[tbb-bugs] #27175 [Applications/Tor Browser]: NoScript plugin does not save per-site permissions/settings when tor browser closes

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 14 03:19:32 UTC 2018 

#27175: NoScript plugin does not save per-site permissions/settings when tor
browser closes
-------------------------------------------------+-------------------------
 Reporter:  tor-user-1234                        |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  noscript, tbb-regression,            |  Actual Points:
  tbb-8.0-issues                                 |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by cypherpunks_reply):

 Only some comments:

 Replying to [comment:10 arthuredelstein]:
 > But, yes, I am very hesitant to give users the means to persist their
 per-site settings, especially when the per-site settings are not first-
 party isolated.
 ABE in NoScript 5 was able to implement first-party-keyed policy.
 > If a user decides to whitelist Google, then every website that embeds a
 Google ad can detect this. I am even worried about an opt-in solution
 because users often don't properly understand the downsides.
 It also had this "Block scripting in whitelisted subdocuments of non-
 whitelisted pages" setting, which is not first-party isolation/keying but
 related (and I think similar to the kind of problem decomposition used by
 uMatrix). I wonder how it's handled now.
 > At the same time, I also sympathize with donnm's comment:9 that it is
 inconvenient to have to redo per-site settings each time Tor Browser is
 restarted.
 I use the highest level in torbutton slider and I don't care about
 persisting the per-site policy, I always keep the whitelist empty and only
 very seldom use temporary permissions which are revoked once done with the
 page Certainly "new identity" must also at least clear all temporary
 permissions. However, there were at least in NoScript 5 many other
 configuration knobs that applied globally and which I used to tighten with
 respect to vanilla TOr Browser (yes, I know that changed my profile).
 Maybe there should be a way to persist at least that kind of settings.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27175#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list