GitLab

A large number of our users seem to be confused about the state of JavaScript in TBB. We leave it enabled for usability reasons, but ship with NoScript in the toolbar to make it easy to disable. This might not be enough for people who start TBB with incorrect assumptions/word-of-mouth rumors about its defaults.

Roger suggested a possible way forward is to create a Security Slider on the Tor Launcher first launch page and the Torbutton settings that allows people to trade off between "Most Usable" on one end, and "Most Secure" on the other end. We want to minimize the number of positions on this slider to avoid fingerprinting, but a small number of slider positions (3-4) that set several settings underneath shouldn't be too bad:

• Position 0: Current TBB defaults (Most usable)
• Position 1: Javascript is disabled for all non-https URLS
• Position 2: HTML5 media and fonts click-to-play/disabled
• Position 3: All scripts and media are disabled (Most secure)

We might even want to combine positions 1+2. Unclear.