Opened 3 weeks ago

Closed 2 weeks ago

#30730 closed defect (wontfix)

Can't access right click menu for noscript w/o readding icon

Reported by: cypherpunks
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I posted this previously but because a different user of this account stirred the pot the ticket got closed. Please be civil in the comments, because apparently a slapfight in the comments is grounds to ignore legit technical discussions.

I'd like to point out it's unclear whether re-adding custom icons reduces anonymity. (Either through the usual weird fingerprinting exploits - can someone programmatically detect url bar length? That's an open question.)

Forcing us to add the NoScript icon back (and some people may put said icon in different places) is risky. Especially since people who are advanced enough to use safest probably have increased risks if fingerprinted or deanonymized.

Ex: if someone shares a screenshot it's something that makes them unique. (Ex: user collects something via Tor, shares with reporter, reporter shares screenshot, oppressive government notices both the leaked screenshots and the user's TBB setup have the icon placed to the left of the onion, whereas the other suspects either have no icon or have it in a different spot)

More importantly, if you right click then click "noscript" that menu only comes up if the button is in the toolbar. So you *have* to add the icon to use NS functionality.

Anyone who visits a social website may not want to use the "safer" security slider.

For example I maintain an anonymous social media account on a site with many external links - I do *not* trust every random thing linked to on the social media site, and strongly prefer to leave my browser on "safest" but allow only that site's JS, not everything it links to. I suspect there are many similar use cases where 1 site is trusted, but not the sites that may be linked to.

If the developers are deadset on removing the icon, I think at least we should be able to access that functionality via the right click menu as a compromise.

I think it's reasonable to ask that either the control be present in the toolbar for safest users, or that the right click context menu work for advanced users if clutter is the concern.

(Test for yourself on this page. Right click, then click "noscript". If there is no button in your toolbar, nothing appears)

Change History (6)

comment:1 Changed 3 weeks ago by cypherpunks

Sorry, should have tagged component as TBB

comment:2 Changed 3 weeks ago by gk

Component: - Select a component → Applications/Tor Browser
Owner: set to tbb-team

Yes, the NoScript icon in the context menu is a bug which we did not get fixed for 8.5. Removing it is tracked in #30730.

Regarding your anonymity concerns: well, as far as we know there is no way to detect the NoScript icon presence on the toolbar from websites. Remember as well that we still have a lot of users that have the search bar visible on their toolbar and probably a lot of other old things due to updating from older Tor Browser versions (even before esr52-based ones). Thus, the length of the urlbar is not helping here.

Yes, if you take screenshots you have to be careful and that's not in particular related to toolbar layout. It's OS details that leak e.g. or potentially a different theme or your toolbar layout or...

Dealing with NoScript settings is dangerous for a number of reasons (see: e.g. #26517) and not recommended unless you know what you are doing. This holds as well for making exceptions to the default security settings because that comes with a risk for fingerprinting users might underestimate (due to the pattern of whitelisted sites that are whitelisted for the whole browser session). I think if you are confident handling that risk dealing with re-adding the NoScript button to the toolbar (and potentially removing it if you really need to post a screenshot with your toolbar that already leaks details because it's a toolbar on a particular OS etc.) is in scope as well.

Thus, I am not convinced about doing the right-click workaround you suggested. We should rather fix #30730 and work on #30570.

comment:3 Changed 3 weeks ago by cyberpunks

> Yes, the NoScript icon in the context menu is a bug which we did not get fixed for 8.5. Removing it is tracked in #30730.

For clarity: Same cypherpunk as op here

I'm not sure I follow, isn't #30730 this thread?

I understand that JS is a complex thing and maybe we should make it an expert setting one must opt into bringing up in the menu. I agree hiding complexity but allowing experts to customize is a good design pattern.

Based on what you say, I'd agree it's not a huge deal if ppl add the icon in short term. (I'd love to see some kind of "factory reset" option, since at least in macOS it's a bit hard and takes some terminal doings to completely reset tor's appearance to default but that's a separate issue sorry to wander)

In long term, I'd prefer to be able to use the context menu rather than modify my browser.

(Right click -> NoScript -> whitelist specifics)

Not only for the admittedly niche issue of screenshots if custom icon added, but at higher level I think it's good to train users not to modify tor. I've seen troubling numbers of people post on places like Reddit they want to install extensions to "increase" their privacy and need to be talked out of it. Since not everyone understands diff between adding buttons and adding add ons might be a simple way to reinforce safe behavior.

Anyways apologies if not being clear, English not first language: I think that if no icon present, enabling the right click menu should be allowed. I recognize it is advanced, but for a site like Reddit (admittedly an edge case), you need some JS to run the site, but you don't want everything you visit out of Reddit to run JS.

Anyways, thanks for listening, have a good day

comment:4 in reply to:  3 Changed 3 weeks ago by gk

Replying to cyberpunks:

> > Yes, the NoScript icon in the context menu is a bug which we did not get fixed for 8.5. Removing it is tracked in #30730.

> For clarity: Same cypherpunk as op here

> I'm not sure I follow, isn't #30730 this thread?

Ugh, I meant #29886, sorry.

comment:5 Changed 3 weeks ago by cyberpunks

Thanks for the clarification

comment:6 in reply to:  3 Changed 2 weeks ago by gk

Resolution: wontfix
Status: new → closed

Replying to cyberpunks:

[snip]

> Based on what you say, I'd agree it's not a huge deal if ppl add the icon in short term. (I'd love to see some kind of "factory reset" option, since at least in macOS it's a bit hard and takes some terminal doings to completely reset tor's appearance to default but that's a separate issue sorry to wander)

> In long term, I'd prefer to be able to use the context menu rather than modify my browser.

I totally agree with you that those who don't have the icon but need it can add it back in the short term, while it is not a long-term solution to modify the browser. Using the context menu as you describe would be one option. However, that would get users back to NoScript's UI which can be confusing. We think we can do something better with #30570. Thus, I close this ticket as WONTFIX in favor of our plan.
