[tor-talk] UI/UX/security. Per-site security settings in Tor Browser?
jonathan.femideer at autistici.org
Wed Mar 1 23:36:54 UTC 2017
In Tor Browser 6.5, is there a way to choose per-site security settings?
Ideally, from a security perspective, users would be able to use the
"High" setting, and this would *just work* on all sites. (Onion >
Security Settings > High.)
However, some websites, and some webmail clients, are built in a way
and webmail clients, the only two options seem to be:
1. Change the browser security settings (Onion > Security Settings >
2. Click NoScript icon > "Temporarily allow all this page".
These both have disadvantages. Respectively:
1. If the user subsequently opens a new tab to visit a different
website, this will now only be at the Medium security setting instead of
the High setting, even if this latter website would work fine with the
High setting. So the user's security gets reduced on the new site,
unnecessarily. Alternatively, if the user is keeping one or more tabs
open for the first site, while using other tabs to browse other sites
that are less trusted or don't require the Medium setting, then the user
has to keep adjusting the browser security level each time they want to
interact with the first site in one of those tabs. TL;DR: switching tabs
shouldn't require changing security settings to make the contents of
those tabs function.
2. "Temporarily allow all this page" seems to be less secure than the
Medium security setting. A user might trust a website (or *need* to use
it) just enough to be willing to reduce the security level to Medium in
order to make it function, but no lower than that. "Temporarily allow
all this page" seems to be more like reducing the security level for
that site to Low.
So, is there a way for the user to keep the security level at High for
all sites except for a few specific sites, and to set the latter to
N.B. I have not yet encountered any websites that require the security
level to be set to Low, but perhaps such websites do exist. If so, then
please consider my question to extend to allowing a per-site setting of
Low for those websites.
More information about the tor-talk