[tor-talk] problem reinstalling NoScript

Joe Btfsplk joebtfsplk at gmx.com
Thu Oct 6 05:16:43 UTC 2016


On 10/4/2016 11:50 PM, krishna e bera wrote:
> On 04/10/16 10:03 PM, Joe Btfsplk wrote:
>> In TBB 6.0.5 (Win), NoScript 2.9.0.14 it seemed to be misbehaving.
>> It wasn't showing many trackers in the icon drop list, on sites where
>> there would be plenty.
>> I UNchecked "Allow Scripts Globally."
>>
>> I uninstalled it - closed TBB.  Removed  NoScript entries in pref.js &
>> restarted TBB, then reinstalled fresh NS copy - 2 separate times.
>> Didn't fix it.
> Without seeing whatever was left in your TBB folder from previous
> self-updates and from other add-ons or from data saved during sessions,
> it is difficult to figure out what is going on.
>
> I gave up trying to manage separate addons and settings in TBB long ago
> because the interactions between parts is complex and more importantly
> every bug that came up could be fixed by
> removing the whole TBB directory and starting from scratch.
I see what it is now, that was allowing all 3rd party scripts, while 
scripts for the base domain were blocked.  It's a NoScript setting that 
Tor devs put in the \Tor 
Browser\Browser\TorBrowser\Data\Browser\profile.default\preference\extension-overrides.js 
file.

They enable the Pref "NoScript.CascadePermissions" - that corresponds to 
Options > Advanced > Trusted - *"Cascade top document's permissions to 
3rd party scripts."*
In NoScript, it's disabled by default.
Note:  The section title for these options is "Additional permissions 
for TRUSTED sites."

If you have scripts blocked globally, or just one base domain has 
scripts *blocked*, AND the option "Cascade...permissions..." is 
*checked*, scripts from the base domain are blocked but it allows ALL 
3rd party scripts, even though the base domain is still blocked.

I doubt this is how most users expect this to work.  I'm not sure Tor 
devs knew it works this way, when the base domain is blocked.
I hope they didn't know & didn't do this intentionally.

Even though the section says the settings are for "trusted" sites. I 
think this is a bug of sorts.  Off hand, I can't think of a reason to 
block base domain scripts but allow all 3rd party.  The main site 
probably won't work anyway.

If you *block* the base domain, then it's not trusted, in this context.
In that case, all 3rd party scripts below it should also be blocked.  
Seems logical that Cascading the permissions should be dependent on base 
domain being allowed (trusted).  Lots of prefs are dependent on other 
conditions being met, or else the pref is inactive.




More information about the tor-talk mailing list