NoScript remembers settings on browser quit
Despite having "extensions.torbutton.noscript_persist" set to "false", NoScript still remembers trusted sites after quitting the browser. I'm using safest security settings on Debian 10.
This is a big privacy risk because I accidentally created a unique ruleset this way.
Trac:
Username: kromek
Activity
Replying to kromek:
UPDATE: It seems to reproduce the issue, you have to allow restrictions globally and restart the browser. It will still have disabled restrictions, and from now on, even if you enable restrictions again, it will start remembering ruleset of websites you set to TRUSTED.
What do you mean by "allow restrictions globally"? Could you give us complete steps to reproduce this issue?
Trac:
Status: new to needs_information
Replying to gk:
Replying to kromek:
UPDATE: It seems to reproduce the issue, you have to allow restrictions globally and restart the browser. It will still have disabled restrictions, and from now on, even if you enable restrictions again, it will start remembering ruleset of websites you set to TRUSTED.
What do you mean by "allow restrictions globally"? Could you give us complete steps to reproduce this issue? Sorry, I meant like this:
- Disable restrictions globally (the S! button)
- restart the browser
- restrictions will still be disabled globally (they shouldn't be), so undo that manually
- go to any website and make it TRUSTED (permanently, not temp.)
- restart the browser and visit the website again: it will still be trusted and JS enabled for it
Trac:
Username: kromek-
Closing #32337 (moved) as duplicate.
Trac:
Version: Tor: 0.4.2.3-alpha to N/A
Component: Applications to Applications/Tor Browser -
Replying to sysrqb:
Did this only begin in Tor Browser 9? Did you upgrade from Tor Browser 8.5 or is this a new installation? Yes, it began in Tor Browser 9. Previously the issue was non-existent. It remains a bug in 9.0.1. It happens in new "installation" which in my case is unpacking the TBB on Debian.
Trac:
Username: kromek kromec said:
even if you enable restrictions again, it will start remembering ruleset of websites you set to TRUSTED.
Tor Browser remembers TRUSTED websites regardless whether disable restrictions globally was set before. This behaviour is reproducible on a clean Tor Browser install:
- Launch Tor Browser and visit any website
- Set the website to TRUSTED
- Close and restart Tor Browser and visit the website again, the website is still set to trusted. The setting persists through reboot.
The same is true for giving permissions in NoScript's Options.
- Launch Tor Browser on safest level
- Click the NoScript icon and in the left menu, go to Options
- General --> Preset customization, check one or more item (scripts, media, whatever)
- Close and restart Tor Browser, the permissions are preserved. This is not reflected in the security settings or shield icon at all, both still show "safest". This will also survive reboot.
Tor Browser will reset itself after changing the security level repeatedly though (true for both scenarios).
Same as kromec, extensions.torbutton.noscript_persist is set to false, Override Tor Browser's Security Level preset is not checked.
OS is Debian bullseye/sid
This is a bug, and it should be fixed, but the NoScript configuration settings are hidden in Tor Browser for a reason. NoScript's settings should only be changes through the security slider.
Of course, some people change the settings manually, and when that leaks information the problem should be fixed.
Trac:
Status: needs_information to new
Priority: High to Medium
Keywords: TorBrowserTeam202002 deleted, TorBrowserTeam202003 added-
Can someone double-check whether that is still an issue with the latest NoScript (>= 11.0.30)? This bug might have been fixed with #29957 (moved).
Trac:
Status: new to needs_information mentioned in issue #32337 (moved)
