Torbutton/Noscript plugin settings ambiguous to user
Software: Tor Browser 3.5.1

The recent changes to Torbutton/Tor Browser leave the user confused. Opening the NoScript Options menu, under Embeddings, shows that no embedding type is being blocked (i.e. Flash/Silverlight/Java/other plugins).
Yet the Torbutton documentation claims to block all plugins. This may lead the user to false conclusions.
https://www.torproject.org/projects/torbrowser/design/#DesignRequirements

"Disabling plugins: Plugins have the ability to make arbitrary OS system calls and bypass proxy settings. This includes the ability to make UDP sockets and send arbitrary data independent of the browser proxy settings.
Torbutton disables plugins by using the @mozilla.org/plugin/host;1 service to mark the plugin tags as disabled. This block can be undone through both the Torbutton Security UI, and the Firefox Plugin Preferences.
If the user does enable plugins in this way, plugin-handled objects are still restricted from automatic load through Firefox's click-to-play preference plugins.click_to_play.
In addition, to reduce any unproxied activity by arbitrary plugins at load time, and to reduce the fingerprintability of the installed plugin list, we also patch the Firefox source code to prevent the load of any plugins except for Flash and Gnash."
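The design document excerpt above describes plugin blocking as layered settings: plugin tags marked disabled through the plugin host service, and the plugins.click_to_play preference on top of that. Because the ticket's complaint is that two UIs disagree about the effective state, a practical check is to read the profile's prefs.js directly rather than trusting either dialog. The following script is an added example and is not code from Tor Browser, Torbutton, NoScript or this ticket: it assumes the standard `user_pref("name", value);` line format of prefs.js, and the plugin.state.* preference names with their 0/1/2 meaning, as well as the sample prefs.js content, are assumptions constructed for illustration.

```python
import re

# One prefs.js entry looks like: user_pref("name", value);
# Values are true/false, an integer, or a double-quoted string with backslash escapes.
PREF_LINE = re.compile(
    r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);\s*$'
)

# Assumed meaning of the plugin.state.* integer values (Firefox plugin enabledState).
PLUGIN_STATES = {0: "disabled", 1: "click-to-play", 2: "enabled"}


def _unescape(s):
    # Resolve backslash escapes such as \" inside a quoted prefs.js string.
    return re.sub(r'\\(.)', r'\1', s)


def _decode(raw):
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"'):
        return _unescape(raw[1:-1])
    return int(raw)


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref(...) line in a prefs.js body.
    Comment lines and anything not matching the entry format are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[_unescape(m.group(1))] = _decode(m.group(2))
    return prefs


def plugin_report(prefs):
    """Summarise the plugin-related preferences of a parsed profile.
    prefs.js stores only values that differ from the browser's compiled-in
    default, so a missing key means the default applies, not that the
    feature is off; click_to_play is therefore reported as None when unset."""
    states = {}
    for name, value in prefs.items():
        if name.startswith("plugin.state."):
            states[name] = PLUGIN_STATES.get(value, "unknown(%r)" % (value,))
    return {
        "click_to_play": prefs.get("plugins.click_to_play"),
        "plugin_state": states,
    }


# Constructed sample profile content, assumed for this example only.
SAMPLE_PREFS = r'''// Mozilla User Preferences
user_pref("plugins.click_to_play", true);
user_pref("plugin.state.flash", 0);
user_pref("plugin.state.java", 1);
user_pref("browser.startup.homepage", "about:tor");
user_pref("example.escaped", "value with \"quotes\" and );");
'''

if __name__ == "__main__":
    import sys
    # Usage: python audit_prefs.py /path/to/profile/prefs.js  (no argument: sample data)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PREFS
    report = plugin_report(parse_prefs(text))
    print("plugins.click_to_play:", report["click_to_play"])
    for name, state in sorted(report["plugin_state"].items()):
        print("%s: %s" % (name, state))
```

Run against a real profile the output shows what the browser will actually do with plugins, independent of what either the Torbutton or NoScript dialog displays; where the two UIs disagree, this is the value the user's anonymity actually depends on.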
Essentially, the design document states that the user should only be able to enable Flash, and only through the Torbutton UI. The NoScript UI for embeddings is therefore confusing and redundant. This could cause the user to draw false conclusions about the behavior of the browser, compromising their anonymity.
This is the classic user interface design problem of having two places to change one setting, and it usually indicates a defect in the design.