[tor-talk] User views on lesser of 2 evils_Tor FAQ on using java script

Joe Btfsplk joebtfsplk at gmx.com
Sat Jul 26 19:26:18 UTC 2014

How do some more advanced Tor users feel about pros & cons of leaving 
java script constantly enabled or selectively enabling it?
The overall java script issue & advice given at different times in 
different places can get confusing.
 From https://www.torproject.org/docs/faq#TBBJavaScriptEnabled:

"There's a tradeoff here. On the one hand, we should *leave JavaScript 
enabled* by default so websites work the way users expect. On the other 
hand, we should *disable JavaScript* by default to better protect 
against browser vulnerabilities ( not just a theoretical concern!). But 
there's a *third issue*: websites can easily determine whether you have 
allowed JavaScript for them, and if you disable JavaScript by default 
but then allow a few websites to run scripts (the way most people use 
NoScript), then your choice of whitelisted websites acts as a sort of 
cookie that makes you recognizable (and distinguishable), thus harming 
your anonymity. "

Unless you're seriously hard core in how you use TBB (visit only sites 
KNOWN not to use JS), you're effectively forced into either
* disabling js completely & not being able to use / see a lot of the net 
(even hard core news sites, etc.) - that's bad.
* selectively enabling js - which the FAQ says is also bad.
* leaving js on 100%.  Which is also said to be bad.

Yes, I understand what happens with & w/o JS, as to sites detecting info 
(if interested).  The issue is being "...between a rock & a hard place."
Seems we must make a choice:  Whether more concerned about "some" sites 
detecting JS is DISabled, while others detect it's ENabled (& 
presumably, these sites are jointly owned, or all share info or 3rd 
party trackers are advanced enough to ID even a "stock" Torbrowser, from 
one site to another).

If one or more of the latter 3 scenarios isn't true (or something 
similar), then one site detecting JS is off & another detecting it's on, 
isn't an issue.

Seems the advice given in different areas may conflict.  There are a 
good many advanced users not in favor of having JS enabled by default in 
Unless they *only* visit JS free sites, they're forced to selectively 
enable it, unless don't care about broken sites.

But, enabling JS allows sites (that try) to get FAR more browser / 
system info than if it's disabled.
So, is it, "damned if I do, damned if I don't?"

More information about the tor-talk mailing list