[tor-talk] noscript 10.2 default mandatory sites, trusted sites

Joe joebtfsplk at gmx.com
Mon Dec 24 17:10:07 UTC 2018


Thanks Georg.  Thanks for pointing out the noscript-control.js file.  
The path in TBB would be easier.  I'm not sure about no worries.
> No worries, Tor Browser does not trust those sites. I think your
> confusion above stems for a misunderstanding: we use NoScript for a very
> specific purpose, which is for helping us with our Security Slider,
So with NoScript quantum (10.x) in TBB, users that don't want basically 
everything allowed, will have to put Torbutton slider on Safest, then 
pick & choose which 1st or 3rd parties they'll allow, and whether it 
will be temporary or permanent (Trusted).

The NoScript UI is deceiving.  If only the torbutton slider is moved to 
Standard or Safest, after pages load, the NS UI looks exactly the same,  
That is, it shows nothing, either mode.

If TBB / NS is allowing all domains and trackers to load in Torbutton 
Standard (or however many and which), it should show which 1st or 3rd 
parties have been allowed in the NS menu.

Now, there's no indication that every domain has been allowed.  If 
they've been allowed (manually *or automatically*), they should show a 
check mark.
If they've been blocked, it should show that as well.  As is, the 
NoScript UI isn't that useful.



On 12/20/18 2:40 AM, Georg Koppen wrote:
> Joe:
>> Many of these settings aren't brand new (some are fairly new), but I'm
>> not sure how some of these settings are actually used in NoScript.
>> If they are used "as is," or if settings in one file (say, defaults.js)
>> interacts w/ or is overridden by other NS files.  Has anyone seen
>> official explanations how these sites shown as default or trusted
>> actually work in TBB?
>>
>> All of these are from TBB 8.4, noscript 10.2.
>> To see the files / settings, you have to copy or extract the noscript
>> .xpi file to a different location (has an alpha-numeric name:
>> {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi, from
>> profile.default/browser-extension-data.
>>
>> These are from the NS /legacy/defaults.js file:
>>
>> "mandatory": "[System+Principal] about:about:addons  about:blocked
>> about:certerror  about:config  about:crashes  about:feeds  about:home
>> about:memory  about:neterror  about:plugins  about:preferences
>> about:privatebrowsing  about:sessionrestore  about:srcdoc  about:support
>> about:tabcrashed  blob: chrome: mediasource: moz-extension:
>> moz-safe-about: resource:",
>>    "default":"about:blank about:pocket-saved about:pocket-signup 
>> addons.mozilla.org afx.ms ajax.aspnetcdn.com ajax.googleapis.com 
>> bootstrapcdn.com code.jquery.com firstdata.com firstdata.lv gfx.ms 
>> google.com googlevideo.com gstatic.com hotmail.com live.com live.net 
>> maps.googleapis.com mozilla.net netflix.com nflxext.com nflximg.com 
>> nflxvideo.net noscript.net outlook.com passport.com passport.net 
>> passportimages.com paypal.com paypalobjects.com securecode.com 
>> securesuite.net sfx.ms tinymce.cachefly.net wlxrs.com yahoo.com 
>> yahooapis.com yimg.com youtube.com ytimg.com",
>>
>> Note sites like google.com, googlevideo.com, hotmail.com,
>> maps.googleapis.com, paypal, yahoo & yahooapis.com and many others.
>> Are the legacy/default.js sites applied "as is" in TBB?  Where is that
>> explained?
>>
>> If they're allowed as shown, for example, I wouldn't want anything for
>> yahoo & their horrible security record, always enabled by default.
>>
>> The following are from the noscript /common/Policy.js file. I only
>> scratched the surface:
>>
>>   function defaultOptions() {
>>      return {
>>        sites:{
>>          trusted: `addons.mozilla.org
>>            afx.ms ajax.aspnetcdn.com
>>            ajax.googleapis.com bootstrapcdn.com
>>            code.jquery.com firstdata.com firstdata.lv gfx.ms
>>            google.com googlevideo.com gstatic.com
>>            hotmail.com live.com live.net
>>            maps.googleapis.com mozilla.net
>>            netflix.com nflxext.com nflximg.com nflxvideo.net
>>            noscript.net
>>            outlook.com passport.com passport.net passportimages.com
>>            paypal.com paypalobjects.com
>>            securecode.com securesuite.net sfx.ms tinymce.cachefly.net
>>            wlxrs.com
>>            yahoo.com yahooapis.com
>>            yimg.com youtube.com
>> ytimg.com`.split(/\s+/).map(Sites.secureDomainKey),
>>          untrusted: [],
>>          custom: {},
>>        },
>>        DEFAULT: new Permissions(["frame", "fetch", "other"]),
>>        TRUSTED: new Permissions(Permissions.ALL),
>>        UNTRUSTED: new Permissions(),
>>        enforced: true,
>>        autoAllowTop: false,
>>      };
>>    }
>> Again, are these used "as is," or is there a reason they're shown here
>> as (always) trusted?
>> Many users wouldn't want some of them Trusted by default - maybe never.
> No worries, Tor Browser does not trust those sites. I think your
> confusion above stems for a misunderstanding: we use NoScript for a very
> specific purpose, which is for helping us with our Security Slider,
> while its default use in any other browser, say Firefox, is a quite
> different one (giving you protections against scripts running etc.).
>
> So, with that in mind looking at the NoScript source alone for
> interfering what it does in Tor Browser is not sufficient. You need at
> least to look at our code controlling NoScript as well.[1]
>
>> Note also - Policy.js shows the Default tab permissions are only
>> supposed to be: "frame, fetch & other."
>> Everytime I start TBB, *ALL permissions* are enabled again under Default
>> tab, not just the 3 shown.  NoScript 10 in Firefox saves custom settings
>> & only has the 3 permissions enabled under Default tab.
> Re: the permissions, yes, that's again because NoScript serves a
> distinct purpose in Tor Browser (which is different from its default
> usage in other browsers).
>
>> This was reported right after NS 10 landed in TBB & still not fixed.
>> Like users aren't supposed to touch them. NoScript saving settings
>> between sessions - if users choose - should be fairly simple.  Most apps
>> outside of TBB allow it.
>> In TBB 8.0 - 8.4, backing up NS settings after changes still doesn't
>> work, but works OK in Firefox.
> That's fixed in our alpha releases, provided you flip a preference.[2]
> We plan to backport that fix, probably to the next stable, but won't
> make it easier to mess with NoScript's settings as the risk to shoot
> oneself in the foot by tweaking/"tuning" NoScript is pretty high.
>
> Georg
>
> [1]
> https://gitweb.torproject.org/torbutton.git/tree/src/modules/noscript-control.js
> [2]https://trac.torproject.org/projects/tor/ticket/27175
>
>



More information about the tor-talk mailing list