Tor fails at Content Security Policy (CSP)
Why can't Tor implement something like Content Security Policy (CSP) and make it possible to stop all injected scripts - even when NoScript allows scripts globally - that can deanonymize users?
It is known that a lot of people allow scripts globally in NoScript, because most sites break without JavaScript, but because of browser vulnerabilities, JavaScript allows unauthorized users to exploit visitors and deanonymize them.
Some CSP settings will allow only specific scripts. A script-src 'none' CSP setting can prevent all JavaScript on the web pages that enable this setting, even without NoScript. I think this should be the default setting for Tor Hidden Services, because they are constantly the target of unauthorized users that try to break into the servers of Tor Hidden Services to inject JavaScript that exploits visitors' browsers and breaks their anonymity.
Looking at other attack factors, I think it would be even better if Tor had a whitelisted script database lookup for each Tor Hidden Service, even before connecting to the Tor Hidden Service. In this database, JavaScript disallow settings should be defined and signed with a private key. Whitelisted scripts should be hashed using a hash algorithm that is collision resilient enough for years to come and signed with the private key as well. The private key should never be stored on the server. So, even when the unauthorized users get access to the physical servers and change whatever setting they want to on that server, even if they try to trick users into disabling NoScript, no scripts will be executed on the client side and the visitors won't lose their anonymity because of injected JavaScript on a breached Tor Hidden Service website.
Trac:
Username: HaronP
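The two CSP mechanisms the ticket relies on, a blanket `script-src 'none'` and a hash-based allowlist of known scripts, can be checked offline. The following is an added example written for this page, not code from the ticket author or from the Tor Project; it uses only the Python standard library and two constructed sample scripts (one the site operator knows, one standing in for an injected script). It builds a `script-src` directive from the hashes of the allowed inline scripts and then evaluates whether a given inline script would execute under a policy, including the fallback to `default-src` and the CSP2 rule that `'unsafe-inline'` is ignored once a hash or nonce source is present. The signing of the allowlist that the ticket also proposes is not covered here.

```python
import base64
import hashlib
from typing import List, Optional

# Constructed sample inputs (not from the ticket): one inline script the
# operator knows and wants to allow, and one standing in for injected code.
KNOWN_SCRIPT = "document.getElementById('status').textContent = 'ready';"
UNKNOWN_SCRIPT = "new Image().src = 'https://example.invalid/beacon';"

HASH_ALGOS = ("sha256", "sha384", "sha512")


def csp_hash_source(script_text: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source token for an inline script body.

    The digest covers the exact text between the <script> tags (tags
    excluded, whitespace included) and is encoded with standard base64.
    """
    if algo not in HASH_ALGOS:
        raise ValueError(f"unsupported CSP hash algorithm: {algo}")
    digest = hashlib.new(algo, script_text.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_script_policy(allowed_scripts: List[str], algo: str = "sha256") -> str:
    """Build a script-src directive permitting only the listed inline scripts.

    An empty allowlist yields script-src 'none', the default the ticket
    proposes for hidden services.
    """
    if not allowed_scripts:
        return "script-src 'none'"
    sources = " ".join(csp_hash_source(s, algo) for s in allowed_scripts)
    return f"script-src {sources}"


def _directive_sources(policy: str, name: str) -> Optional[List[str]]:
    """Return the source list of the named directive, or None if absent.

    Directive names are case-insensitive; source expressions keep their
    case because base64 hash values are case-sensitive.
    """
    for directive in policy.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def _hash_matches(source: str, script_text: str) -> bool:
    """Compare a hash-source against the script by digest bytes, so the
    standard and URL-safe base64 spellings of one digest both match."""
    algo, sep, encoded = source.strip("'").partition("-")
    if not sep or algo.lower() not in HASH_ALGOS:
        return False  # 'self', 'nonce-...', host sources, etc. are not hashes
    encoded = encoded.replace("-", "+").replace("_", "/").rstrip("=")
    try:
        claimed = base64.b64decode(encoded + "=" * (-len(encoded) % 4))
    except ValueError:
        return False
    actual = hashlib.new(algo.lower(), script_text.encode("utf-8")).digest()
    return claimed == actual


def inline_script_allowed(policy: str, script_text: str) -> bool:
    """Decide whether an inline script would execute under the policy.

    script-src governs scripts; if it is absent, default-src applies; if
    neither is present, the policy does not restrict scripts at all.
    """
    sources = _directive_sources(policy, "script-src")
    if sources is None:
        sources = _directive_sources(policy, "default-src")
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    has_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in sources)
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True  # CSP2: 'unsafe-inline' is ignored once hashes/nonces appear
    return any(_hash_matches(s, script_text) for s in sources)


if __name__ == "__main__":
    policy = build_script_policy([KNOWN_SCRIPT])
    print(policy)
    print("known script allowed:  ", inline_script_allowed(policy, KNOWN_SCRIPT))
    print("unknown script allowed:", inline_script_allowed(policy, UNKNOWN_SCRIPT))
    print("under 'none':          ", inline_script_allowed("script-src 'none'", KNOWN_SCRIPT))
```

The header value `build_script_policy` returns is what the hidden service's web server would send as `Content-Security-Policy`; because the hash is over the script body, an attacker who edits or appends to any inline script on a compromised server changes its digest and the browser refuses to run it, which is the property the ticket is after. The function only models inline scripts; external scripts need host or `'strict-dynamic'` sources, which this example does not evaluate.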