Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#17637 closed defect (wontfix)

NoScript in Tor-Browser allows all third party domains

Reported by: ctbu Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: noscript
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Tor-Browser 5.0.4 comes with NoScript installed by default. However, the NoScript is either defective or misconfigured by default. When I allow script execution for the top-level domain, then NoScript automatically allows execution of script of all third party domains for this page. This is a huge security risk. The user should be able to decide which additional domains he wants to allow.

Child Tickets

Attachments (3)

Screenshot-Privacy and Security Settings.png (46.1 KB) - added by ctbu 4 years ago.
Screenshot_normal_noscript.png (61.2 KB) - added by ctbu 4 years ago.
NoScript in normal browser; shows all subdomains
Screenshot_tor_noscript.png (25.7 KB) - added by ctbu 4 years ago.
NoScript of same site, but in Tor-Browser; no subdomains listed

Download all attachments as: .zip

Change History (11)

comment:1 Changed 4 years ago by gk

Priority: ImmediateMedium
Severity: CriticalNormal
Status: newneeds_information

Could you explain what you are doing exactly in order to reproduce your problem? Do you have the security slider set to a non-default level?

comment:2 Changed 4 years ago by ctbu

I am not doing anything to reproduce it. The browser shipped this way. I just click on the NoScript logo, then on 'temporarily allow top-level domain' and when the site is reloaded all subdomains/3rd-party domains are allowed, too. E.g., if a site has an embedded YouTube video and I want allow only the current site then, on reload, the YouTube video can be played, too, although I did not allow it explicitly.
I have attached a screenshot of my security settings. I never changed them.

I am further attaching two screenshots of what NoScript displays when I browse a site with a "normal" browser and what is being displayed when I browse the same site with Tor-Browser.

Last edited 4 years ago by ctbu (previous) (diff)

Changed 4 years ago by ctbu

NoScript in normal browser; shows all subdomains

Changed 4 years ago by ctbu

Attachment: Screenshot_tor_noscript.png added

NoScript of same site, but in Tor-Browser; no subdomains listed

comment:3 Changed 4 years ago by ctbu

Resolution: worksforme
Status: needs_informationclosed

After going through all the options I finally found the setting to correct this behavior.
Under Options->Advanced->Trusted untick "Cascade top document's permissions to 3rd party scripts'.
Now every subdomain can be allowed/disallowed individually. This should be the default behavior.
This setting should not be checked by default out of convenience. The Tor Homepage encourages the user to not just trust on Tor to magically anonymize his traffic, but to actively read up on the material and change his browsing behavior. Therefore, the user should also engage himself in handling NoScript.

I also noticed that NoScript is initially deactivated in Tor-Browser. Maybe this should also be changed in upcoming releases.

comment:4 Changed 3 years ago by bugzilla

Keywords: Tor-Browser removed
Resolution: worksforme
Status: closedreopened

Hmm, OP described the problem and closed the ticket...
Good conclusions are in comment:3. This setting in High when enabling JS leads to worse security than in Medium-High...

comment:5 Changed 3 years ago by gk

Keywords: NoScript removed
Resolution: wontfix
Status: reopenedclosed

Cascading the permissions is intented, thus fixing that behavior is WONTFIX.

comment:6 Changed 3 years ago by bugzilla

Keywords: noscript added

Then we need an answer from Giorgio whether this behavior is intended or could be improved.

comment:7 Changed 3 years ago by gk

No need to bother Giorgio. I already said that this behavior is intended: if one checks the cascading permissions option then one wants to get it I guess.

comment:8 Changed 3 years ago by bugzilla

Giorgio could explain to you why this option is no good and disabled by default in NoScript. Who is that one that checked the cascading permissions option by default in TBB?

Note: See TracTickets for help on using tickets.