https://forum.torproject.org/t/understa ... ions/16437
I was trying to post the exact same thing properly here properly, but for some reason, I couldn't post it. It said the post was blocked due to anti-spam.
			
			
									
						
										                        Doubts and Confusions
Doubts and Confusions
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
						Re: Doubts and Confusions
You can private message the exact text you want to post to an active Support Team member and we will try to post it for you. PMs to forum staff are not spam-filtered, and the spam filter is more lenient on us.
Replying to the NoScript-related part of your Tor forum post:
NoScript blocks active content. For an overview of what NoScript can block, see viewtopic.php?t=26285 and https://noscript.net/usage/#crosssite-protectionsIf I disable everything in NoScript settings (see below), why does it still load some content?
No. See the sticky for the meaning of "other"shouldn’t “Other” settings cover that?
In non-Tor-based browsers, this setting is labeled "Enable setting permanent permissions in incognito/private tabs. BEWARE: doing this can leak site information!"What does the “Override Tor Browser’s Security Level preset” checkmark do?
Yes, this is expected. You marked the site permanently Trusted.Let’s say I visited a website, enabled the “Override” button, and set the domain to trusted. Then, I visit another website (or even stay on the same site), and as soon as I uncheck the “Override” button, shouldn’t it just revert back to the default settings? Why does it still stay on trusted? Is this expected behavior?
*Always* check the changelogs BEFORE updating that important software!
			                        Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0
						Re: Doubts and Confusions
Thanks for the replay! 
I just PM the post with proper questions and formatting and stuff to a moderator with username barbaz
Wating for him to repost it...
edit: ahh so you Barbaz right! Could you please repost it please! I sent you PM
			
			
													I just PM the post with proper questions and formatting and stuff to a moderator with username barbaz
Wating for him to repost it...
edit: ahh so you Barbaz right! Could you please repost it please! I sent you PM
					Last edited by Sigling on Sun Jan 05, 2025 2:27 pm, edited 1 time in total.
									
			
						
										                        Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
						Re: Doubts and Confusions
Scripts
My Doubts and Confusions
So, I was watching a video by The Hated one on youtube, and they recommended setting the security level to “Safest” in Tor/Mullvad Browser’s settings. This disable features like JavaScript for better security. To unbreak websites, the video suggested using the NoScript add-on.
I realized that NoScript and Tor Browser/Mullvad Browser’s security settings are not different; they are synced. For example, changes in Tor settings directly affect NoScript.
See how NoScript updates dynamically when I change settings in Tor Browser/Mullvad Browser:

I set the security level to “Safest” and tried to unbreak websites like Reddit. Here’s what I found:  

If I disable everything in NoScript settings (see below), why does it still load some content? Let’s take DuckDuckGo for eg:

Is it because certain elements in DuckDuckGo are just plain HTML? But shouldn’t “Other” settings cover that?
Reddit, however, doesn’t load in the same way:
 What does the “Override Tor Browser’s Security Level preset” checkmark do?
What does the “Override Tor Browser’s Security Level preset” checkmark do?  

From my testing, it only enables additional settings to mark domains as trusted or untrusted. That’s it.

Let’s say I visited a website, enabled the “Override” button, and set the domain to trusted. Then, I visit another website (or even stay on the same site), and as soon as I uncheck the “Override” button, shouldn’t it just revert back to the default settings? Why does it still stay on trusted? Is this expected behavior?  

So let’s say I want to browse in a set where I disable everything by default, including on Default preset and Untrusted preset both. For example, I’d like to mark unsafe websites like malwaredotcom(just as an example here) as untrusted to not load up anything from that domain. (By the way, as shown above with DuckDuckGo and that other website, some content still loads even in these scenarios in default mode with everything checked, and the same happens in untrusted mode with everything unchecked btw.)

Do I need to check the “Override settings” option to apply this setup? Or will it follow the standard settings preset? where NoScript and other elements are allowed to load by default? (For instance, “LAN” and some elements on untrusted sites are enabled)
From my understanding, the “Override settings” checkbox lets you create permanent rules for websites, such as marking them as trusted or untrusted through the NoScript add-on. That’s it—nothing more. right?
So, if I don’t create permanent rules (trusted or untrusted), it doesn’t matter whether the “Override” checkbox is ticked or not, right? It seems to function the same way regardless.
If I go into the add-on settings and create a rule marking malwaredotcom as untrusted like this , it doesn’t matter if the “Override” checkbox is enabled or not; the rule still applies, right?
, it doesn’t matter if the “Override” checkbox is enabled or not; the rule still applies, right?
So basically, the checkbox only allows you to create rules via the add-on settings. It doesn’t affect anything else, right?
What I am trying to do. Is this a safe approach? I was watching a video by someone on YouTube, and they suggested this setup, but I’m concerned it might make me stand out.
I’m also concerned about another issue. Let’s say I’m using the default strict mode or preset. Typically, some website functionality would still work by default, but in my case, nothing works at all. My first instinct would be to set things to ‘temporarily trusted,’ which would end up loading almost everything, creating a much bigger privacy concern, right?
I think in this situation, instead of resorting to ‘temporarily trusted,’ using the custom mode might be a better option right?. NoScript also highlights certain elements and enabling those should help make the website work without compromising privacy.
IDK, Please let me know, you guys, which setup I should continue with, but before I proceed, I want to fully understand everything first.
How to Unbreak Websites?
See this:
On “Safer” mode (Nothing changed with NoScript) websites work fine:

On “Safest” mode, ofc the sites would be broken but even after marking domains as temporarily trusted the website still doesn’t work:

Even setting them to “Temporarily Restricted” doesn’t work:

What is happening here? I do not understand the link between the privacy settings in Tor and NoScript.
___
Addons with NoScript
Using uBlock Origin (uBO) with NS
I am aware that it is not recommended to install filter-based extensions like uBO with NS Browser. However, Tails OS includes uBO by default in their Tor Browser also it's installed on the Mullvad Browser. Why is this the case? Should I disable uBO in Tails’ Tor Browser and the Mullvad Browser as I will be using NS?
If there is no risk, should I install uBO in the regular Tor browser(seems good to me in surface, ads will be blocked too)? If there is a risk, should I disable uBO in Tails Tor browser and the Mullvad Browser?
			
			
									
						
										                        My Doubts and Confusions
So, I was watching a video by The Hated one on youtube, and they recommended setting the security level to “Safest” in Tor/Mullvad Browser’s settings. This disable features like JavaScript for better security. To unbreak websites, the video suggested using the NoScript add-on.
I realized that NoScript and Tor Browser/Mullvad Browser’s security settings are not different; they are synced. For example, changes in Tor settings directly affect NoScript.
See how NoScript updates dynamically when I change settings in Tor Browser/Mullvad Browser:

Code: Select all
BTW By default, NoScript is not visible in the toolbar. I had to enable it from the add-ons manager, see the image of Tor browser by visiting the link
[url]https://forum.torproject.org/uploads/default/original/2X/7/7dfc23330177da2f099fa38892514f76c686ac26.png[/url]
If I disable everything in NoScript settings (see below), why does it still load some content? Let’s take DuckDuckGo for eg:

Is it because certain elements in DuckDuckGo are just plain HTML? But shouldn’t “Other” settings cover that?
Reddit, however, doesn’t load in the same way:
 
Code: Select all
btw Resetting NoScript to default settings/preset is easy; I just toggle the security level in Tor Browser back and forth, see this video:  
https://forum.torproject.org/uploads/default/original/2X/2/23a309b97f0d0092628a9126f6ececf3fb31d9c3.gif
From my testing, it only enables additional settings to mark domains as trusted or untrusted. That’s it.

Code: Select all
BTW you see, the website is still visible even after unchecking all the settings. I mentioned this this earlier.
So let’s say I want to browse in a set where I disable everything by default, including on Default preset and Untrusted preset both. For example, I’d like to mark unsafe websites like malwaredotcom(just as an example here) as untrusted to not load up anything from that domain. (By the way, as shown above with DuckDuckGo and that other website, some content still loads even in these scenarios in default mode with everything checked, and the same happens in untrusted mode with everything unchecked btw.)

Do I need to check the “Override settings” option to apply this setup? Or will it follow the standard settings preset? where NoScript and other elements are allowed to load by default? (For instance, “LAN” and some elements on untrusted sites are enabled)
From my understanding, the “Override settings” checkbox lets you create permanent rules for websites, such as marking them as trusted or untrusted through the NoScript add-on. That’s it—nothing more. right?
So, if I don’t create permanent rules (trusted or untrusted), it doesn’t matter whether the “Override” checkbox is ticked or not, right? It seems to function the same way regardless.
If I go into the add-on settings and create a rule marking malwaredotcom as untrusted like this
 , it doesn’t matter if the “Override” checkbox is enabled or not; the rule still applies, right?
, it doesn’t matter if the “Override” checkbox is enabled or not; the rule still applies, right?So basically, the checkbox only allows you to create rules via the add-on settings. It doesn’t affect anything else, right?
What I am trying to do. Is this a safe approach? I was watching a video by someone on YouTube, and they suggested this setup, but I’m concerned it might make me stand out.
I’m also concerned about another issue. Let’s say I’m using the default strict mode or preset. Typically, some website functionality would still work by default, but in my case, nothing works at all. My first instinct would be to set things to ‘temporarily trusted,’ which would end up loading almost everything, creating a much bigger privacy concern, right?
I think in this situation, instead of resorting to ‘temporarily trusted,’ using the custom mode might be a better option right?. NoScript also highlights certain elements and enabling those should help make the website work without compromising privacy.
IDK, Please let me know, you guys, which setup I should continue with, but before I proceed, I want to fully understand everything first.
How to Unbreak Websites?
See this:
On “Safer” mode (Nothing changed with NoScript) websites work fine:

On “Safest” mode, ofc the sites would be broken but even after marking domains as temporarily trusted the website still doesn’t work:

Even setting them to “Temporarily Restricted” doesn’t work:

What is happening here? I do not understand the link between the privacy settings in Tor and NoScript.
___
Addons with NoScript
Using uBlock Origin (uBO) with NS
I am aware that it is not recommended to install filter-based extensions like uBO with NS Browser. However, Tails OS includes uBO by default in their Tor Browser also it's installed on the Mullvad Browser. Why is this the case? Should I disable uBO in Tails’ Tor Browser and the Mullvad Browser as I will be using NS?
If there is no risk, should I install uBO in the regular Tor browser(seems good to me in surface, ads will be blocked too)? If there is a risk, should I disable uBO in Tails Tor browser and the Mullvad Browser?
Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0
						Re: Doubts and Confusions
Thank you for reposting it and for linking to this post viewtopic.php?t=26285
Could you respond to other inquiries as well please?
			
			
									
						
										                        Could you respond to other inquiries as well please?
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
						Re: Doubts and Confusions
I don't know all answers to all your questions, but can additionally help with these two -
False. Such setup *is* recommended here: NoScript for security / controlling active content, uBlock Origin for wider-spectrum blocking including privacy related blocking, blocklist-based malware site blocking. etc.
NoScript and uBlock Origin can interact, but the interaction is manageable. Make sure you understand the interaction potential, and how to isolate issues to their actual cause. From what I've seen, the "not recommended to install NoScript with uBlock Origin" type recommendations out there seem to stem from:
- confusion/conflation with the prudent "don't install multiple adblock type extensions simultaneously" recommendation;
- people not realising the interactions between NoScript and uBlock Origin and as a result asking the wrong questions in the wrong community.
As a start to understanding how NoScript and uBlock Origin interact, I have these rules in uBlock Origin Dashboard > My Rules -
Code: Select all
no-csp-reports: noscript-csp.invalid false
* https://noscript-csp.invalid/ csp_report allow
behind-the-scene https://[ff00::]/nscl/ xmlhttprequest allowThe risk of using something like uBlock Origin in Tor browser is that websites can in theory fingerprint you based on what you block. Similarly, if you disable uBlock Origin where it is installed by default, you will become more fingerprintable (not only from blocking different set of resources, but also ACTUALLY more fingerprinted because more trackers will load - NoScript is not an anti-tracking tool).Sigling wrote: ↑Sat Jan 04, 2025 5:13 pm However, Tails OS includes uBO by default in their Tor Browser also it's installed on the Mullvad Browser. Why is this the case? Should I disable uBO in Tails’ Tor Browser and the Mullvad Browser as I will be using NS?
If there is no risk, should I install uBO in the regular Tor browser(seems good to me in surface, ads will be blocked too)? If there is a risk, should I disable uBO in Tails Tor browser and the Mullvad Browser?
If it's a concern to you, choose a setup where uBlock Origin is installed by default and do not customize what is blocked (regardless of what tool is doing the blocking).
*Always* check the changelogs BEFORE updating that important software!
			                        Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0
						Re: Doubts and Confusions
Thank you for the answers to some questions. I have been playing around and trying to understand the rules you provided. I will be waiting for the reply to the other questions as well.
			
			
									
						
										                        Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0