NoScript is not configured to "Forbid "Web Bugs"" on "Untrusted" web sites
As the title says, using most current TBB with Tor v0.2.2.32 Noscript is not configured to block web bugs under the "Advanced > Untrusted" tab. That seems unwise ...
Trac:
Username: joyton
Activity
By default we try to use NoScript in a minimal sense, because we don't believe in a filter-based approach to security. We never enabled this particular option because what the hell is a "Web Bug"? I imagine it is a 0x0 hidden pixel element. However, there could also be a broader definition that covers any number of items. For example, if everyone in the world blocked "Web bugs", those using them to undermine privacy would simply move to a new technique (such as empty CSS style sheets, or XMLHTTPRequest pings, or ???). Then, NoScript would have to block that. The leads to an escalating scenario where more and more web content types get blocked.
Sure, the "Block Web Bugs" checkbox probably doesn't damage much on the web now, but clicking the checkbox commits us to the fallout of whatever arms race ensues for it that the NoScript guy has to fight.
Instead, we have opted to prevent third party content elements from being able to transmit linkabile identifiers in the first place. See: https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-track-vs-real-privacy-design
Also, you may want to track #3812 (closed) if these decisions interest you.
I like your other bugs though, very glad to have the help!
-
Also, as the config of our bundles is technically Erinn's domain, I'll leave it to her to make the call to close this one.
joyton: If you've reviewed the NoScript web bug feature and/or otherwise vehemently disagree, we'd still love to hear it.
Trac:
Owner: mikeperry to erinn
Status: new to assigned
Component: Tor Browser to Tor bundles/installation
