[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #3975 [Tor Browser]: NoScript is not configured to "Forbid "Web Bugs"" on "Untrusted" web sites
#3975: NoScript is not configured to "Forbid "Web Bugs"" on "Untrusted" web sites
-------------------------+--------------------------------------------------
Reporter: joyton | Owner: mikeperry
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Keywords: | Parent:
Points: | Actualpoints:
-------------------------+--------------------------------------------------
Comment(by mikeperry):
By default we try to use NoScript in a minimal sense, because we don't
believe in a filter-based approach to security. We never enabled this
particular option because what the hell is a "Web Bug"? I imagine it is a
0x0 hidden pixel element. However, there could also be a broader
definition that covers any number of items. For example, if everyone in
the world blocked "Web bugs", those using them to undermine privacy would
simply move to a new technique (such as empty CSS style sheets, or
XMLHTTPRequest pings, or ???). Then, NoScript would have to block that.
The leads to an escalating scenario where more and more web content types
get blocked.
Sure, the "Block Web Bugs" checkbox probably doesn't damage much on the
web now, but
clicking the checkbox commits us to the fallout of whatever arms race
ensues for it that the NoScript guy has to fight.
Instead, we have opted to prevent third party content elements from being
able to transmit linkabile identifiers in the first place. See:
https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-
track-vs-real-privacy-design
Also, you may want to track #3812 if these decisions interest you.
I like your other bugs though, very glad to have the help!
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3975#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs