Opened 8 years ago

Closed 8 years ago

#3975 closed defect (not a bug)

NoScript is not configured to "Forbid "Web Bugs"" on "Untrusted" web sites

Reported by: joyton Owned by: erinn
Priority: Medium Milestone:
Component: Applications/Tor bundles/installation Version:
Severity: Keywords:
Cc: jcrimby@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

As the title says, using most current TBB with Tor v0.2.2.32 Noscript is not configured to block web bugs under the "Advanced > Untrusted" tab. That seems unwise ...

Child Tickets

Change History (5)

comment:1 Changed 8 years ago by mikeperry

By default we try to use NoScript in a minimal sense, because we don't believe in a filter-based approach to security. We never enabled this particular option because what the hell is a "Web Bug"? I imagine it is a 0x0 hidden pixel element. However, there could also be a broader definition that covers any number of items. For example, if everyone in the world blocked "Web bugs", those using them to undermine privacy would simply move to a new technique (such as empty CSS style sheets, or XMLHTTPRequest pings, or ???). Then, NoScript would have to block that. The leads to an escalating scenario where more and more web content types get blocked.

Sure, the "Block Web Bugs" checkbox probably doesn't damage much on the web now, but
clicking the checkbox commits us to the fallout of whatever arms race ensues for it that the NoScript guy has to fight.

Instead, we have opted to prevent third party content elements from being able to transmit linkabile identifiers in the first place. See:
https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-track-vs-real-privacy-design

Also, you may want to track #3812 if these decisions interest you.

I like your other bugs though, very glad to have the help!

comment:2 Changed 8 years ago by mikeperry

Component: Tor BrowserTor bundles/installation
Owner: changed from mikeperry to erinn
Status: newassigned

Also, as the config of our bundles is technically Erinn's domain, I'll leave it to her to make the call to close this one.

joyton: If you've reviewed the NoScript web bug feature and/or otherwise vehemently disagree, we'd still love to hear it.

comment:3 Changed 8 years ago by joyton

Thanks Mike. That makes perfect sense. Sometimes us laypersons need people like the kinds Tor folks to explain these issues to us. I'm very pleased all of you are so kind.

comment:4 Changed 8 years ago by blooberr

Feature has been now removed from NoScript with version 2.2.4rc1:

From the change log:

  • Removed "Forbid Web Bugs", which cannot be reliably enforced anymore because of speculative parsing

comment:5 Changed 8 years ago by rransom

Resolution: not a bug
Status: assignedclosed
Note: See TracTickets for help on using tickets.