GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened Sep 19, 2019 by adrelanos@adrelanos

wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser

Noscript, file

{73a6fe31-595d-460b-a920-fcc0f8843232}

full path

tor-browser/Browser/TorBrowser/Data/Browser/profile.default/browser-extension-data/{73a6fe31-595d-460b-a920-fcc0f8843232}

when extracted contains file

common/Policy.js

which contains a list of websites.

addons.mozilla.org
afx.ms ajax.aspnetcdn.com
ajax.googleapis.com bootstrapcdn.com
code.jquery.com firstdata.com firstdata.lv gfx.ms
google.com googlevideo.com gstatic.com
hotmail.com live.com live.net
maps.googleapis.com mozilla.net
netflix.com nflxext.com nflximg.com nflxvideo.net
noscript.net
outlook.com passport.com passport.net passportimages.com
paypal.com paypalobjects.com
securecode.com securesuite.net sfx.ms tinymce.cachefly.net
wlxrs.com
yahoo.com yahooapis.com
yimg.com youtube.com ytimg.com

Related source code:

  function defaultOptions() {
    return {
      sites:{
        trusted

File

legacy/defaults.js

is similar.

Under conditions which are not clear to me yet how to reproduce, this can lead to whitelisting these websites in noscript even though the Tor Browser security slider is set to maximum.

It's arguable if addons.mozilla.org should be whitelisted by default (I won't argue about it) but for sure netflix, paypal, youtube and others don't deserve special treatment by Tor Browser. Obvious tracking and security risk.

Looks like pressing the reset button in noscript also results in setting these websites to trusted by default in noscript.

Therefore, please kindly consider removing that whitelist from noscript.

Additional suggestions:

  • Have a unit test that greps the source code for (these) websites so these aren't reintroduced in later (noscript) add-on versions.
  • Report to upstream (noscript).

Related:

https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/
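
The unit test suggested above could look like the following shell check. It is an added example, not part of the original report and not NoScript or Tor Browser code. The function name, the subset of domains in the deny list, and the assumption that the add-on has already been unpacked into a directory are all assumptions.

```shell
#!/bin/sh
# Added example: fail a build when default-trusted site names reappear in an
# unpacked NoScript tree (e.g. common/Policy.js, legacy/defaults.js).

# Subset of the list quoted in the issue; extend as needed (assumption).
DENY_DOMAINS="netflix.com nflxext.com nflximg.com nflxvideo.net
paypal.com paypalobjects.com youtube.com ytimg.com"

# scan_trusted_defaults DIR [DOMAIN...]
# Prints file:line:text for every hit in *.js files under DIR.
# Returns 0 if clean, 1 if any domain was found, 2 on bad usage.
scan_trusted_defaults() {
    dir=$1
    [ -n "$dir" ] && [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    shift
    # Fall back to the built-in list when no domains are given.
    [ $# -gt 0 ] || set -- $DENY_DOMAINS
    hits=0
    for domain in "$@"; do
        # Escape dots so "paypal.com" cannot match "paypalXcom".
        esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
        # Require a non-hostname character on both sides so "live.com" does
        # not match "olive.com"; subdomains such as "www.paypal.com" still hit.
        pattern="(^|[^A-Za-z0-9-])${esc}(\$|[^A-Za-z0-9-])"
        # /dev/null forces grep to print the file name even for a single file.
        out=$(find "$dir" -type f -name '*.js' \
              -exec grep -inE -e "$pattern" /dev/null {} + 2>/dev/null) || true
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            hits=1
        fi
    done
    return "$hits"
}
```

Call `scan_trusted_defaults <unpacked-extension-dir>` from the build or CI job and treat a non-zero exit status as a failure.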

Reference: legacy/trac#31798