Understanding Tor Browser and NoScript: Doubts and Questions

Scripts

Basics- My Doubts and Confusions

So, I was watching a video by The Hated One, and they recommended setting the security level to “Safest” in Tor Browser’s settings. This disables features like JavaScript for better security. To unbreak websites, the video suggested using the NoScript add-on.

I realized that NoScript and Tor Browser’s security settings are not different; they are synced. For example, changes in Tor settings directly affect NoScript.
See how NoScript updates dynamically when I change settings in Tor Browser:

BTW, by default NoScript is not visible in the toolbar. I had to enable it from the add-ons manager.

I set the security level to “Safest” and tried to unbreak websites like Reddit. Here’s what I found:

If I disable everything in NoScript settings (see below), why does it still load some content? Let’s take DuckDuckGo, for example:


Is it because certain elements in DuckDuckGo are just plain HTML? But shouldn’t “Other” settings cover that?

Reddit, however, doesn’t load in the same way:

btw Resetting NoScript to default settings/preset is easy; I just toggle the security level in Tor Browser back and forth:

What does the “Override Tor Browser’s Security Level preset” checkmark do?


From my testing, it only enables additional settings to mark domains as trusted or untrusted. That’s it.

BTW, you see, the website is still visible even after unchecking all the settings. I mentioned this earlier.

Let’s say I visited a website, enabled the “Override” button, and set the domain to trusted. Then, I visit another website (or even stay on the same site), and as soon as I uncheck the “Override” button, shouldn’t it just revert back to the default settings? Why does it still stay on trusted? Is this expected behavior?

So let’s say I want to browse in a setup where I disable everything by default, on both the Default preset and the Untrusted preset. For example, I’d like to mark unsafe websites like malwaredotcom (just as an example here) as untrusted so that nothing loads from that domain. (By the way, as shown above with DuckDuckGo and that other website, some content still loads even in these scenarios in default mode with everything checked, and the same happens in untrusted mode with everything unchecked.)


Do I need to check the “Override settings” option to apply this setup? Or will it follow the standard settings preset, where NoScript and other elements are allowed to load by default? (For instance, “LAN” and some elements on untrusted sites are enabled.)

From my understanding, the “Override settings” checkbox lets you create permanent rules for websites, such as marking them as trusted or untrusted through the NoScript add-on. That’s it, nothing more, right?

So, if I don’t create permanent rules (trusted or untrusted), it doesn’t matter whether the “Override” checkbox is ticked or not, right? It seems to function the same way regardless.

If I go into the add-on settings and create a rule marking malwaredotcom as untrusted, it doesn’t matter if the “Override” checkbox is enabled or not; the rule still applies, right?

So basically, the checkbox only allows you to create rules via the add-on settings. It doesn’t affect anything else, right?

What I am trying to do. Is this a safe approach? I was watching a video by someone on YouTube, and they suggested this setup, but I’m concerned it might make me stand out.
I’m also concerned about another issue. Let’s say I’m using the default strict mode or preset. Typically, some website functionality would still work by default, but in my case, nothing works at all. My first instinct would be to set things to ‘temporarily trusted,’ which would end up loading almost everything, creating a much bigger privacy concern, right?
I think in this situation, instead of resorting to ‘temporarily trusted,’ using the custom mode might be a better option, right? NoScript also highlights certain elements, and enabling those should help make the website work without compromising privacy.

IDK, please let me know, you guys, which setup I should continue with, but before I proceed, I want to fully understand everything first.

How to Unbreak Websites?

See this:
In “Safer” mode (nothing changed in NoScript), websites work fine:

In “Safest” mode, of course the sites would be broken, but even after marking domains as temporarily trusted, the website still doesn’t work:

Even setting them to “Temporarily Restricted” doesn’t work:

What is happening here? I do not understand the link between the privacy settings in Tor and NoScript.


Addons in Tor browser

Using uBlock Origin (uBO) in Tor

I am aware that it is not recommended to install filter-based extensions like uBO in Tor Browser. However, Tails OS includes uBO by default in their Tor Browser. Why is this the case? Should I disable uBO in Tails’ Tor Browser?
If there is no risk, should I install uBO in the regular Tor browser? If there is a risk, should I disable uBO in Tails Tor browser?

Other Extensions in Tor Browser

Can we use extensions like Bitwarden in Tor? Bitwarden’s website itself promotes its use in Tor:


I guess it’s not mandatory to avoid installing add-ons, as there is logic behind it. Can you provide scenarios and some add-ons where installing them is completely fine? Also, I’d like to know if you use any add-ons in your Tor Browser right now.


Hi Sibling
Thanks for summarizing these observations.

I found similar results as you, especially trying to use NoScript as an override with the Browser set to Safest. It looks like there are certain website capabilities disabled in Safest mode which cannot be re-enabled by NoScript override, though I’ve not managed to work out categorically what they are.

If you do want a baseline which gives more control - for better and for worse! - I think this can be achieved by setting the Tor Browser to ‘Safer’ and then setting NoScript to “Override Tor Browser’s Security Level preset” but having NoScript default to treating sites as completely Untrusted (without customizing the NoScript treatment of Untrusted). As far as I can tell this disables almost all website capabilities by default but does allow overrides that can be used to make sites fully functional. Open question - if using this approach, am I actually gaining any extra protection using the Tor Browser Safer preset vs the Standard one?


I found similar results as you, especially trying to use NoScript as an override with the Browser set to Safest. It looks like there are certain website capabilities disabled in Safest mode that cannot be re-enabled by NoScript override.

I mean, yeah, so what’s the point of NoScript then? Also, from what I understand, Tor shouldn’t block anything—it’s NoScript that is managing the blocking for Tor.

though I’ve not managed to work out categorically what they are.

Same. Not related to this, but I found this post, which discusses what the different options in NoScript can block and what filters are used.

If you do want a baseline which gives more control - for better and for worse! - I think this can be achieved by setting the Tor Browser to ‘Safer’ and then set NoScript to “Override Tor Browser’s Security Level preset” but have NoScript default to the treatment of sites as completely Untrusted (without customizing the NoScript treatment of Untrusted). As far as I can tell, this disables almost all website capabilities by default but does allow overrides that can be used to make sites fully functional.

I don’t think so. Using ‘Safer’ from Tor settings shouldn’t break anything in the first place. In ‘Safer’ mode, mostly everything is allowed except for some media and WebGL, which are click-to-play.

Also, talking about the checkmark “Override Tor Browser’s Security Level preset,” I don’t think it should make any difference because, from my testing, that checkmark just lets you create permanent rules. The rules will remain even after restarting Tor, and nothing else. Secondly, in the Safest mode, things are just not broken, as I said. So that checkmark is pointless if you don’t make any rules, based on my testing.

You know what? I got an idea. What if you first set the security level to Safest, then open the NoScript extension settings and export a backup file. Then set the security level to Safer again from Tor settings, but open the NoScript settings and import the backup config we just created.
As my theory suggests, Tor doesn’t block anything—the modes are just presets for the NoScript settings. I want you to let me know if the sites load or not after setting everything to Trusted or even temporarily disabling NoScript for the website (you can see from my previous post, even after setting the site to unrestricted in NoScript, things were not loading). Do let me know what happens with you.

Question - if using this approach, am I actually gaining any extra protection using the Tor Browser Safer preset vs the Standard one?

From what I understand, your preset basically means you are first setting the security level to Safest and then just checking the “Override Tor Browser’s Security Level preset” mark. In my theory, it shouldn’t really matter, as I told you—the override button doesn’t do anything. You are just using the protection of Safer mode, in which media and WebGL are click-to-play.

In my theory, you should be more anonymous in the Standard mode because that’s the setting most Tor users are using (most Tor users don’t bother changing settings, in my opinion). Even blocking some things can make you stand out more compared to people who are using the default settings. And in my theory, even blocking some JavaScript (or all JavaScript) doesn’t make much difference, as fingerprinting and tracking can still be done with just HTML and CSS.

NoScript is more about security, in my opinion. It’s useful if there are exploits in the website or to protect against things like XSS attacks and cross-tab leak protection, which is why NoScript was built in the first place.

Talking about me, I’m also a user like you and might be wrong …

There has been no reply from the mods yet. I guess that’s because I opened this post during the holiday season, and the mods were out for the holidays. They were back on the 6th, so I think I should post this exact thing again or create a new post asking them to review it, or maybe ping the mods here so they can see the post and reply. I think they are the best people to reply to everything.


I think the NoScript settings themselves allow for more fine-grained control than the main Safest, Safer and Standard presets and, since these are time-consuming to set, you can turn on “Override Tor Browser’s Security Level preset” to remember them provided there is no switching between the Safest, Safer and Standard presets. This flag would be better called e.g. “Remember customizations between Tor Browser sessions”. Fair enough if you don’t want this persistence - I think you are correct that you can achieve exactly the same effects within a browser session without persistence.

…except that I am customizing the standard settings for NoScript Default and Untrusted under ‘Safer’ so they match the standard settings used for these under ‘Safest’. I would expect this to improve normal security in Safer mode with exceptions only for the sites I give Trusted or custom access to. Unfortunately the export and re-import of NoScript settings does not change anything, so we still need more clarity on the effects of the Safest, Safer and Standard presets not manifest in NoScript.


I think the NoScript settings themselves allow for more fine-grained control than the main Safest, Safer and Standard presets and, since these are time-consuming to set, you can turn on “Override Tor Browser’s Security Level preset” to remember them provided there is no switching between the Safest, Safer and Standard presets. This flag would be better called e.g. “Remember customizations between Tor Browser sessions”. Fair enough if you don’t want this persistence - I think you are correct that you can achieve exactly the same effects within a browser session without persistence.

Yeah, that’s the whole purpose of overriding Tor Browser’s security level preset. If we don’t mark anything as ‘Trusted,’ it doesn’t matter whether the checkbox is ticked or not, right?

…except that I am customizing the standard settings for NoScript Default and Untrusted under ‘Safer’ so they match the standard settings used for these under ‘Safest’. I would expect this to improve normal security in Safer mode with exceptions only for the sites I give Trusted or custom access to.

First, switching between profiles resets everything to the defaults for me (as I showed in the post).

I would expect this to improve normal security in Safer mode with exceptions only for the sites I give Trusted or custom access to.

Hmm, I guess you’re right. The things blocked by Tor Browser’s security level can’t be re-enabled with NoScript (which is what NoScript is meant for), but I’m not entirely sure. What you’re doing—allowing things through Tor’s security level but blocking them with NoScript—does that even work?
Not sure if it’s a good idea, though, as it might make you stand out more (I even asked about this in my post—it seems like that long post covers pretty much everything about NoScript, lol.)

It’s been more than a month since I wrote this long post, and I haven’t received a reply from the mods/staff (probably because it was holiday season back then). But I guess I should ping them now to follow up. @gus @championquizzer @WofWca @atari could you guys take a look please


I’m undereducated in this topic maybe @ma1 or @morgan might help here?


tldr; please don’t modify NoScript settings (or Firefox prefs for that matter) unless you really actually truly understand what you’re doing, or if you don’t actually care about the security/privacy features of Tor Browser in which case sure yolo.


Tor Browser uses NoScript in part to define the security level presets (which is why modifying NoScript settings and/or Security Level modifies the other in seemingly strange ways).

The NoScript icon was deliberately removed from the toolbar by default in new installs several years ago. In part this is because user research showed that users have a generally poor mental model of the security level and NoScript settings, and so if given the opportunity, they would go in and modify settings in an effort to unbreak a particular website they use. The website may end up getting unbroken, but as a side-effect they may alter global settings which affect all websites and in doing so, leaving them potentially more vulnerable to hypothetical JS-related vulnerabilities and definitely more fingerprintable.

The entire point of the security level UX is to provide users with options they are comfortable with based on their own personal risk or threat model, while minimising the number of possible knobs and switches users can modify. It is important for the browser’s fingerprinting protections (which prevent/minimise user tracking across websites) to have its users look as alike as possible. Without this bucketisation with security levels, everyone would look a bit different based on what settings they modify and be trackable around the internet, even when using tor for anonymity.


Please refer to @morgan’s explainer above for the “canonical” Tor position and the very sound reasons behind the Tor Browser’s Security Levels UX, which uses NoScript as its back-end.

I’m just chiming in (w/ my NoScript maintainer hat on) to confirm that Override Tor Browser settings is “just” about persistence over browser restarts.

As long as this preference is unchecked (default), any change to NoScript’s settings made from NoScript’s UI for a certain site can only be temporary and is erased on browser restart (or New Identity): the current Security Level settings are restored for every site in the new session.

On the other hand, no matter if the “Override Tor Browser Settings” preference is checked or not, selecting a Security Level in Tor Browser’s own UI resets NoScript settings to Tor Browser’s defaults for the chosen Level. Furthermore, using the NoScript Options>Reset button resets NoScript to Tor Browser’s defaults for the current level.

In my opinion, the only case for a Tor Browser user to directly change NoScript’s settings is their threat model requiring them to minimize the browser’s attack surface (mostly against zero-day vulnerabilities) and therefore them selecting the “Safest” Security Level (which is about equivalent to the “stock” NoScript mode in other browsers such as Firefox or Chrome). The “Safest” level being very strict (all active content and JavaScript disabled everywhere), those users may need to selectively grant some permissions to an otherwise inaccessible or broken website, which currently can be done only from NoScript’s UI. Even then, I recommend NOT checking the “Override Tor Browser Settings” option, in order to prevent you from accidentally granting permanent non-standard permissions, and therefore to reduce your fingerprint exposure as much as possible.


Thanks to you and Morgan for your explanations!
I would be very happy to use the ‘Safest’ preset and only to mark a site occasionally and temporarily as Trusted to be able to get the content to display.
Unfortunately this does not work per both Sibling’s and my findings. Take Reddit as an example.
In Safest mode, even when I mark Reddit as temporarily fully trusted in NoScript, the site does not load correctly. It only loads with preset = Safer or Standard. I would prefer not to change my overall preset as this affects all other current browsing. Is this intended?


If you set both reddit.com and redditstatic.com to TRUSTED Reddit should mostly work: as far as I can tell the only problem is SVG images (like the reddit logo) being rendered as CSS garbage because Safe mode additionally flips the global svg.disabled preference to true, which is out of NoScript’s scope.

There’s actually been some discussion of rather making SVG click to play / controlled by NoScript (e.g. Make SVG click-to-play and support fallback (#20314) · Issues · The Tor Project / Applications / Tor Browser · GitLab ), maybe it’s time to re-prioritize this.


Thank you for the explanation.
I confirm that the Reddit formatting issues do seem to be fully resolved with svg.disabled set to False. I don’t know enough to fully gauge the wisdom of adding an svg override option to NoScript but there are certainly plenty of other sites that do seem to need svg to present correctly and I think this makes using the Safest preset usable by exception only for normal browsing use.
Thanks


Sorry, I am a bit late. I was testing things more before writing this comment. Thanks to @cheshire_cat for asking the questions that were going around in my head and being able to ask them before me in proper language lol.
I am questioning/answering all the questions/answers in this very one comment with proper mentions and line breaks to separate them so it’s easier to read and understand.


@morgan Thank you for your comment about not changing the browser preset. But from my understanding, one of the reasons NoScript was developed was to have secure settings for other websites and temporarily (or even permanently) allow only safe websites or the ones we decide to fully render.
This is fundamentally important. Let’s say someone is from a heavily censored area, and they want to access the BBC website. They might want to completely unbreak/allow just the BBC website but keep the restrictions on all other websites to protect themselves from accidentally clicking on harmful sites.

But it seems like it doesn’t work that way (I will go into that below).


@ma1 Thank you so much for your replies.

Override Tor Browser settings is “just” about persistence over browser restarts.

Furthermore, using the NoScript Options > Reset button resets NoScript to Tor Browser’s defaults for the current level.

Thank you for confirming that :sparkles:

In my opinion, the only case for a Tor Browser user to directly change NoScript’s settings is when their threat model requires minimizing the browser’s attack surface (mostly against zero-day vulnerabilities), and therefore, they select the “Safest” Security Level. Being the “Safest” level very strict, it blocks active content and JavaScript everywhere.

You are right! I feel like it is over-exaggerated or fear-mongered to always use the Tor Browser in the safest level [but it’s not always true I guess] It mainly depends on the threat model, but for a normal everyday person, browsing in the safer mode should be fine…
I guess the belief that you should always use the Tor Browser only on the safest level and use NoScript to allow sites comes from the Darknet Bible’s JavaScript section. But that guide is meant for people whose threat model involves buying you know what from the dark web. Though, me and everyone feel like it’s an awesome place to understand things like PGP and other security concepts.


by @ma1

Those users may need to selectively grant some permissions to an otherwise inaccessible or broken website, which currently can be done only from NoScript’s UI.

by @cheshire_cat, who has the same question as me

I would be very happy to use the ‘Safest’ preset and only mark a site occasionally and temporarily as Trusted to be able to get the content to display.
Unfortunately, this does not work, as both Sibling’s and my findings show. Take Reddit as an example.
In Safest mode, even when I mark Reddit as temporarily fully trusted in NoScript, the site does not load correctly. It only loads with the preset set to Safer or Standard.

I guess I found the answer to this…
As @ma1 said:

The problem is SVG images (like the Reddit logo) being rendered as CSS garbage because Safe mode additionally flips the global svg.disabled preference to true, which is out of NoScript’s scope.

It seems my understanding in the original post, where I said:

The security level only changes the settings of NoScript. It doesn’t have any capability to block things on its own. Every blocking is done by NoScript, no one else.

After a bunch of testing, it seems like I was wrong.
The security level preset settings not only change NoScript’s settings, but also modify about:config settings in the Tor Browser, which block certain elements from loading. Allowing them is out of NoScript’s scope, as @ma1 mentioned.
By the way, I have been trying to make a list of these changes…

safest.js is the prefs.js file that was generated when the Security Level Preset was set to “Safest,” and mid.js was generated when the preset was set to “Safer.” I named them this way so they are easier to compare and understand.

| Preference | safest.js value | mid.js value | Difference |
|---|---|---|---|
| browser.download.viewableInternally.typeWasRegistered.svg | (not present) | true | mid.js allows viewing SVGs internally, while safest.js does not. |
| browser.security_level.security_slider | 1 | 2 | safest.js has a lower security level (1) than mid.js (2). |
| privacy.resistFingerprinting.letterboxing.didForceSize | true | (not present) | Present only in safest.js, indicating that letterboxing was forced. |
| privacy.globalprivacycontrol.was_ever_enabled | true | (not present) | Present only in safest.js, meaning Global Privacy Control was used there. |
| mathml.disabled | true | (not present) | Present only in safest.js, disabling MathML support. |
| svg.disabled | true | (not present) | Present only in safest.js, meaning SVG support is disabled. |
| gfx.font_rendering.graphite.enabled | false | (not present) | Present only in safest.js, disabling Graphite font rendering. |
| gfx.font_rendering.opentype_svg.enabled | false | (not present) | Present only in safest.js, disabling OpenType SVG fonts. |
| javascript.options.asmjs | false | (not present) | Present only in safest.js, disabling asm.js. |
| javascript.options.baselinejit | false | (not present) | Present only in safest.js, disabling baseline JIT. |
| javascript.options.ion | false | (not present) | Present only in safest.js, disabling IonMonkey JIT. |
| javascript.options.native_regexp | false | (not present) | Present only in safest.js, disabling native RegExp optimizations. |
| javascript.options.wasm | false | (not present) | Present only in safest.js, disabling WebAssembly. |

by @cheshire_cat

I confirm that the Reddit formatting issues do seem to be fully resolved with svg.disabled set to False.

That’s because when setting svg.disabled from about:config in Tor Browser, the Security Level literally shifts back to “Safer,” which you can even visually see in the Tor settings.

This happens because the Security Level Preset affects not only NoScript settings but also about:config (and possibly other things that I’m not aware of yet).


So now, the question arises:
What is the way to have Safest protection on random websites we visit but Safer protection on the websites we trust/allow to unbreak them? NoScript was supposed to handle that task, but it clearly falls short.

This is the preference that @cheshire_cat and I have been trying to achieve, as also said:

I would be very happy to use the ‘Safest’ preset and only to mark a site occasionally and temporarily as Trusted to be able to get the content to display.


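The post above built its table by comparing two prefs.js dumps by hand. The following is an added example (not code from the thread, from NoScript or from the Tor Project) of doing that comparison with a small parser: it reads `user_pref("name", value);` lines, diffs two dumps, and reports prefs that one dump does not set. The two sample dumps are constructed here from a subset of the prefs the post lists; they are not copied from a real profile, and the unchanged `network.proxy.socks` line is included only to show that identical prefs are dropped from the diff.

```python
import re

MISSING = "(not present)"

# prefs.js holds only prefs that differ from the build's defaults, one per line:
#   user_pref("svg.disabled", true);
# Values are true/false, an integer, or a double-quoted string.
_PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')


def parse_pref_value(raw):
    """Decode the value token of a user_pref() line."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    try:
        return int(raw)
    except ValueError:
        return raw  # keep anything unexpected as its raw text


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in a prefs.js dump."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = parse_pref_value(m.group(2))
    return prefs


def diff_prefs(left, right):
    """Prefs whose value differs between two parsed dumps.

    Returns {name: (left_value, right_value)}. MISSING marks a pref that one
    dump does not set at all, i.e. it sits at the browser's built-in default
    there; prefs.js cannot tell you what that default is.
    """
    changed = {}
    for name in sorted(set(left) | set(right)):
        lv = left.get(name, MISSING)
        rv = right.get(name, MISSING)
        if lv != rv:
            changed[name] = (lv, rv)
    return changed


def format_diff(changed, left_label="safest.js", right_label="mid.js"):
    """Render diff_prefs() output as pipe-separated rows."""
    rows = [f"Preference | {left_label} | {right_label}"]
    for name, (lv, rv) in changed.items():
        rows.append(f"{name} | {lv} | {rv}")
    return "\n".join(rows)


# Constructed sample dumps (subset of the prefs named in the post above).
SAFEST_JS = """\
// Mozilla User Preferences
user_pref("browser.security_level.security_slider", 1);
user_pref("javascript.options.wasm", false);
user_pref("javascript.options.ion", false);
user_pref("svg.disabled", true);
user_pref("mathml.disabled", true);
user_pref("network.proxy.socks", "127.0.0.1");
"""

SAFER_JS = """\
// Mozilla User Preferences
user_pref("browser.security_level.security_slider", 2);
user_pref("browser.download.viewableInternally.typeWasRegistered.svg", true);
user_pref("network.proxy.socks", "127.0.0.1");
"""


def compare_safest_to_safer():
    """Diff the two constructed dumps (Safest on the left, Safer on the right)."""
    return diff_prefs(parse_prefs(SAFEST_JS), parse_prefs(SAFER_JS))


if __name__ == "__main__":
    print(format_diff(compare_safest_to_safer()))
```

To run it against real dumps, close Tor Browser (prefs.js is flushed on exit), copy prefs.js out of the profile directory at each security level, and pass the file contents to `parse_prefs`. Two caveats a reader of the table should keep in mind: a pref absent from prefs.js is at its compiled-in default, not "off", so the `(not present)` column does not tell you the effective value; and the diff shows only what the security level writes to preferences, so NoScript's own per-site policy, which lives in extension storage rather than prefs.js, never appears here.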

This is by design - don’t touch things


Preferably we do not want any users to go changing about:config preferences. If you do, then that’s on you. You are literally asking to use Safest but then enabling SVGs, which can execute code [1][2][3][4]

[1] SVG images can contain JavaScript | Hacker News
[2] Can't SVG's also be used to run code? Yes, you can: https://stackoverflow.com/qu... | Hacker News
[3] CVE - Search Results // firefox
[4] CVE - Search Results // everyone

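Since the post above points out that SVG can execute code, here is an added example (not from the thread, NoScript or the Tor Project) of what that active content looks like and how to detect it. The scanner uses only the standard library and flags `<script>` elements, `on*` event-handler attributes, `javascript:` URLs in `href`/`xlink:href`, and `<foreignObject>` (arbitrary HTML inside the SVG). The two SVG documents are constructed for the example; the benign one is a plain circle, the other packs all four vectors into one file.

```python
import xml.etree.ElementTree as ET

# For untrusted input at scale prefer defusedxml; stdlib ElementTree is used
# here so the example runs without extra packages.


def _local(name):
    """Strip an XML namespace prefix: '{uri}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_text):
    """List the places where an SVG document could run script or embed HTML.

    A document that does not parse is reported as a finding rather than
    silently accepted, so a malformed file never looks "clean".
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]

    findings = []
    for el in root.iter():  # document order, root first
        tag = _local(el.tag)
        if tag == "script":
            findings.append("script element")
        elif tag == "foreignObject":
            findings.append("foreignObject element (embedded HTML)")
        for attr, value in el.attrib.items():
            name = _local(attr)  # handles xlink:href as well as plain href
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def is_active(svg_text):
    """True if the SVG carries anything that could execute when rendered as a document."""
    return bool(find_active_content(svg_text))


# Constructed samples.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4"/></svg>'
)

ACTIVE_SVG = """\
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(document.domain)">
  <script>alert('svg')</script>
  <a xlink:href="javascript:alert(1)"><text y="10">click</text></a>
  <foreignObject width="100" height="50">
    <div xmlns="http://www.w3.org/1999/xhtml">html inside svg</div>
  </foreignObject>
</svg>
"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, find_active_content(doc) or "clean")
```

Two points of context for the question raised later in the thread about incremental risk: browsers run SVG script only when the SVG is loaded as a document (navigated to directly, via `<object>`/`<iframe>`, or inlined in HTML), not when it is referenced from `<img>` or a CSS background; and Tor Browser's Safest level sets `svg.disabled` globally, so none of these render at all regardless of embedding. On a site where NoScript has already been granted JavaScript, inline SVG script on that same site is simply more JavaScript from an origin you chose to trust; the scanner above shows which constructs to look for when deciding whether a given file warrants that trust.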

@thorin
I understand that SVG introduces risk. Does its temporary and per-site use introduce more risk than using the Safest preset and then marking a site as Trusted in NoScript which enables Javascript anyway?

Folding SVG control into NoScript makes a lot of sense to me.
Many thanks


Thank you so much for coming here, @thorin .

Sure, Thorin, I won’t. I was just testing things out to understand how it works. Unfortunately, I don’t have enough experience to analyze the code and fully grasp how the application behaves rn. But Thank you for sharing that glimpse of the source code! I will definitely take a look at it and hope to contribute one day. :heart:

As mentioned earlier, it was just a test. The setup that Cheshire_Cat and I are trying to achieve involves maintaining the Safest protection globally while allowing some sites to use a Safer profile to essentially unblock them. How can we achieve this setup? NoScript was advertised as the tool to unbreak websites or revoke the restrictions imposed on them, but it can’t, because the website blocking is not only done by NoScript but also by about:config, which is beyond NoScript’s capabilities. The only way to achieve this is if SVG blocking is handled by NoScript and not by the Tor Browser’s about:config, as said by ma1, correct?


So clearly, NoScript is not the way to unbreak websites. Then what is?
BTW, mentioning it again, this is the setup cheshire_cat and I are trying to achieve:


How to enable it on a per-site basis? As far as I understand, it can only be enabled or disabled from about:config, and I do not think it is possible to add exceptions to those…

This only enables JavaScript; the SVGs remain blocked, and enabling them with NoScript is not possible at the moment.

Yes, this is not implemented yet, as the pull request is still open. As you (@cheshire_cat) mentioned, “Does its temporary and per-site use introduce more risk than using the Safest preset and then marking a site as Trusted in NoScript, which enables JavaScript anyway?” I am curious how you are able to enable it with NoScript at this moment?



You enabled it from the about: settings, correct?


No. I did it by changing that single item out of the zillions under about:config.
The question seems to be whether to move this under NoScript control for greater flexibility. Per my question I’m also wondering the incremental risk of turning on SVG on a website with JS already enabled via NoScript…


j/k … if you really want to see the svg, open the console :smile:


@thorin

j/k … if you really want to see the svg, open the console :smile:

LMFAO

Jokes aside, is there no other way to view the content right now? If not, isn’t this a flaw or bug in the Tor Browser?

For now, I see only one workaround:

  1. Set the security level to Safest and then go to NoScript to export a backup.
  2. Change the security level to Safer, then import the NoScript backup we just created.

This way, JavaScript and other elements will still be blocked by NoScript, but SVG and certain other features blocked by the browser will remain functional.

Similar to what @cheshire_cat asked.
