[tbb-bugs] #27175 [Applications/Tor Browser]: NoScript plugin does not save per-site permissions/settings when tor browser closes

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Sep 13 23:47:20 UTC 2018


#27175: NoScript plugin does not save per-site permissions/settings when tor
browser closes
-------------------------------------------------+-------------------------
 Reporter:  tor-user-1234                        |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  noscript, tbb-regression,            |  Actual Points:
  tbb-8.0-issues                                 |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by arthuredelstein):

 Replying to [comment:8 gk]:
 > Replying to [comment:7 arthuredelstein]:
 > > It is possible to implement a modified security slider mechanism that
 would allow NoScript to retain per-site settings. But the question is
 whether it is actually desirable to do this, as saving per-site settings
 would (1) violate disk hygiene and (2) serve as a long-term fingerprinting
 vulnerability (at least, as long as NoScript is not first-party isolated).
 >
 > So, you are arguing that this is a feature of Tor Browser 8 and we
 should keep the status quo?

 Well, feature is too strong a word because it happened more or less
 incidentally as a result of NoScript's new architecture. :) And given the
 current UI of NoScript, it's very confusing to users because it looks as
 though per-site settings in NoScript should persist.

 But, yes, I am very hesitant to give users the means to persist their per-
 site settings, especially when the per-site settings are not first-party
 isolated. If a user decides to whitelist Google, then every website that
 embeds a Google ad can detect this. I am even worried about an opt-in
 solution because users often don't properly understand the downsides.

 At the same time, I also sympathize with donnm's comment:9 that it is
 inconvenient to have to redo per-site settings each time Tor Browser is
 restarted.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27175#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list