
Re: [tor-talk] problem reinstalling NoScript



On 10/4/2016 11:50 PM, krishna e bera wrote:
> On 04/10/16 10:03 PM, Joe Btfsplk wrote:
>> In TBB 6.0.5 (Win), NoScript 2.9.0.14 it seemed to be misbehaving.
>> It wasn't showing many trackers in the icon drop list, on sites where
>> there would be plenty.
>> I UNchecked "Allow Scripts Globally."
>>
>> I uninstalled it - closed TBB.  Removed NoScript entries in pref.js &
>> restarted TBB, then reinstalled fresh NS copy - 2 separate times.
>> Didn't fix it.
> Without seeing whatever was left in your TBB folder from previous
> self-updates and from other add-ons or from data saved during sessions,
> it is difficult to figure out what is going on.
>
> I gave up trying to manage separate addons and settings in TBB long ago
> because the interactions between parts are complex and more importantly
> every bug that came up could be fixed by
> removing the whole TBB directory and starting from scratch.

I see what it is now, that was allowing all 3rd party scripts, while scripts for the base domain were blocked. It's a NoScript setting that Tor devs put in the \Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\preference\extension-overrides.js file.

They enable the Pref "NoScript.CascadePermissions" - that corresponds to Options > Advanced > Trusted - *"Cascade top document's permissions to 3rd party scripts."*
In NoScript, it's disabled by default.
Note: The section title for these options is "Additional permissions for TRUSTED sites."

If you have scripts blocked globally, or just one base domain has scripts *blocked*, AND the option "Cascade...permissions..." is *checked*, scripts from the base domain are blocked but it allows ALL 3rd party scripts, even though the base domain is still blocked.

I doubt this is how most users expect this to work. I'm not sure Tor devs knew it works this way, when the base domain is blocked.
I hope they didn't know & didn't do this intentionally.

Even though the section says the settings are for "trusted" sites, I think this is a bug of sorts. Offhand, I can't think of a reason to block base domain scripts but allow all 3rd party. The main site probably won't work anyway.

If you *block* the base domain, then it's not trusted, in this context.
In that case, all 3rd party scripts below it should also be blocked. Seems logical that Cascading the permissions should be dependent on base domain being allowed (trusted). Lots of prefs are dependent on other conditions being met, or else the pref is inactive.

