Medium-High security enables HTTPS javascript despite noscript settings
- Set the security slider to "Medium-High"
- Using the noscript icon in the toolbar, turn on "Forbid Scripts Globally"
- Visit https://check.torproject.org/ - note "JavaScript is enabled"
If the slider is "High" or "Medium-Low", noscript works as expected. The "Javascript for HTTPS-only" behavior on Medium-High overrides the user's noscript settings.
I think the noscript setting should work independently from the security slider. But at the very least, it's a bug to have noscript saying javascript is blocked when it's actually enabled for all HTTPS.