[tor-talk] noscript 10.2 default mandatory sites, trusted sites

Thu Dec 20 08:40:00 UTC 2018

Joe:
> Many of these settings aren't brand new (some are fairly new), but I'm
> not sure how some of these settings are actually used in NoScript.
> If they are used "as is," or if settings in one file (say, defaults.js)
> interacts w/ or is overridden by other NS files.  Has anyone seen
> official explanations how these sites shown as default or trusted
> actually work in TBB?
> 
> All of these are from TBB 8.4, noscript 10.2.
> To see the files / settings, you have to copy or extract the noscript
> .xpi file to a different location (has an alpha-numeric name:
> {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi, from
> profile.default/browser-extension-data.
> 
> These are from the NS /legacy/defaults.js file:
> 
> "mandatory": "[System+Principal] about: about:addons about:blocked
> about:certerror about:config about:crashes about:feeds about:home
> about:memory about:neterror about:plugins about:preferences
> about:privatebrowsing about:sessionrestore about:srcdoc about:support
> about:tabcrashed blob: chrome: mediasource: moz-extension:
> moz-safe-about: resource:",
>   "default": "about:blank about:pocket-saved about:pocket-signup
> addons.mozilla.org afx.ms ajax.aspnetcdn.com ajax.googleapis.com
> bootstrapcdn.com code.jquery.com firstdata.com firstdata.lv gfx.ms
> google.com googlevideo.com gstatic.com hotmail.com live.com live.net
> maps.googleapis.com mozilla.net netflix.com nflxext.com nflximg.com
> nflxvideo.net noscript.net outlook.com passport.com passport.net
> passportimages.com paypal.com paypalobjects.com securecode.com
> securesuite.net sfx.ms tinymce.cachefly.net wlxrs.com yahoo.com
> yahooapis.com yimg.com youtube.com ytimg.com",
> 
> Note sites like google.com, googlevideo.com, hotmail.com,
> maps.googleapis.com, paypal, yahoo & yahooapis.com and many others.
> Are the legacy/default.js sites applied "as is" in TBB?  Where is that
> explained?
> 
> If they're allowed as shown, for example, I wouldn't want anything for
> yahoo & their horrible security record, always enabled by default.
> 
> The following are from the noscript /common/Policy.js file. I only
> scratched the surface:
> 
>  function defaultOptions() {
>     return {
>       sites:{
>         trusted: `addons.mozilla.org
>           afx.ms ajax.aspnetcdn.com
>           ajax.googleapis.com bootstrapcdn.com
>           code.jquery.com firstdata.com firstdata.lv gfx.ms
>           google.com googlevideo.com gstatic.com
>           hotmail.com live.com live.net
>           maps.googleapis.com mozilla.net
>           netflix.com nflxext.com nflximg.com nflxvideo.net
>           noscript.net
>           outlook.com passport.com passport.net passportimages.com
>           paypal.com paypalobjects.com
>           securecode.com securesuite.net sfx.ms tinymce.cachefly.net
>           wlxrs.com
>           yahoo.com yahooapis.com
>           yimg.com youtube.com
> ytimg.com`.split(/\s+/).map(Sites.secureDomainKey),
>         untrusted: [],
>         custom: {},
>       },
>       DEFAULT: new Permissions(["frame", "fetch", "other"]),
>       TRUSTED: new Permissions(Permissions.ALL),
>       UNTRUSTED: new Permissions(),
>       enforced: true,
>       autoAllowTop: false,
>     };
>   }
> Again, are these used "as is," or is there a reason they're shown here
> as (always) trusted?
> Many users wouldn't want some of them Trusted by default - maybe never.

No worries, Tor Browser does not trust those sites. I think your
confusion above stems for a misunderstanding: we use NoScript for a very
specific purpose, which is for helping us with our Security Slider,
while its default use in any other browser, say Firefox, is a quite
different one (giving you protections against scripts running etc.).

So, with that in mind looking at the NoScript source alone for
interfering what it does in Tor Browser is not sufficient. You need at
least to look at our code controlling NoScript as well.[1]

> Note also - Policy.js shows the Default tab permissions are only
> supposed to be: "frame, fetch & other."
> Everytime I start TBB, *ALL permissions* are enabled again under Default
> tab, not just the 3 shown.  NoScript 10 in Firefox saves custom settings
> & only has the 3 permissions enabled under Default tab.

Re: the permissions, yes, that's again because NoScript serves a
distinct purpose in Tor Browser (which is different from its default
usage in other browsers).

> This was reported right after NS 10 landed in TBB & still not fixed. 
> Like users aren't supposed to touch them. NoScript saving settings
> between sessions - if users choose - should be fairly simple.  Most apps
> outside of TBB allow it.
> In TBB 8.0 - 8.4, backing up NS settings after changes still doesn't
> work, but works OK in Firefox.

That's fixed in our alpha releases, provided you flip a preference.[2]
We plan to backport that fix, probably to the next stable, but won't
make it easier to mess with NoScript's settings as the risk to shoot
oneself in the foot by tweaking/"tuning" NoScript is pretty high.

Georg

[1]
https://gitweb.torproject.org/torbutton.git/tree/src/modules/noscript-control.js
[2] https://trac.torproject.org/projects/tor/ticket/27175

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20181220/bce482da/attachment.sig>