Tor-Browser 5.0.4 comes with NoScript installed by default. However, NoScript is either defective or misconfigured by default. When I allow script execution for the top-level domain, NoScript automatically allows execution of scripts from all third-party domains on this page. This is a huge security risk. The user should be able to decide which additional domains he wants to allow.
Trac: Username: ctbu
I am not doing anything to reproduce it. The browser shipped this way. I just click on the NoScript logo, then on 'temporarily allow top-level domain', and when the site is reloaded all subdomains/3rd-party domains are allowed, too. E.g., if a site has an embedded YouTube video and I want to allow only the current site, then, on reload, the YouTube video can be played, too, although I did not allow it explicitly.
I have attached a screenshot of my security settings. I never changed them.
EDIT:
I am further attaching two screenshots of what NoScript displays when I browse a site with a "normal" browser and what is being displayed when I browse the same site with Tor-Browser.
After going through all the options I finally found the setting to correct this behavior.
Under Options->Advanced->Trusted, untick "Cascade top document's permissions to 3rd party scripts".
Now every subdomain can be allowed/disallowed individually. This should be the default behavior.
This setting should not be checked by default out of convenience. The Tor Homepage encourages the user not to just trust Tor to magically anonymize his traffic, but to actively read up on the material and change his browsing behavior. Therefore, the user should also engage himself in handling NoScript.
PS:
I also noticed that NoScript is initially deactivated in Tor-Browser. Maybe this should also be changed in upcoming releases.
Trac: Username: ctbu Status: needs_information to closed Resolution: N/A to worksforme
Hmm, OP described the problem and closed the ticket...
Good conclusions are in comment:3. This setting in High when enabling JS leads to worse security than in Medium-High...
No need to bother Giorgio. I already said that this behavior is intended: if one checks the cascading permissions option then one wants to get it I guess.
Giorgio could explain to you why this option is no good and disabled by default in NoScript. Who is the one that checked the cascading permissions option by default in TBB?