[tor-bugs] #20366 [Applications]: NoScript allows all 3rd party scripts when base domain is blocked

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Oct 14 23:09:50 UTC 2016

#20366: NoScript allows all 3rd party scripts when base domain is blocked
     Reporter:  joebt         |      Owner:
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:
    Component:  Applications  |    Version:
     Severity:  Normal        |   Keywords:  NoScript, Cascade, 3rd party
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
 An odd behavior if "Cascade top document's permissions to 3rd party
 scripts" is enabled in Advanced > Trusted tab.

  * With this enabled, even when the base domain - top document - is
 intentionally blocked, NoScript still allows all 3rd party scripts.  I
 think this is incorrect behavior and not what users expect, when base
 domains are still blocked.

 Then it lists the 3rd party sites under NS menu "Untrusted" group - but
 not marked untrusted.  Normally, when 3rd party sites are allowed, they're
 listed in main menu (where users can see them), with the option to Forbid
 individual sites.

 At best, it makes no sense to load 3rd party scripts - or show them as
 loaded, when the base domain is blocked.
 It's also confusing and misleading, based on NoScript's verbiage on this
 option's page.  It seems a waste of time, bandwidth to load 3rd party
 scripts if they're not going to be used.  At worst, a 3rd party developer
 learns to exploit 3rd party scripts being loaded when base domains are

  * The description in Trusted tab is, "Additional permissions for
 '''trusted''' sites."

   Keyword being "Trusted."  Blocking the base domain implies it is not

  * The option is called, "Cascade top document's '''permissions'''...."
 If the top document's permission status is __blocked__, then it's doing
 the opposite of its current permissions.  Only load 3rd party scripts if a
 base domain is allowed.

 Tor Project opted to override [wiki:NoScript NoScript] allowing
 some 3rd parties by default, via the extension-overrides.js file; e.g.,
 google.dom gstatic.dom ajax.googleapis.dom, etc.  But the Cascade option
 allows all 3rd party scripts when users have chosen not to allow scripts
 on the current page.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20366>