NoScript plugin does not save per-site permissions/settings when tor browser closes

When I re-open the TOR Browser, any of the previously saved NoScript plugin per-site permissions are gone and I have to set all per-site permissions again.

It seems that the NoScript plugin settings are not saved when the TOR Browser closes. Those settings need to be saved if the user does NOT choose "private browsing mode" nor "clear history" in the TOR Browser settings.

Trac:
Username: tor-user-1234

added TorBrowserTeam201809R component::applications/tor browser noscript owner::tbb-team priority::high reporter::tor-user-1234 resolution::fixed severity::normal status::closed tbb-8.0-issues tbb-backported tbb-regression type::defect version::sbws unspecified labels

This issue has been discovered on TOR Browser version 8.0a9 alpha channel.

Trac:
Username: tor-user-1234

Does that work with NoScript in an unmodified Firefox 60 ESR (see: https://www.mozilla.org/en-US/firefox/organizations/all/ for some binaries to test)? Could you give us steps to reproduce as it seems you need to modify some Tor Browser settings to hit this bug? And I assume saving per-site permissions works in Tor Browser 7.5.6?

Trac:
Component: Core Tor to Applications/Tor Browser
Status: new to needs_information
Owner: N/A to tbb-team

From #27469 (moved):

After unchecking the "script" box under DEFAULT in NoScript's General options, closing Tor Browser and then restarting it, the "script" box is checked, as it was when Tor Browser (version 8.0) was first started. In general, it appears options are not save across sessions.

And this seems to work in vanilla Firefox.

Trac:
Keywords: N/A deleted, tbb-regression, tbb-8.0-issues added
Summary: NoScript plugin does not save per-site permissions when tor browser closes to NoScript plugin does not save per-site permissions/settings when tor browser closes
Cc: N/A to tor8888

#27504 (moved) is a duplicate.

Trac:
Cc: tor8888 to tor8888, mfD1TuzasD32GvaI3mh6
Status: needs_information to new

Trac:
Priority: Medium to High

Replying to tor-user-1234:

When I re-open the TOR Browser, any of the previously saved NoScript plugin per-site permissions are gone and I have to set all per-site permissions again. Actually, it's good as New Identity doesn't clear them now :(

Trac:
Username: reportUrl

It is possible to implement a modified security slider mechanism that would allow NoScript to retain per-site settings. But the question is whether it is actually desirable to do this, as saving per-site settings would (1) violate disk hygiene and (2) serve as a long-term fingerprinting vulnerability (at least, as long as NoScript is not first-party isolated).

Replying to arthuredelstein:

It is possible to implement a modified security slider mechanism that would allow NoScript to retain per-site settings. But the question is whether it is actually desirable to do this, as saving per-site settings would (1) violate disk hygiene and (2) serve as a long-term fingerprinting vulnerability (at least, as long as NoScript is not first-party isolated).

So, you are arguing that this is a feature of Tor Browser 8 and we should keep the status quo?

I think it should be possible to save NoScript preferences across sessions. After upgrading from 7.x where this seemed to be the case it is irritating to have to disable scripts each time on sites where you do not want scripts running. I understand that this can be used for fingerprinting, so perhaps the slider idea is the best, and the option is opt-in.

Is there a temporary workaround? Other addons I have installed (yes I am aware of the risks) keep settings across sessions.

Trac:
Username: donnm

Replying to gk:

Replying to arthuredelstein:

It is possible to implement a modified security slider mechanism that would allow NoScript to retain per-site settings. But the question is whether it is actually desirable to do this, as saving per-site settings would (1) violate disk hygiene and (2) serve as a long-term fingerprinting vulnerability (at least, as long as NoScript is not first-party isolated).

So, you are arguing that this is a feature of Tor Browser 8 and we should keep the status quo?

Well, feature is too strong a word because it happened more or less incidentally as a result of NoScript's new architecture. :) And given the current UI of NoScript, it's very confusing to users because it looks as though per-site settings in NoScript should persist.

But, yes, I am very hesitant to give users the means to persist their per-site settings, especially when the per-site settings are not first-party isolated. If a user decides to whitelist Google, then every website that embeds a Google ad can detect this. I am even worried about an opt-in solution because users often don't properly understand the downsides.

At the same time, I also sympathize with donnm's comment:9 that it is inconvenient to have to redo per-site settings each time Tor Browser is restarted.

Only some comments:

Replying to arthuredelstein:

But, yes, I am very hesitant to give users the means to persist their per-site settings, especially when the per-site settings are not first-party isolated. ABE in NoScript 5 was able to implement first-party-keyed policy. If a user decides to whitelist Google, then every website that embeds a Google ad can detect this. I am even worried about an opt-in solution because users often don't properly understand the downsides. It also had this "Block scripting in whitelisted subdocuments of non-whitelisted pages" setting, which is not first-party isolation/keying but related (and I think similar to the kind of problem decomposition used by uMatrix). I wonder how it's handled now. At the same time, I also sympathize with donnm's comment:9 that it is inconvenient to have to redo per-site settings each time Tor Browser is restarted. I use the highest level in torbutton slider and I don't care about persisting the per-site policy, I always keep the whitelist empty and only very seldom use temporary permissions which are revoked once done with the page Certainly "new identity" must also at least clear all temporary permissions. However, there were at least in NoScript 5 many other configuration knobs that applied globally and which I used to tighten with respect to vanilla TOr Browser (yes, I know that changed my profile). Maybe there should be a way to persist at least that kind of settings.

Trac:
Username: cypherpunks_reply

Below is a patch for review. It introduces a pref, "extensions.torbutton.noscript_persist" that is disabled by default. When enabled, it allows per-site settings to be persisted in NoScript. Note that, even with the pref enabled, if the user changes the security slider setting, all custom per-site settings are lost.

However, enabling this pref is dangerous in my opinion and should only be used with caution.

https://github.com/arthuredelstein/torbutton/commit/27175

Trac:
Keywords: N/A deleted, TorBrowserTeam201809R added
Status: new to needs_review

Okay, this works for me and the code looks good to me as well. I had to resolve some conflicts due to #27760 (moved) landing earlier but that should be fine.

Commit 461b828c70bb85501db99fdf077af71b69ef7e0a on master has the fix.

Trac:
Status: needs_review to closed
Resolution: N/A to fixed
Keywords: N/A deleted, tbb-backport added

#27823 (moved) is a duplicate.

Trac:
Cc: tor8888, mfD1TuzasD32GvaI3mh6 to tor8888, mfD1TuzasD32GvaI3mh6, One, Sock

Resolved #28171 (moved) as a duplicate.

Trac:
Cc: tor8888, mfD1TuzasD32GvaI3mh6, One, Sock to tor8888, mfD1TuzasD32GvaI3mh6, One, Sock, Questor

That's commit d0adb5ad47e97e2143bac6595084a33e6355acb8 on maint-2.0 now and will make it into 8.0.5.

Trac:
Keywords: tbb-backport deleted, tbb-backported added

This issie back again in 8.0.6.

Trac:
Username: asherh4x
Version: N/A to sbws: unspecified

For those reading this ticket in the far future: go to about:config and set your extensions.torbutton.noscript_persist option. But be aware of the risks, too!