Cascading of permissions does not seem to work properly in Tor Browser 8
On level "safer" of our security slider we want to prevent executing JavaScript if the URL bar domain is loaded over HTTP. That means even if embedded content is loaded over HTTPS it's not allowed to load and execute JavaScript that way. We used the cascadePermissions
and the globalHttpsWhitelist
prefs for that in the XPCOM NoScript.
This mechanism seems to be broken as e.g. HTTPS JavaScript can get loaded in a HTTP site context (as an example take http://www.worldstarhiphop.com/featured/131305).
This got noted on our blog: https://blog.torproject.org/comment/278987#comment-278987.