Opened 13 months ago

Last modified 13 months ago

#31798 new defect

wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser

Reported by: adrelanos
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: whonix-devel@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Noscript, file


full path


when extracted contains file


which contains a list of websites.

Related source code:

  function defaultOptions() {
    return {



is similar.

Under conditions that are not yet clear to me (nor how to reproduce them), this can lead to whitelisting these websites in NoScript even though the Tor Browser security slider is set to maximum.

It's arguable if should be whitelisted by default (I won't argue about it) but for sure netflix, paypal, youtube and others don't deserve special treatment by Tor Browser. Obvious tracking and security risk.

Looks like pressing the reset button in noscript also results in setting these websites to trusted by default in noscript.

Therefore, please kindly consider removing that whitelist from noscript.

Additional suggestions:

  • Have a unit test that greps the source code for (these) websites so these aren't reintroduced in later (noscript) add-on versions.
  • Report to upstream (noscript).
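
One way to implement the suggested check, as an added example that is not part of the ticket or of NoScript's code: it scans the text files inside an add-on archive (an XPI is a zip) for the site names in the ticket title. The member paths, file contents and the `trusted` key are constructed for illustration, and limiting the scan to text suffixes is an assumption.

```python
import io
import re
import zipfile

# Names from the ticket title; the real list would be copied from the add-on's defaults.
FORBIDDEN_SITES = ("netflix", "paypal", "youtube")
TEXT_SUFFIXES = (".js", ".json", ".html", ".css")

# Constructed sample add-on contents; paths and file bodies are hypothetical.
SAMPLE_FILES = {
    "hypothetical/defaults.js": (
        "function defaultOptions() {\n"
        "  return {\n"
        '    trusted: ["Netflix.com", "paypal.com"],\n'
        "  };\n"
        "}\n"
    ),
    "hypothetical/ui.js": "// no site names here\n",
    "icons/logo.png": b"\x89PNG youtube",  # binary member, not scanned
}


def build_xpi(files):
    """Pack a dict of {path: contents} into XPI (zip) bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for path, body in files.items():
            archive.writestr(path, body)
    return buf.getvalue()


def find_site_mentions(xpi_bytes, sites=FORBIDDEN_SITES):
    """Return (member, line number, site) tuples for every mention in text members."""
    pattern = re.compile("|".join(re.escape(s) for s in sites), re.IGNORECASE)
    hits = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as archive:
        for name in sorted(archive.namelist()):
            if not name.lower().endswith(TEXT_SUFFIXES):
                continue
            text = archive.read(name).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                hits += [(name, lineno, m.group(0).lower()) for m in pattern.finditer(line)]
    return hits


if __name__ == "__main__":
    for member, lineno, site in find_site_mentions(build_xpi(SAMPLE_FILES)):
        print(f"{member}:{lineno}: mentions {site}")
```

A build step would fail whenever `find_site_mentions` returns a non-empty list for the add-on being bundled.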



Change History (6)

comment:1 Changed 13 months ago by cypherpunks

you messed with noscript; now you're fckd?

comment:2 Changed 13 months ago by gk

We won't consider this unless we ship our own version of NoScript, which is currently not planned for the near future. We might even think about integrating just the security-settings related feature in the browser itself. Not sure yet. Meanwhile it would be helpful to understand why those issues only happen in Whonix so far and get some steps to reproduce.

We deliberately took the NoScript button off the toolbar to make it harder for users to shoot themselves in the foot. Not sure what Whonix does, but it's highly recommended to do the same.

comment:3 Changed 13 months ago by adrelanos

noscript [feature request] environment variable to clear default whitelist

Maybe someone could submit a patch to noscript?

comment:4 Changed 13 months ago by toholdaquill

The use case for enabling per-site permissions via NoScript in Tor Browser is as follows.

Let's say you visit You want to enable and, but not Using the Tor security slider, this level of fine-grained permissions is not possible.

comment:5 in reply to:  3 Changed 13 months ago by adrelanos

Replying to adrelanos:

noscript [feature request] environment variable to clear default whitelist

Got answer:

Sorry but there is currently no way for a WebExtension to read environment variables.

Replying to gk:

Meanwhile it would be helpful to understand why those issues only happen in Whonix so far and get some steps to reproduce.

It's not 100% reproducible yet.

I've been using Tor Browser 8.5.5. I've enabled git version control for the Tor Browser folder so I can easily simulate a first start of Tor Browser using git clean -dff ; git reset --hard ; git status.

On Debian buster.

Create folder /usr/share/homepage/whonix-welcome-page.

sudo mkdir -p /usr/share/homepage/whonix-welcome-page

Open file /usr/share/homepage/whonix-welcome-page/whonix.html with root rights.

sudoedit /usr/share/homepage/whonix-welcome-page/whonix.html


<!DOCTYPE html>


Start Tor Browser.

TOR_NO_DISPLAY_NETWORK_SETTINGS=1 TOR_SKIP_LAUNCH=1 ./start-tor-browser.desktop /usr/share/homepage/whonix-welcome-page/whonix.html

Tor Browser menu -> addons -> noscript -> preferences -> per site permissions

You'll see noscript's default permissive websites enabled.

What I can say with more certainty is what helps to avoid triggering this bug:

  • not using a local browser start page
  • not passing a local browser start page as command line parameter
  • not setting environment variable TOR_DEFAULT_HOMEPAGE

Previously in Whonix I managed to nail down setting TOR_SKIP_CONTROLPORTTEST=1 to trigger the bug vs unset TOR_SKIP_CONTROLPORTTEST to avoid the bug.

Too many environment variables causing this?

Could be a race condition in noscript?

comment:6 Changed 13 months ago by cypherpunks

Possibly related to #31580.

It's also worth noting that xss/Exceptions.js contains exceptions for some websites like youtube too. lib/restricted.js looks like it contains exceptions for a few mozilla domains and It links to
