[tor-bugs] #3975 [Tor Browser]: NoScript is not configured to "Forbid "Web Bugs"" on "Untrusted" web sites

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat Sep 10 03:44:40 UTC 2011


#3975: NoScript is not configured to "Forbid "Web Bugs"" on "Untrusted" web sites
-------------------------+--------------------------------------------------
 Reporter:  joyton       |          Owner:  mikeperry
     Type:  defect       |         Status:  new      
 Priority:  normal       |      Milestone:           
Component:  Tor Browser  |        Version:           
 Keywords:               |         Parent:           
   Points:               |   Actualpoints:           
-------------------------+--------------------------------------------------

Comment(by mikeperry):

 By default we try to use NoScript in a minimal sense, because we don't
 believe in a filter-based approach to security. We never enabled this
 particular option because what the hell is a "Web Bug"? I imagine it is a
 0x0 hidden pixel element. However, there could also be a broader
 definition that covers any number of items. For example, if everyone in
 the world blocked "Web bugs", those using them to undermine privacy would
 simply move to a new technique (such as empty CSS style sheets, or
 XMLHTTPRequest pings, or ???). Then, NoScript would have to block that.
 The leads to an escalating scenario where more and more web content types
 get blocked.

 Sure, the "Block Web Bugs" checkbox probably doesn't damage much on the
 web now, but
 clicking the checkbox commits us to the fallout of whatever arms race
 ensues for it that the NoScript guy has to fight.

 Instead, we have opted to prevent third party content elements from being
 able to transmit linkabile identifiers in the first place. See:
 https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-
 track-vs-real-privacy-design

 Also, you may want to track #3812 if these decisions interest you.

 I like your other bugs though, very glad to have the help!

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3975#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list