#31798: wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser
-----------------------+------------------------------------------
 Reporter:  adrelanos  |          Owner:  tbb-team
     Type:  defect     |         Status:  new
 Priority:  Medium     |      Component:  Applications/Tor Browser
  Version:             |       Severity:  Normal
 Keywords:             |  Actual Points:
Parent ID:             |         Points:
 Reviewer:             |        Sponsor:
-----------------------+------------------------------------------

Noscript, file
{{{
{73a6fe31-595d-460b-a920-fcc0f8843232}
}}}

full path
{{{
tor-browser/Browser/TorBrowser/Data/Browser/profile.default/browser-extension-data/{73a6fe31-595d-460b-a920-fcc0f8843232}
}}}

when extracted contains file
{{{
common/Policy.js
}}}

which contains a list of websites.
{{{
addons.mozilla.org
afx.ms
ajax.aspnetcdn.com
ajax.googleapis.com
bootstrapcdn.com
code.jquery.com
firstdata.com
firstdata.lv
gfx.ms
google.com
googlevideo.com
gstatic.com
hotmail.com
live.com
live.net
maps.googleapis.com
mozilla.net
netflix.com
nflxext.com
nflximg.com
nflxvideo.net
noscript.net
outlook.com
passport.com
passport.net
passportimages.com
paypal.com
paypalobjects.com
securecode.com
securesuite.net
sfx.ms
tinymce.cachefly.net
wlxrs.com
yahoo.com
yahooapis.com
yimg.com
youtube.com
ytimg.com
}}}

Related source code:
{{{
function defaultOptions() {
  return {
    sites:{
      trusted
}}}

File
{{{
legacy/defaults.js
}}}
is similar.

Under [https://forums.whonix.org/t/noscript-with-security-slider-at-safest-permits-around-30-sites/8160 conditions] which are not clear to me yet how to reproduce, this can lead to whitelisting these websites in noscript even though Tor Browser security slider is set to maximum.

It's arguable if addons.mozilla.org should be whitelisted by default (I won't argue about it) but for sure netflix, paypal, youtube and others don't deserve special treatment by Tor Browser. Obvious tracking and security risk.

Looks like pressing the reset button in noscript also results in setting these websites to trusted by default in noscript.

Therefore, please kindly consider removing that whitelist from noscript.

Additional suggestions:

 * Have a unit test that greps the source code for (these) websites so these aren't reintroduced in later (noscript) add-on versions.
 * Report to upstream (noscript).

Related:
https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31798>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
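
One way to implement the regression check suggested in the ticket (a test that greps the unpacked add-on source for these sites), as an added example that is not part of the ticket and not NoScript or Tor Browser code. The function names, the domain subset and the sample file contents are assumptions constructed for illustration; only the file names `common/Policy.js` and `legacy/defaults.js` and the domains come from the ticket.

```python
import re
import tempfile
from pathlib import Path

# Subset of the domains listed in the ticket; extend with the full list as needed.
FLAGGED_DOMAINS = ["netflix.com", "paypal.com", "youtube.com", "yahoo.com", "live.com"]

def find_listed_domains(root, domains=FLAGGED_DOMAINS, suffixes=(".js", ".json")):
    """Return (relative_path, line_number, domain) for every exact mention in source files."""
    # The boundaries stop "live.com" from matching "olive.com" or "live.com.example".
    pattern = re.compile(
        r"(?<![\w.-])(" + "|".join(re.escape(d) for d in domains) + r")(?![\w.-])",
        re.IGNORECASE,
    )
    hits = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in pattern.finditer(line):
                hits.append((path.relative_to(root).as_posix(), lineno, match.group(1).lower()))
    return hits

def build_sample_tree(root):
    """Constructed stand-in for an unpacked add-on; not NoScript's real source."""
    root = Path(root)
    (root / "common").mkdir(parents=True)
    (root / "legacy").mkdir()
    (root / "common" / "Policy.js").write_text(
        'function defaultOptions() {\n'
        '  return { sites: { trusted: `netflix.com\n'
        '    paypal.com olive.com` } };\n'
        '}\n', encoding="utf-8")
    (root / "legacy" / "defaults.js").write_text(
        'var trusted = ["youtube.com", "example.org"];\n', encoding="utf-8")
    # Non-source file: mentions in documentation are not flagged.
    (root / "README.txt").write_text("mentions paypal.com in docs\n", encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, lineno, domain in find_listed_domains(tmp):
            print(f"{rel}:{lineno}: {domain}")
```

In a build pipeline the test would fail whenever `find_listed_domains` returns a non-empty list for the extracted add-on directory.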