#20366: NoScript allows all 3rd party scripts when base domain is blocked
------------------------------------------+-------------------------
 Reporter:  joebt                         |          Owner:
     Type:  defect                        |         Status:  closed
 Priority:  Medium                        |      Milestone:
Component:  Applications/Tor Browser      |        Version:
 Severity:  Normal                        |     Resolution:  invalid
 Keywords:  NoScript, Cascade, 3rd party  |  Actual Points:
Parent ID:                                |         Points:
 Reviewer:                                |        Sponsor:
------------------------------------------+-------------------------

Comment (by gk):

Replying to [comment:2 joebt]:
> I didn't discuss it directly with Giorgio, but NoScript forum's long time main moderator, barbaz, claimed this feature "Cascade top document's permissions...." was introduced at Tor devs' request.

Yes, that is true.

> I haven't confirmed that. If true, one question is, was this behavior under a specific condition what Tor Project wanted or even considered? Whether if a base domain is blocked, all 3rd party sites should be '''shown''' as allowed or blocked.

This was for the medium-high security level where we only allow scripts on HTTPS pages. This means if http:// is used in the URL bar then no script on that page is allowed to get executed. If https:// is used only scripts loaded with https:// are allowed to get executed.

> When base domain is blocked, not sure if allowed 3rd party sites / scripts would '''ever''' under any circumstance be able to execute under NS or TBB. Key phrase is "ever under any circumstance," vs. "probably won't."

If you mean with "blocked" doing that manually by blacklisting a domain, I don't know. That's not how we use/intend to use that feature.

> Barbaz gave no real explanation - why or when the described behavior would be desirable or expected by most users.
>
> Even if 3rd party scripts could '''never''' execute when a base domain is blocked, showing them as "allowed" is probably disconcerting and not what users prefer to see. Far less significant GUI quirks than this have been fixed.
>
> If enabling some TBB / Tor Button option made it incorrectly show "You are NOT connected to Tor network," most users wouldn't want to ignore that as just a quirk.

True, but note the different scenario: here we are the ones that are responsible for the TBB/Torbutton option. Thus, it falls into our bug tracker. But on the other hand we are not maintaining NoScript nor are we patching it before compiling or plan to do so. We just use a feature of it as it is expected to work.
If there are folks like you who want to have it function in a different use-case as well, going to the NoScript author(s) is the way to do it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20366#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>