this would *just work* on all sites. (Onion > 
Security Settings > High.)

However, some websites, and some webmail clients, are built in a way 
that requires the user to execute some JavaScript. For these websites 
and webmail clients, the only two options seem to be:

1. Change the browser security settings (Onion > Security Settings > 
Medium).

2. Click NoScript icon > "Temporarily allow all this page".

These both have disadvantages. Respectively:

1. If the user subsequently opens a new tab to visit a different 
website, this will now only be at the Medium security setting instead of 
the High setting, even if this latter website would work fine with the 
High setting. So the user's security gets reduced on the new site, 
unnecessarily. Alternatively, if the user is keeping one or more tabs 
open for the first site, while using other tabs to browse other sites 
that are less trusted or don't require the Medium setting, then the user 
has to keep adjusting the browser security level each time they want to 
interact with the first site in one of those tabs. TL;DR: switching tabs 
shouldn't require changing security settings to make the contents of 
those tabs function.

2. "Temporarily allow all this page" seems to be less secure than the 
Medium security setting. A user might trust a website (or *need* to use 
it) just enough to be willing to reduce the security level to Medium in 
order to make it function, but no lower than that. "Temporarily allow 
all this page" seems to be more like reducing the security level for 
that site to Low.

So, is there a way for the user to keep the security level at High for 
all sites except for a few specific sites, and to set the latter to 
Medium?

N.B. I have not yet encountered any websites that require the security 
level to be set to Low, but perhaps such websites do exist. If so, then 
please consider my question to extend to allowing a per-site setting of 
Low for those websites.

More information about the tor-talk mailing list