Tor Browser 8 enables JS in local files even when JS is disabled by default
Tor Browser 8.0 enables JS when opening local files, even when JavaScript is disabled by default. For example, the following test file:
Page with JS
would not display the message in version 7.5 or older when NoScript is set to "disable scripts globally", but in 8.0 the script will run and display the message. The only way to avoid this behavior seems to be setting javascript.enabled = false in about:config, but this disables JavaScript entirely.
This potentially allows tracking of users who saved some web pages with tracking JS code to review locally later on, and then opened them in TB, thinking that, since they set JS to be disabled by default in their browser, this will also hold true for any local files, especially considering the fact that this is how it used to work until now.
Trac:
Username: pf.team
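A check a user could run on saved pages before opening them locally, given the behaviour reported above. This is an added example, not part of the original ticket or of Tor Browser; the names `ScriptAudit` and `audit_html` and the sample page are constructed for illustration, and it goes slightly beyond the ticket by also flagging event-handler attributes and `javascript:` URLs.

```python
import sys
from html.parser import HTMLParser


class ScriptAudit(HTMLParser):
    """Collect constructs that run JavaScript when a saved page is opened."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, kind, detail)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = [(name, value or "") for name, value in attrs]
        if tag == "script":
            src = dict(attrs).get("src")
            kind = "external script" if src else "inline script"
            self.findings.append((line, kind, src or ""))
        for name, value in attrs:
            # Conservative: any on* attribute is treated as an event handler.
            if name.startswith("on"):
                self.findings.append((line, "event handler", name))
            elif (name in ("href", "src", "action")
                  and value.strip().lower().startswith("javascript:")):
                self.findings.append((line, "javascript: URL", name))


def audit_html(text):
    """Return the script-bearing constructs found in an HTML document."""
    parser = ScriptAudit()
    parser.feed(text)
    parser.close()
    return parser.findings


# Constructed sample of a saved page, not taken from the ticket.
SAMPLE = """<html><head><title>Saved page</title>
<script src="https://tracker.example/t.js"></script>
</head><body onload="init()">
<script>document.title = "ran";</script>
<a href="javascript:void(0)">link</a>
<p>plain text</p>
</body></html>"""

if __name__ == "__main__":
    # Usage: python audit.py saved1.html saved2.html ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line, kind, detail in audit_html(fh.read()):
                print(f"{path}:{line}: {kind} {detail}".rstrip())
```

A file with no findings contains no markup that would execute script; any external-script finding names a host the browser would contact if scripts run.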