Struggling with JavaScript and Add-Ons in Tor Browser

I was reading this doc.tb-manual.torproject.org/plugins/ and I’m running into some challenges. Managing JavaScript with NoScript is tricky as some HTTPS websites still don’t work even when I enable scripts for them. Switching between “Safer” and “Safest” modes causes inconsistencies too, with certain sites breaking completely in “Safest.” Additionally, I know Tor discourages add-ons, but I could really use tools like a password manager without compromising security. Lastly, some older sites using HTML5 for video still don’t load properly. Has anyone found a way to manage these issues while keeping Tor Browser functional and secure? Would love some advice!

Some time, in a galaxy far far away … and a very long time ago … uBlock Origin was mooted for Tor Browser. In fact it ships with TB on Tails. And Mullvad Browser (which is basically but not quite TB minus the tor part) also ships with uBO.

In a number of meetings and issues, we have (but no promises) come to the consensus that uBO is something we (I am not an employee but work a lot with the apps team) want in TB by default

some benefits (as I see them)

  • reduced requests for assets helping the tor network / latency = network perf
  • less 3rd party assets to load and run = clientside perf
  • privacy not really a factor because we have first party isolation, but it can’t hurt because it also includes 1st party tracking, also F those guys
  • security: ads are a common malware vector
  • enjoyment: using the web without a content blocker (uBO is not just an ad blocker) is just plain horrifying

But there’s a lot of water to go under the bridge before then, mainly to do with fingerprinting and uBO UX. We would want to lock the filter lists, decide how and when to update them, and make user changes session only - i.e. a “basic” uBO that achieves all of the above bullet points but breaks little by default and makes fingerprinting very very hard if not impossible

uBO has a JS setting: per site and globally. So in Firefox for example, you could globally disable JS and enable it for a few sites, or don’t block it and selectively block on some sites. It’s an extension and blocks scripts from loading/running (I assume inline ones as well).

NoScript integrates with Tor Browser (special TB powers) and disables JS at a browser level (by flipping a switch in prefs that web extensions can’t usually access). So in safest uBO can’t turn JS on. tldr; NoScript + uBO’s JS settings can cause gaps/issues

That said, in Safer mode, toggling uBO’s JS button would be easy - the problem is it’s after you loaded the web page with JS = so the damage is probably already done

I also know (because I work in this field) that … and I hate to say this, but changing to Safer, or from Safer to Standard actually requires a browser restart to be fully effective (there, the cat is out of the bag, maybe someone will take action now)

There’s no easy solution here for you

  • learn how to use NoScript @ma1 FYI
  • I’m not you, but why do you need to constantly change between Safer/Safest. If you’re prepared to switch to Safer or enable JS to unbreak a website, then you probably do not need Safest, if I follow your story correctly - just stick to Safer and enjoy not wasting time trying to configure every site

3 Likes

sorry for writing a book :slight_smile:

2 Likes

@thorin
Thanks for your post.
I only intermittently visit websites e.g. Reddit where I need to unbreak the site. I want the protection of Safest for the majority of my browsing sessions. If I change to Safer to allow browsing of Reddit, I am making all my other current browsing in other tabs less secure and I have to remember to switch back to Safest for the next session. Is there a better way to handle this need? Thanks

Install Tor Browser alpha (and let us know if you find any bugs). Stick two icons on your desktop - TB stable and TB alpha (or whatever you like) - use the purple (stable) TB for regular everyday SAFEST - use the green (alpha) TB for your occasional SAFER

You can run them concurrently (might depend on your system - I think Mac has issues with using the same profile, which we don’t want), but I can’t give you exact instructions - and you might need different tor ports (IANAE on the network bits)

What is your OS and I’ll ping @morgan @PieroV @ebanam and for good measure @gus and see if one of them replies on how to do it after you tell us your OS

PS: be cool like us man, get an alpha going

2 Likes

Thank you @thorin for the suggestion.
I am running the Tor Browser on Debian and have been able to get Alpha working so I’ll give it a go and feedback on bugs…

I understand usability has to be balanced with privacy and security but at least from the usability side, I would still advocate for the ability to override from Safest for temporary unbreaking of specific sites:

  • allowing this kind of override could be disabled by default
  • maybe the override could allow a site to operate as if the browser was in Safer or Standard? I assume this would be less fingerprintable than custom NoScript…

Many thanks!

Managing JavaScript in Tor Browser is tricky; switching between “Safer” and “Safest” often causes site issues. For password management, consider using standalone tools like KeePassXC to maintain security. HTML5 video problems might require enabling specific scripts temporarily for those sites

1 Like

The problem is that the pref used to block JS is global and not site specific - same goes for some prefs used in safer (and some of those need a browser restart to take effect). We have issues upstream for these - make slider site specific (note it’s somewhat pointless upgrading the slider level after the fact), svg issues in safest (svgs can run code), svgs in safer are a pain point, the slider icon is meant to show a badge when something is not as per the level it should be - e.g. a user goes to safest, then changes the svg preference in about:config … and a few others (like some level changes require a restart but this is never done or prompted for @morgan!!!)

Long story short - there are very few changes from standard to safer (7 prefs I think) and then only 1 more to safest : and some of those 7 or so prefs are likely no longer an issue, due to years of work upstream and in standards (e.g. RLBox, RDD, increased sandboxing, and a lack of CVEs for ages etc). I personally am advocating for the removal of safer - but it needs more analysis and discussion

Tor Browser will keep data local to the installation directory (at least it tries to), so you can have multiple installations in different directories.

Multiple profiles should work too, but you’ll have to figure out what to do with the tor daemon.
Either you share one daemon between the two profiles (they should use different SOCKS credentials, which should give you circuit isolation), or you can customize one of the profiles to use a different port.
Or, since you’re on Linux, you can use Unix domain sockets instead of TCP sockets.
More information here.

Of course, if you can help testing alpha, that will be very appreciated :smile:.
However, as the name suggests, stuff might break there.
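
The daemon-sharing options from the post above, as a torrc sketch added here (it is not part of the original thread and not the Tor Project's shipped configuration). The port numbers and the socket path are placeholders chosen for illustration.

```torrc
# Constructed example: one system tor daemon serving two browser profiles.
# Ports and the socket path below are placeholders, not values from the thread.

# Listener for the first profile (e.g. the "Safest" one).
# IsolateSOCKSAuth is tor's default behaviour: streams that present different
# SOCKS username/password pairs are never placed on the same circuit, which is
# the "different SOCKS credentials" isolation mentioned in the post.
SocksPort 127.0.0.1:9150 IsolateSOCKSAuth

# Separate listener for the second profile (e.g. the "Safer" one).
# By default tor does not share circuits between streams that arrive on
# different SocksPort listeners, so the two profiles stay apart even if
# they happened to send identical credentials.
SocksPort 127.0.0.1:9151 IsolateSOCKSAuth

# Linux alternative to a second TCP port: a Unix domain socket.
# Access is then governed by filesystem permissions on the socket path
# instead of by who can reach a localhost port.
SocksPort unix:/run/tor/socks-second-profile IsolateSOCKSAuth
```

Each browser profile then has to be pointed at its own listener rather than starting its bundled tor.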

Interesting. I was interpreting the NoScript ‘script’ checkbox as allowing JS to be turned off/on site by site. Is that wrong, then?

Thanks for explaining. I’ll try and read up on some of these topics.

Thanks for explaining @PieroV
I didn’t understand the feasibility of multiple installations. That's good to know.
Per @thorin's suggestion, I have just started using alpha with a separate profile and preset and have split my bookmarks to encourage right site usage with right profile and preset. Will see how this goes.
Thanks for sharing the link to the browser settings.
I have an independent Tor daemon with isolation enabled and am using different ports to access it (I took a look at how it’s set up in Tails and adapted to my needs). Seems to be working well.
I have lots more to learn on browser technologies and latest threats!

How advised is it to use wget or similar scrapers to download content over tor? Assuming you use torsocks wrapper. Would it avoid issues of fingerprinting?