Opened 3 years ago

Closed 3 years ago

#3007 closed defect (not a bug)

NoScript configured to globally allow all scripts

Reported by: HG2G Owned by: erinn
Priority: critical Milestone:
Component: Tor bundles/installation Version:
Keywords: Cc:
Actual Points: Parent ID:
Points:

Description

Is the NoScript 'globally allow all scripts' an intentional configuration? If so I would suggest changing to not allowing scripts globally, if not for the obvious, then to prevent Google Analytics tracking:

When NoScipt is set to globally allow all scripts Google Analytics tracking is not blocked; see:
https://adblockplus.org/blog/the-wrong-way-to-deal-with-privacy-concerns
(especially this:) http://hackademix.net/2009/01/25/surrogate-scripts-vs-google-analytics/
https://adblockplus.org/forum/viewtopic.php?p=27886#p27886
http://www.unrest.ca/Net-Neutrality-and-The-Internet/google-analytics-opt-out-not-really

Child Tickets

Change History (4)

comment:1 Changed 3 years ago by HG2G

  • Component changed from Tor Browser to Tor bundles/installation
  • Owner changed from mikeperry to erinn

comment:2 Changed 3 years ago by HG2G

Edit:

TBB version 2.2.24-1 alpha, sorry I forgot to mention that in my report!

comment:3 Changed 3 years ago by mikeperry

We're not sure that disabling scripts globally is a good default option for people. We're trying really hard to engineer a default private browsing setup that does not rely on filters or feature breakage, but we may need some browser muscle to help things along:

https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-track-vs-real-privacy-design

Can you explain why you believe that this might not be possible? Ie, what is it specifically about Google Analytics that makes you think we can't deal with it by enhancing browser privacy in a general sense?

We provide NoScript mostly for the non-filter features it provides, such as click-to-play for media, webgl and plugins, XSS protection, remote font blockage, and so on. The ability to globally disable JS is also a bonus for the malware and exploit-laden corners of the web, but having JS disabled (or worse, filtered) by default doesn't seem very intuitive for new Tor users.

comment:4 Changed 3 years ago by mikeperry

  • Resolution set to not a bug
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.