Understanding Tor Browser and NoScript: Doubts and Questions

Scripts

Basics - My Doubts and Confusions

So, I was watching a video by The Hated One, and they recommended setting the security level to “Safest” in Tor Browser’s settings. This disables features like JavaScript for better security. To unbreak websites, the video suggested using the NoScript add-on.

I realized that NoScript and Tor Browser’s security settings are not different; they are synced. For example, changes in Tor settings directly affect NoScript.
See how NoScript updates dynamically when I change settings in Tor Browser:

BTW, by default, NoScript is not visible in the toolbar. I had to enable it from the add-ons manager.

I set the security level to “Safest” and tried to unbreak websites like Reddit. Here’s what I found:

If I disable everything in NoScript settings (see below), why does it still load some content? Let’s take DuckDuckGo, for example:


Is it because certain elements in DuckDuckGo are just plain HTML? But shouldn’t “Other” settings cover that?

Reddit, however, doesn’t load in the same way:

BTW, resetting NoScript to default settings/preset is easy; I just toggle the security level in Tor Browser back and forth:

What does the “Override Tor Browser’s Security Level preset” checkmark do?


From my testing, it only enables additional settings to mark domains as trusted or untrusted. That’s it.

BTW, you see, the website is still visible even after unchecking all the settings. I mentioned this earlier.

Let’s say I visited a website, enabled the “Override” button, and set the domain to trusted. Then, I visit another website (or even stay on the same site), and as soon as I uncheck the “Override” button, shouldn’t it just revert back to the default settings? Why does it still stay on trusted? Is this expected behavior?

So let’s say I want to browse in a set where I disable everything by default, including on both the Default preset and the Untrusted preset. For example, I’d like to mark unsafe websites like malwaredotcom (just as an example here) as untrusted to not load up anything from that domain. (By the way, as shown above with DuckDuckGo and that other website, some content still loads even in these scenarios in default mode with everything checked, and the same happens in untrusted mode with everything unchecked btw.)


Do I need to check the “Override settings” option to apply this setup? Or will it follow the standard settings preset, where NoScript and other elements are allowed to load by default? (For instance, “LAN” and some elements on untrusted sites are enabled.)

From my understanding, the “Override settings” checkbox lets you create permanent rules for websites, such as marking them as trusted or untrusted through the NoScript add-on. That’s it—nothing more, right?

So, if I don’t create permanent rules (trusted or untrusted), it doesn’t matter whether the “Override” checkbox is ticked or not, right? It seems to function the same way regardless.

If I go into the add-on settings and create a rule marking malwaredotcom as untrusted, it doesn’t matter if the “Override” checkbox is enabled or not; the rule still applies, right?

So basically, the checkbox only allows you to create rules via the add-on settings. It doesn’t affect anything else, right?

What I am trying to do. Is this a safe approach? I was watching a video by someone on YouTube, and they suggested this setup, but I’m concerned it might make me stand out.
I’m also concerned about another issue. Let’s say I’m using the default strict mode or preset. Typically, some website functionality would still work by default, but in my case, nothing works at all. My first instinct would be to set things to ‘temporarily trusted,’ which would end up loading almost everything, creating a much bigger privacy concern, right?
I think in this situation, instead of resorting to ‘temporarily trusted,’ using the custom mode might be a better option, right? NoScript also highlights certain elements, and enabling those should help make the website work without compromising privacy.

IDK, please let me know, you guys, which setup I should continue with, but before I proceed, I want to fully understand everything first.

How to Unbreak Websites?

See this:
On “Safer” mode (Nothing changed with NoScript) websites work fine:

On “Safest” mode, ofc the sites would be broken, but even after marking domains as temporarily trusted, the website still doesn’t work:

Even setting them to “Temporarily Restricted” doesn’t work:

What is happening here? I do not understand the link between the privacy settings in Tor and NoScript.


Addons in Tor browser

Using uBlock Origin (uBO) in Tor

I am aware that it is not recommended to install filter-based extensions like uBO in Tor Browser. However, Tails OS includes uBO by default in their Tor Browser. Why is this the case? Should I disable uBO in Tails’ Tor Browser?
If there is no risk, should I install uBO in the regular Tor browser? If there is a risk, should I disable uBO in Tails Tor browser?

Other Extensions in Tor Browser

Can we use extensions like Bitwarden in Tor? Bitwarden’s website itself promotes its use in Tor:


I guess it’s not mandatory to avoid installing addons, as there is logic behind it. Can you provide scenarios and some addons where installing them is completely fine? Also, I’d like to know if you use any addons in your Tor browser right now.

2 Likes

Hi Sibling
Thanks for summarizing these observations.

I found similar results as you, especially trying to use NoScript as override with Browser set to Safest. It looks like there are certain website capabilities disabled in Safest mode which cannot be re-enabled by NoScript override, though I’ve not managed to work out categorically what they are.

If you do want a baseline which gives more control - for better and for worse! - I think this can be achieved by setting the Tor Browser to ‘Safer’ and then set NoScript to “Override Tor Browser’s Security Level preset” but have NoScript default to treatment of sites as completely Untrusted (without customizing the NoScript treatment of Untrusted). As far as I can tell this disables almost all website capabilities by default but does allow overrides that can be used to make sites fully functional. Open Question - if using this approach, am I actually gaining any extra protection using the Tor Browser Safer preset vs the Standard one?

> I found similar results as you, especially trying to use NoScript as an override with the Browser set to Safest. It looks like there are certain website capabilities disabled in Safest mode that cannot be re-enabled by NoScript override.

I mean, yeah, so what’s the point of NoScript then? Also, from what I understand, Tor shouldn’t block anything—it’s NoScript that is managing the blocking for Tor.

> though I’ve not managed to work out categorically what they are.

Same. Not related to this, but I found this post, which discusses what the different options in NoScript can block and what filters are used.

> If you do want a baseline which gives more control - for better and for worse! - I think this can be achieved by setting the Tor Browser to ‘Safer’ and then set NoScript to “Override Tor Browser’s Security Level preset” but have NoScript default to the treatment of sites as completely Untrusted (without customizing the NoScript treatment of Untrusted). As far as I can tell, this disables almost all website capabilities by default but does allow overrides that can be used to make sites fully functional.

I don’t think so. Using ‘Safer’ from Tor settings shouldn’t break anything in the first place. In ‘Safer’ mode, mostly everything is allowed except for some media and WebGL, which are click-to-play.

Also, talking about the checkmark “Override Tor Browser’s Security Level preset,” I don’t think it should make any difference because, from my testing, that checkmark just lets you create permanent rules. The rules will remain even after restarting Tor, and nothing else. Secondly, in the Safest mode, things are just not broken, as I said. So that checkmark is pointless if you don’t make any rules, based on my testing.

You know what? I got an idea. What if you first set the security to Safest, then open the NoScript extension settings and export a backup file. Then set the security level to Safer again from Tor settings, but open the NoScript settings and import the backup config we just created.
As my theory suggests, Tor doesn’t block anything—the modes are just presets for the NoScript settings. I want you to let me know if the sites load or not after setting everything to Trusted or even temporarily disabling NoScript for the website (you can see from my previous post, even after setting the site to unrestricted in NoScript, things were not loading). Do let me know what happens with you.

> Question - if using this approach, am I actually gaining any extra protection using the Tor Browser Safer preset vs the Standard one?

From what I understand, your preset basically means you are first setting the security level to Safest and then just checking the “Override Tor Browser’s Security Level preset” mark. In my theory, it shouldn’t really matter, as I told you—the override button doesn’t do anything. You are just using the protection of Safer mode, in which media and WebGL are click-to-play.

In my theory, you should be more anonymous in the Standard mode because that’s the setting most Tor users are using (most Tor users don’t bother changing settings, in my opinion). Even blocking some things can make you stand out more compared to people who are using the default settings. And in my theory, even blocking some JavaScript (or all JavaScript) doesn’t make much difference, as fingerprinting and tracking can still be done with just HTML and CSS.

NoScript is more about security, in my opinion. It’s useful if there are exploits in the website or to protect against things like XSS attacks and cross-tab leak protection, which is why NoScript was built in the first place.

Talking about me, I’m also a user like you and might be wrong …

There has been no reply from the mods yet. I guess that’s because I opened this post during the holiday season, and the mods were out for the holidays. They were back on the 6th, so I think I should post this exact thing again or create a new post asking them to review it, or maybe ping the mods here so they can see the post and reply. I think they are the best people to reply to everything.

1 Like

I think the NoScript settings themselves allow for more fine-grained control than the main Safest, Safer and Standard presets and, since these are time-consuming to set, you can turn on “Override Tor Browser’s Security Level preset” to remember them provided no switching between Safest, Safer and Standard presets. This flag would be better called e.g. “Remember customizations between Tor Browser sessions”. Fair enough if you don’t want this persistence - I think you are correct that you can achieve exactly the same effects within a browser session without persistence.

…except that I am customizing the standard settings for NoScript Default and Untrusted under ‘Safer’ so they match the standard settings used for these under ‘Safest’. I would expect this to improve normal security in Safer mode with exceptions only for the sites I give Trusted or custom access to. Unfortunately the export and re-import of NoScript settings does not change anything, so we still need more clarity on the effects of the Safest, Safer and Standard presets not manifest in NoScript.