#20366: NoScript allows all 3rd party scripts when base domain is blocked
------------------------------+------------------------------------------
     Reporter:  joebt         |      Owner:
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:
    Component:  Applications  |    Version:
     Severity:  Normal        |   Keywords:  NoScript, Cascade, 3rd party
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+------------------------------------------
 An odd behavior if "Cascade top document's permissions to 3rd party
 scripts" is enabled in Advanced > Trusted tab.

  * With this enabled, even when the base domain - top document - is
 intentionally blocked, NoScript still allows all 3rd party scripts.  I
 think this is incorrect behavior and not what users expect, when base
 domains are still blocked.

 Then it lists the 3rd party sites under NS menu "Untrusted" group - but
 not marked untrusted.  Normally, when 3rd party sites are allowed, they're
 listed in main menuĀ  (where users can see them), with the option to Forbid
 individual sites.

 At best, it makes no sense to load 3rd party scripts - or show them as
 loaded, when the base domain is blocked.
 It's also confusing and misleading, based on NoScript's verbiage on this
 option's page.  It seems a waste of time, bandwidth to load 3rd party
 scripts if they're not going to be used.  At worst, a 3rd party developer
 learns to exploit 3rd party scripts being loaded when base domains are
 blocked.

  * The description in Trusted tab is, "Additional permissions for
 '''trusted''' sites."

   Keyword being "Trusted."  Blocking the base domain implies it is not
 trusted.

  * The option is called, "Cascade top document's '''permissions...."
 '''If the top document's permission status is __blocked__, then it's doing
 the opposite of its current permissions.  Only load 3rd party scripts if a
 base domain is allowed.

 Tor Project opted to override [wiki:NoScriptallowing NoScript]allowing
 some 3rd parties by default, via the extension-overrides.js file; e.g.,
 google.dom gstatic.dom ajax.googleapis.dom, etc.  But the Cascade option
 allows all 3rd party scripts when users have chosen not to allow scripts
 on the current page.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20366>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Reply via email to