NoScript in Tor-Browser allows all third party domains
Tor-Browser 5.0.4 comes with NoScript installed by default. However, NoScript is either defective or misconfigured by default. When I allow script execution for the top-level domain, NoScript automatically allows execution of scripts from all third-party domains for this page. This is a huge security risk. The user should be able to decide which additional domains he wants to allow.
Trac:
Username: ctbu