NoScript options reset when TB restarted

The NoScript extension bundled with TB has a ‘Reset’ button. If I hit it, I’m warned that “ALL the NoScript preferences and site permissions will be reset to their default values immediately. This action cannot be reverted. Do you want to continue?”. NoScript’s options are then reset to a set of default values - for example all capabilities bar 4 are disabled in the Default policy. However, when I close and restart TB I find that NoScript’s options have been set to what I presume is TB’s own default. This enables all capabilities except ‘ping’, ‘unrestricted CSS’ and ‘LAN’ in the Default policy.

Questions: How does TB do this, where in the Tor Browser Bundle are TB’s default NoScript settings stored and can I disable this functionality?

Many thanks.

How does TB do this

NoScript intentionally provides a special communication channel for the Tor Browser to customize its settings in the ways that the Tor project deems more appropriate for each of the 3 security levels (Standard, Safer and Safest). More importantly, those settings are meant to be uniform across the entire Tor Browser user base, in order to make fingerprinting more difficult.
For the same reason, any changes you make to NoScript settings which diverge from those 3 big “buckets” are temporary, are never written to permanent storage and go away every time you quit the browser.

where in the Tor Browser Bundle are TB’s default NoScript settings stored

Here in the code.

can I disable this functionality?

Yes, you can.

If you understand and accept the risks (either a remote adversary enumerating “interesting” sites and observing if they’re blocked by NoScript, or a local one examining your extensions storage files), just open NoScript Options > Advanced and check

  • Override Tor Browser’s Security Level preset

which will make your NoScript settings permanent until you uncheck it or you manually change the Security Level.


@ma1 I see you are NoScript’s author - kudos.

Thanks for the very helpful reply, just what I was after. I’m actually trying to fix a bug in my own code (a project to automate TB with Selenium). The problem is that under some circumstances the TB NoScript settings are not being applied when instantiating a TB driver. I’ll poke about in the source code starting with that link you provided to figure out why.

(either a remote adversary enumerating “interesting” sites and observing if they’re blocked by NoScript, or a local one examining your extensions storage files)

¡Ay, caramba! that’s an interesting and alarming fingerprinting technique - I can see the rationale for the standardization.

Thanks again.
