[tor-bugs] #27881 [Applications/Tor Browser]: NoScript initial configuration bug?

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 9 23:02:17 UTC 2019


#27881: NoScript initial configuration bug?
--------------------------------------+---------------------------
 Reporter:  simplestuf                |          Owner:  (none)
     Type:  defect                    |         Status:  closed
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:  not a bug
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------

Comment (by simple):

 > > There are no 'safer', 'safest' or 'standard' security modes that I can
 see within the noscript settings, or within Tor Browser Preferences under
 'General' or 'Privacy and Security'. If your 'standard' security mode does
 exist somewhere, it does not correspond with noscript's default values as
 obtained by pressing the 'reset' button in noscript preferences.
 >
 > You can find the security slider behind the onion toolbar item ->
 Security Settings... We are currently in the process of redesigning that
 part to make it both available on the toolbar and the Firefox preferences,
 see #25658.
 >
 > And, yes, the intention is not to emulate or use NoScript's default
 settings.
 >

 Thanks for the info.

 > > Also, this is a change that took place under a fairly recent Tor
 Browser update: Tor Browser didn't previously start in this insecure
 noscript initial state.
 >
 > It always started in a non-default mode, e.g. with scripts enabled etc.
 The particular way of the initial state might have changed with the
 NoScript WebExtensions version but, as I said, that's not relevant for us
 as we need NoScript mainly for managing our "safer" and "safest" modes.

 Previously I could trust Tor Browser to have noscript active from the
 outset, and I think this would be everyone's expectation. Putting the
 browser in an insecure default state where noscript misleadingly does
 absolutely nothing is a bad decision. If anyone was using the browser to
 do anything that actually required some degree of privacy or security, the
 update discussed above would have seriously compromised them.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27881#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

