Opened 15 months ago

Closed 11 months ago

Last modified 11 months ago

#27881 closed defect (not a bug)

NoScript initial configuration bug?

Reported by: simplestuf
Owned by:
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: simple
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I'm using Tor Browser 8.0.1 (based on Mozilla Firefox 60.2.0esr) (64-bit), on OSX Yosemite 10.10.5.

When I open Tor Browser, go to the Add-ons Manager, and then open NoScript preferences, the starting configuration under the General Tab is *always*:

To have *everything* enabled for the "DEFAULT" Preset customization (script, object, media, frame, font, webgl, fetch, other).
To have *everything* enabled for the "TRUSTED" Preset customization.
To have only media, frame and font enabled for the "UNTRUSTED" Preset customization.
The per-site permissions list is also empty.

After pressing the 'Reset' button:

I have frame, fetch and other enabled under "DEFAULT"
I have everything enabled under "TRUSTED"
I have nothing enabled under "UNTRUSTED"
I have a whole bunch of per-site permissions being included.

Regardless of whether Reset is pressed, or whether I adjust the settings myself, whenever Tor Browser is reopened, the same insecure initial configuration always reappears.

Only after permanently disabling the file download warning, I am able to export a NoScript configuration, and Import the generated file again after startup to return NoScript to my preferred settings. As always, the starting configuration after Tor Browser restart is the insecure state described above.

Change History (8)

comment:1 Changed 15 months ago by gk

Component: - Select a component → Applications/Tor Browser

Moving component

comment:2 Changed 11 months ago by gk

Status: new → needs_information

What exactly is the bug report about here? (I am confused and it seems to me there is more than one issue complained about in the description.)

comment:3 Changed 11 months ago by gk

Cc: simple added

#29014 is a duplicate.

comment:4 in reply to:  2 ; Changed 11 months ago by simple

Replying to gk:

> What exactly is the bug report about here? (I am confused and it seems to me there is more than one issue complained about in the description.)

When tor browser is opened, no sites are listed as 'Untrusted' and 'Default' sites (which is every site) have everything allowed. Hence Noscript is completely useless unless one bothers to look into the settings and fix things up before starting to browse.

comment:5 in reply to:  4 ; Changed 11 months ago by gk

Resolution: not a bug
Status: needs_information → closed

Replying to simple:

> Replying to gk:

> > What exactly is the bug report about here? (I am confused and it seems to me there is more than one issue complained about in the description.)

> When tor browser is opened, no sites are listed as 'Untrusted' and 'Default' sites (which is every site) have everything allowed. Hence Noscript is completely useless unless one bothers to look into the settings and fix things up before starting to browse.

That's not a bug but expected. We use NoScript to get the properties of our "safer" and "safest" security mode we want. On the level "standard" you should get the most usable browsing experience, which means the least amount of website breakage due to disabled features we can provide.

comment:6 in reply to:  5 ; Changed 11 months ago by simple

Replying to gk:

> Replying to simple:

> > Replying to gk:

> > > What exactly is the bug report about here? (I am confused and it seems to me there is more than one issue complained about in the description.)

> > When tor browser is opened, no sites are listed as 'Untrusted' and 'Default' sites (which is every site) have everything allowed. Hence Noscript is completely useless unless one bothers to look into the settings and fix things up before starting to browse.

> That's not a bug but expected. We use NoScript to get the properties of our "safer" and "safest" security mode we want. On the level "standard" you should get the most usable browsing experience, which means the least amount of website breakage due to disabled features we can provide.

There is no 'safer', 'safest' or 'standard' security modes that I can see within the noscript settings, or within Tor Browser Preferences under 'General' or 'Privacy and Security'. If your 'standard' security mode does exist somewhere, it does not correspond with noscript's default values as obtained by pressing the 'reset' button in noscript preferences.

Also, this is a change that took place under a fairly recent Tor Browser update: Tor Browser didn't previously start in this insecure noscript initial state.

Last edited 11 months ago by simple

comment:7 in reply to:  6 ; Changed 11 months ago by gk

Replying to simple:

> Replying to gk:

> > Replying to simple:

> > > Replying to gk:

> > > > What exactly is the bug report about here? (I am confused and it seems to me there is more than one issue complained about in the description.)

> > > When tor browser is opened, no sites are listed as 'Untrusted' and 'Default' sites (which is every site) have everything allowed. Hence Noscript is completely useless unless one bothers to look into the settings and fix things up before starting to browse.

> > That's not a bug but expected. We use NoScript to get the properties of our "safer" and "safest" security mode we want. On the level "standard" you should get the most usable browsing experience, which means the least amount of website breakage due to disabled features we can provide.

> There is no 'safer', 'safest' or 'standard' security modes that I can see within the noscript settings, or within Tor Browser Preferences under 'General' or 'Privacy and Security'. If your 'standard' security mode does exist somewhere, it does not correspond with noscript's default values as obtained by pressing the 'reset' button in noscript preferences.

You can find the security slider behind the onion toolbar item -> Security Settings... We are currently in the process of redesigning that part to make it both available on the toolbar and the Firefox preferences, see #25658.

And, yes, the intention is not to emulate or use NoScript's default settings.

> Also, this is a change that took place under a fairly recent Tor Browser update: Tor Browser didn't previously start in this insecure noscript initial state.

It always started in a non-default mode, e.g. with scripts enabled etc. The particular way of the initial state might have changed with the NoScript WebExtensions version but, as I said, that's not relevant for us as we need NoScript mainly for managing our "safer" and "safest" modes.

comment:8 in reply to:  7 Changed 11 months ago by simple

> > There is no 'safer', 'safest' or 'standard' security modes that I can see within the noscript settings, or within Tor Browser Preferences under 'General' or 'Privacy and Security'. If your 'standard' security mode does exist somewhere, it does not correspond with noscript's default values as obtained by pressing the 'reset' button in noscript preferences.

> You can find the security slider behind the onion toolbar item -> Security Settings... We are currently in the process of redesigning that part to make it both available on the toolbar and the Firefox preferences, see #25658.

> And, yes, the intention is not to emulate or use NoScript's default settings.

Thanks for the info.

> > Also, this is a change that took place under a fairly recent Tor Browser update: Tor Browser didn't previously start in this insecure noscript initial state.

> It always started in a non-default mode, e.g. with scripts enabled etc. The particular way of the initial state might have changed with the NoScript WebExtensions version but, as I said, that's not relevant for us as we need NoScript mainly for managing our "safer" and "safest" modes.

Previously I could trust Tor Browser to have noscript active from the outset, and I think this would be everyone's expectation. Putting the browser in an insecure default state where noscript misleadingly does absolutely nothing is a bad decision. If anyone was using the browser to do anything that actually required some degree of privacy or security, the update discussed above would have seriously compromised them.
