GitLab

Noscript, file

{73a6fe31-595d-460b-a920-fcc0f8843232}

full path

tor-browser/Browser/TorBrowser/Data/Browser/profile.default/browser-extension-data/{73a6fe31-595d-460b-a920-fcc0f8843232}

when extracted contains file

common/Policy.js

which contains a list of websites.

addons.mozilla.org
afx.ms ajax.aspnetcdn.com
ajax.googleapis.com bootstrapcdn.com
code.jquery.com firstdata.com firstdata.lv gfx.ms
google.com googlevideo.com gstatic.com
hotmail.com live.com live.net
maps.googleapis.com mozilla.net
netflix.com nflxext.com nflximg.com nflxvideo.net
noscript.net
outlook.com passport.com passport.net passportimages.com
paypal.com paypalobjects.com
securecode.com securesuite.net sfx.ms tinymce.cachefly.net
wlxrs.com
yahoo.com yahooapis.com
yimg.com youtube.com ytimg.com

Related source code:

  function defaultOptions() {
    return {
      sites:{
        trusted

File

legacy/defaults.js

is similar.

Under conditions which are not clear to be yet how to reproduce this can lead to white listing these websites in noscript even though Tor Browser security slider is set to maximum.

It's arguable if addons.mozilla.org should be whitelisted by default (I won't argue about it) but for sure netflix, paypal, youtube and others don't deserve special treatment by Tor Browser. Obvious tracking and security risk.

Looks like pressing the reset button in noscript also results in setting these websites to trusted by default in noscript.

Therefore, please kindly consider to remove that whitelist from noscript.

Additional suggestions:

• Have a unit test that greps the source code for (these) websites so these aren't reintroduced in later (noscript) add-on versions.
• Report to upstream (noscript).

Related:

https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/