[Whonix-devel] #31798 [Applications/Tor Browser]: wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Sep 19 09:59:14 CEST 2019
#31798: wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor
Browser
-----------------------+------------------------------------------
Reporter: adrelanos | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Component: Applications/Tor Browser
Version: | Severity: Normal
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------+------------------------------------------
Noscript, file
{{{
{73a6fe31-595d-460b-a920-fcc0f8843232}
}}}
full path
{{{
tor-browser/Browser/TorBrowser/Data/Browser/profile.default/browser-
extension-data/{73a6fe31-595d-460b-a920-fcc0f8843232}
}}}
when extracted contains file
{{{
common/Policy.js
}}}
which contains a list of websites.
{{{
addons.mozilla.org
afx.ms ajax.aspnetcdn.com
ajax.googleapis.com bootstrapcdn.com
code.jquery.com firstdata.com firstdata.lv gfx.ms
google.com googlevideo.com gstatic.com
hotmail.com live.com live.net
maps.googleapis.com mozilla.net
netflix.com nflxext.com nflximg.com nflxvideo.net
noscript.net
outlook.com passport.com passport.net passportimages.com
paypal.com paypalobjects.com
securecode.com securesuite.net sfx.ms tinymce.cachefly.net
wlxrs.com
yahoo.com yahooapis.com
yimg.com youtube.com ytimg.com
}}}
Related source code:
{{{
function defaultOptions() {
return {
sites:{
trusted
}}}
File
{{{
legacy/defaults.js
}}}
is similar.
Under [https://forums.whonix.org/t/noscript-with-security-slider-at-
safest-permits-around-30-sites/8160 conditions] which are not clear to be
yet how to reproduce this can lead to white listing these websites in
noscript even though Tor Browser security slider is set to maximum.
It's arguable if addons.mozilla.org should be whitelisted by default (I
won't argue about it) but for sure netflix, paypal, youtube and others
don't deserve special treatment by Tor Browser. Obvious tracking and
security risk.
Looks like pressing the reset button in noscript also results in setting
these websites to trusted by default in noscript.
Therefore, please kindly consider to remove that whitelist from noscript.
Additional suggestions:
* Have a unit test that greps the source code for (these) websites so
these aren't reintroduced in later (noscript) add-on versions.
* Report to upstream (noscript).
Related:
https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-
zendcdn-net/
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31798>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the Whonix-devel
mailing list