[tor-bugs] #31798 [Applications/Tor Browser]: wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Sep 19 07:59:14 UTC 2019


#31798: wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor
Browser
-----------------------+------------------------------------------
 Reporter:  adrelanos  |          Owner:  tbb-team
     Type:  defect     |         Status:  new
 Priority:  Medium     |      Component:  Applications/Tor Browser
  Version:             |       Severity:  Normal
 Keywords:             |  Actual Points:
Parent ID:             |         Points:
 Reviewer:             |        Sponsor:
-----------------------+------------------------------------------
 Noscript, file

 {{{
 {73a6fe31-595d-460b-a920-fcc0f8843232}
 }}}

 full path

 {{{
 tor-browser/Browser/TorBrowser/Data/Browser/profile.default/browser-extension-data/{73a6fe31-595d-460b-a920-fcc0f8843232}
 }}}

 when extracted contains file

 {{{
 common/Policy.js
 }}}

 which contains a list of websites.

 {{{
 addons.mozilla.org
 afx.ms ajax.aspnetcdn.com
 ajax.googleapis.com bootstrapcdn.com
 code.jquery.com firstdata.com firstdata.lv gfx.ms
 google.com googlevideo.com gstatic.com
 hotmail.com live.com live.net
 maps.googleapis.com mozilla.net
 netflix.com nflxext.com nflximg.com nflxvideo.net
 noscript.net
 outlook.com passport.com passport.net passportimages.com
 paypal.com paypalobjects.com
 securecode.com securesuite.net sfx.ms tinymce.cachefly.net
 wlxrs.com
 yahoo.com yahooapis.com
 yimg.com youtube.com ytimg.com
 }}}

 Related source code:

 {{{
   function defaultOptions() {
     return {
       sites:{
         trusted
 }}}

 File

 {{{
 legacy/defaults.js
 }}}

 is similar.

 Under [https://forums.whonix.org/t/noscript-with-security-slider-at-safest-permits-around-30-sites/8160 conditions]
 which are not yet clear to me how to reproduce, this can lead to
 whitelisting these websites in noscript even though the Tor Browser
 security slider is set to maximum.

 It's arguable if addons.mozilla.org should be whitelisted by default (I
 won't argue about it) but for sure netflix, paypal, youtube and others
 don't deserve special treatment by Tor Browser. Obvious tracking and
 security risk.

 Looks like pressing the reset button in noscript also results in setting
 these websites to trusted by default in noscript.

 Therefore, please kindly consider removing that whitelist from noscript.

 Additional suggestions:

 * Have a unit test that greps the source code for (these) websites so
 these aren't reintroduced in later (noscript) add-on versions.
 * Report to upstream (noscript).

 Related:

 https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31798>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
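
The unit test suggested in the ticket could look like the following sketch. It is an added example, not code from the ticket, NoScript or Tor Browser. The archive built by `build_sample_xpi` is constructed, and the function names, the domain subset and the choice to scan only `.js`/`.json` members are assumptions.

```python
import io
import re
import zipfile

# Subset of the domains listed in the ticket that the reporter objects to.
FORBIDDEN = ["netflix.com", "nflxext.com", "nflximg.com", "nflxvideo.net",
             "paypal.com", "paypalobjects.com", "googlevideo.com",
             "youtube.com", "ytimg.com"]

def find_listed_domains(xpi_bytes, domains=FORBIDDEN, suffixes=(".js", ".json")):
    """Return (member, line_no, domain) for each mention in an XPI's scripts."""
    # Match whole host tokens only: "www.paypal.com" counts as a mention,
    # "notpaypal.com" and "paypal.community" do not.
    pattern = re.compile(
        r"(?<![\w-])(" + "|".join(re.escape(d) for d in domains) + r")(?![\w-])",
        re.IGNORECASE)
    hits = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:  # an XPI is a zip file
        for name in sorted(xpi.namelist()):
            if not name.endswith(suffixes):
                continue
            text = xpi.read(name).decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), 1):
                for m in pattern.finditer(line):
                    hits.append((name, line_no, m.group(1).lower()))
    return hits

def build_sample_xpi():
    """Constructed stand-in for the add-on archive; file contents are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("common/Policy.js",
                   "function defaultOptions() {\n"
                   "  return { sites: { trusted: `noscript.net\n"
                   "paypal.com paypalobjects.com\n"
                   "youtube.com ytimg.com`.split(/\\s+/) } };\n"
                   "}\n")
        z.writestr("legacy/defaults.js", "var d = 'notpaypal.com netflix.com';\n")
        z.writestr("README.txt", "mentions youtube.com but is not scanned\n")
    return buf.getvalue()

def check_addon(xpi_bytes):
    """Test-style entry point: raise if any listed domain is bundled."""
    hits = find_listed_domains(xpi_bytes)
    if hits:
        raise AssertionError("default-trusted domains present: %r" % hits)

if __name__ == "__main__":
    for member, line_no, domain in find_listed_domains(build_sample_xpi()):
        print("%s:%d: %s" % (member, line_no, domain))
```

In a build pipeline, `check_addon` would be given the bytes of the bundled add-on archive, so that a later add-on version reintroducing the list fails the test.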

