Joe:
Many of these settings aren't brand new (some are fairly new), but I'm
not sure how some of these settings are actually used in NoScript.
If they are used "as is," or if settings in one file (say, defaults.js)
interact with or are overridden by other NS files. Has anyone seen
official explanations of how these sites shown as default or trusted
actually work in TBB?
All of these are from TBB 8.4, noscript 10.2.
To see the files / settings, you have to copy or extract the noscript
.xpi file to a different location (it has an alpha-numeric name:
{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi, from
profile.default/browser-extension-data).
These are from the NS /legacy/defaults.js file:
"mandatory": "[System+Principal] about:about:addons about:blocked
about:certerror about:config about:crashes about:feeds about:home
about:memory about:neterror about:plugins about:preferences
about:privatebrowsing about:sessionrestore about:srcdoc about:support
about:tabcrashed blob: chrome: mediasource: moz-extension:
moz-safe-about: resource:",
"default":"about:blank about:pocket-saved about:pocket-signup
addons.mozilla.org afx.ms ajax.aspnetcdn.com ajax.googleapis.com
bootstrapcdn.com code.jquery.com firstdata.com firstdata.lv gfx.ms
google.com googlevideo.com gstatic.com hotmail.com live.com live.net
maps.googleapis.com mozilla.net netflix.com nflxext.com nflximg.com
nflxvideo.net noscript.net outlook.com passport.com passport.net
passportimages.com paypal.com paypalobjects.com securecode.com
securesuite.net sfx.ms tinymce.cachefly.net wlxrs.com yahoo.com
yahooapis.com yimg.com youtube.com ytimg.com",
Note sites like google.com, googlevideo.com, hotmail.com,
maps.googleapis.com, paypal, yahoo & yahooapis.com and many others.
Are the legacy/defaults.js sites applied "as is" in TBB? Where is that
explained?
If they're allowed as shown, for example, I wouldn't want anything for
yahoo & their horrible security record, always enabled by default.
The following are from the noscript /common/Policy.js file. I only
scratched the surface:
    function defaultOptions() {
      return {
        sites: {
          trusted: `addons.mozilla.org
            afx.ms ajax.aspnetcdn.com
            ajax.googleapis.com bootstrapcdn.com
            code.jquery.com firstdata.com firstdata.lv gfx.ms
            google.com googlevideo.com gstatic.com
            hotmail.com live.com live.net
            maps.googleapis.com mozilla.net
            netflix.com nflxext.com nflximg.com nflxvideo.net
            noscript.net
            outlook.com passport.com passport.net passportimages.com
            paypal.com paypalobjects.com
            securecode.com securesuite.net sfx.ms tinymce.cachefly.net
            wlxrs.com
            yahoo.com yahooapis.com
            yimg.com youtube.com
            ytimg.com`.split(/\s+/).map(Sites.secureDomainKey),
          untrusted: [],
          custom: {},
        },
        DEFAULT: new Permissions(["frame", "fetch", "other"]),
        TRUSTED: new Permissions(Permissions.ALL),
        UNTRUSTED: new Permissions(),
        enforced: true,
        autoAllowTop: false,
      };
    }
Again, are these used "as is," or is there a reason they're shown here
as (always) trusted?
Many users wouldn't want some of them Trusted by default - maybe never.
No worries, Tor Browser does not trust those sites. I think your
confusion above stems from a misunderstanding: we use NoScript for a very
specific purpose, which is for helping us with our Security Slider,
while its default use in any other browser, say Firefox, is a quite
different one (giving you protections against scripts running etc.).
So, with that in mind, looking at the NoScript source alone for
inferring what it does in Tor Browser is not sufficient. You need at
least to look at our code controlling NoScript as well.[1]
Note also - Policy.js shows the Default tab permissions are only
supposed to be: "frame, fetch & other."
Every time I start TBB, *ALL permissions* are enabled again under the Default
tab, not just the 3 shown. NoScript 10 in Firefox saves custom settings
& only has the 3 permissions enabled under the Default tab.
Re: the permissions, yes, that's again because NoScript serves a
distinct purpose in Tor Browser (which is different from its default
usage in other browsers).
This was reported right after NS 10 landed in TBB & still not fixed.
Like users aren't supposed to touch them. NoScript saving settings
between sessions - if users choose - should be fairly simple. Most apps
outside of TBB allow it.
In TBB 8.0 - 8.4, backing up NS settings after changes still doesn't
work, but works OK in Firefox.
That's fixed in our alpha releases, provided you flip a preference.[2]
We plan to backport that fix, probably to the next stable, but won't
make it easier to mess with NoScript's settings as the risk to shoot
oneself in the foot by tweaking/"tuning" NoScript is pretty high.
Georg
[1] https://gitweb.torproject.org/torbutton.git/tree/src/modules/noscript-control.js
[2] https://trac.torproject.org/projects/tor/ticket/27175
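As an added example (not NoScript's, Tor Browser's, or either poster's code), the JavaScript below models how a policy shaped like the defaultOptions() quoted earlier resolves a single origin to a preset, so you can check which origins would actually get "script" under those shipped defaults. It assumes Sites.secureDomainKey is a "§:" prefix meaning https-only matching of the domain and its subdomains, and uses a constructed capability list in place of Permissions.ALL; in Tor Browser itself the torbutton noscript-control.js module [1] overrides these values.

```javascript
// Added example, not NoScript's or Tor Browser's code: a simplified model of how a
// policy shaped like the quoted defaultOptions() resolves one origin to a preset.
// Assumption: Sites.secureDomainKey is modelled as prefixing "§:", meaning the
// entry matches https:// origins of that domain and its subdomains only.
const SECURE_PREFIX = "§:";
const secureDomainKey = (d) => (d.includes(":") ? d : SECURE_PREFIX + d);

// Assumed (constructed) capability names standing in for Permissions.ALL.
const ALL_CAPS = ["script", "object", "media", "frame", "font", "webgl", "fetch", "ping", "other"];

// Constructed policy: a subset of the quoted trusted list, with the quoted presets.
function buildPolicy() {
  return {
    sites: {
      trusted: `google.com hotmail.com paypal.com yahoo.com yahooapis.com`
        .split(/\s+/).map(secureDomainKey),
      untrusted: [],
    },
    DEFAULT: new Set(["frame", "fetch", "other"]),
    TRUSTED: new Set(ALL_CAPS),
    UNTRUSTED: new Set(),
  };
}

// Does a site-list entry cover this origin? Secure keys only match https origins.
function entryMatches(entry, url) {
  const secureOnly = entry.startsWith(SECURE_PREFIX);
  const domain = secureOnly ? entry.slice(SECURE_PREFIX.length) : entry;
  if (secureOnly && url.protocol !== "https:") return false;
  const host = url.hostname;
  return host === domain || host.endsWith("." + domain);
}

// Resolve an origin to its preset name and the sorted capabilities it would get.
function resolve(policy, origin) {
  const url = new URL(origin);
  if (policy.sites.untrusted.some((e) => entryMatches(e, url))) {
    return { preset: "UNTRUSTED", caps: [...policy.UNTRUSTED].sort() };
  }
  if (policy.sites.trusted.some((e) => entryMatches(e, url))) {
    return { preset: "TRUSTED", caps: [...policy.TRUSTED].sort() };
  }
  return { preset: "DEFAULT", caps: [...policy.DEFAULT].sort() };
}

// Audit helper: which of the given origins would be allowed to run script?
function scriptAllowed(policy, origins) {
  return origins.filter((o) => resolve(policy, o).caps.includes("script"));
}
```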