Doubts and Confusions

Ask for help about NoScript, no registration needed to post
Sigling
Posts: 5
Joined: Fri Jan 03, 2025 3:18 pm

Doubts and Confusions

Post by Sigling »

https://forum.torproject.org/t/understa ... ions/16437

I was trying to post the exact same thing properly here properly, but for some reason, I couldn't post it. It said the post was blocked due to anti-spam.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
barbaz
Senior Member
Posts: 10981
Joined: Sat Aug 03, 2013 5:45 pm

Re: Doubts and Confusions

Post by barbaz »

Sigling wrote: Fri Jan 03, 2025 3:25 pm I was trying to post the exact same thing properly here properly, but for some reason, I couldn't post it. It said the post was blocked due to anti-spam.
You can private message the exact text you want to post to an active Support Team member and we will try to post it for you. PMs to forum staff are not spam-filtered, and the spam filter is more lenient on us.

Replying to the NoScript-related part of your Tor forum post:
If I disable everything in NoScript settings (see below), why does it still load some content?
NoScript blocks active content. For an overview of what NoScript can block, see viewtopic.php?t=26285 and https://noscript.net/usage/#crosssite-protections
shouldn’t “Other” settings cover that?
No. See the sticky for the meaning of "other"
What does the “Override Tor Browser’s Security Level preset” checkmark do?
In non-Tor-based browsers, this setting is labeled "Enable setting permanent permissions in incognito/private tabs. BEWARE: doing this can leak site information!"
Let’s say I visited a website, enabled the “Override” button, and set the domain to trusted. Then, I visit another website (or even stay on the same site), and as soon as I uncheck the “Override” button, shouldn’t it just revert back to the default settings? Why does it still stay on trusted? Is this expected behavior?
Yes, this is expected. You marked the site permanently Trusted.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0
Sigling
Posts: 5
Joined: Fri Jan 03, 2025 3:18 pm

Re: Doubts and Confusions

Post by Sigling »

Thanks for the replay!
I just PM the post with proper questions and formatting and stuff to a moderator with username barbaz
Wating for him to repost it...

edit: ahh so you Barbaz right! Could you please repost it please! I sent you PM
Last edited by Sigling on Sun Jan 05, 2025 2:27 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Sigling
Posts: 5
Joined: Fri Jan 03, 2025 3:18 pm

Re: Doubts and Confusions

Post by Sigling »

Scripts
My Doubts and Confusions

So, I was watching a video by The Hated one on youtube, and they recommended setting the security level to “Safest” in Tor/Mullvad Browser’s settings. This disable features like JavaScript for better security. To unbreak websites, the video suggested using the NoScript add-on.

I realized that NoScript and Tor Browser/Mullvad Browser’s security settings are not different; they are synced. For example, changes in Tor settings directly affect NoScript.
See how NoScript updates dynamically when I change settings in Tor Browser/Mullvad Browser:

Image

Code: Select all

BTW By default, NoScript is not visible in the toolbar. I had to enable it from the add-ons manager, see the image of Tor browser by visiting the link
[url]https://forum.torproject.org/uploads/default/original/2X/7/7dfc23330177da2f099fa38892514f76c686ac26.png[/url]
I set the security level to “Safest” and tried to unbreak websites like Reddit. Here’s what I found:

Image

If I disable everything in NoScript settings (see below), why does it still load some content? Let’s take DuckDuckGo for eg:
Image

Is it because certain elements in DuckDuckGo are just plain HTML? But shouldn’t “Other” settings cover that?

Reddit, however, doesn’t load in the same way:
Image

Code: Select all

btw Resetting NoScript to default settings/preset is easy; I just toggle the security level in Tor Browser back and forth, see this video:  
https://forum.torproject.org/uploads/default/original/2X/2/23a309b97f0d0092628a9126f6ececf3fb31d9c3.gif
What does the “Override Tor Browser’s Security Level preset” checkmark do?
Image
From my testing, it only enables additional settings to mark domains as trusted or untrusted. That’s it.
Image

Code: Select all

BTW you see, the website is still visible even after unchecking all the settings. I mentioned this this earlier.
Let’s say I visited a website, enabled the “Override” button, and set the domain to trusted. Then, I visit another website (or even stay on the same site), and as soon as I uncheck the “Override” button, shouldn’t it just revert back to the default settings? Why does it still stay on trusted? Is this expected behavior?

Image

So let’s say I want to browse in a set where I disable everything by default, including on Default preset and Untrusted preset both. For example, I’d like to mark unsafe websites like malwaredotcom(just as an example here) as untrusted to not load up anything from that domain. (By the way, as shown above with DuckDuckGo and that other website, some content still loads even in these scenarios in default mode with everything checked, and the same happens in untrusted mode with everything unchecked btw.)
Image

Do I need to check the “Override settings” option to apply this setup? Or will it follow the standard settings preset? where NoScript and other elements are allowed to load by default? (For instance, “LAN” and some elements on untrusted sites are enabled)

From my understanding, the “Override settings” checkbox lets you create permanent rules for websites, such as marking them as trusted or untrusted through the NoScript add-on. That’s it—nothing more. right?

So, if I don’t create permanent rules (trusted or untrusted), it doesn’t matter whether the “Override” checkbox is ticked or not, right? It seems to function the same way regardless.

If I go into the add-on settings and create a rule marking malwaredotcom as untrusted like this Image, it doesn’t matter if the “Override” checkbox is enabled or not; the rule still applies, right?

So basically, the checkbox only allows you to create rules via the add-on settings. It doesn’t affect anything else, right?

What I am trying to do. Is this a safe approach? I was watching a video by someone on YouTube, and they suggested this setup, but I’m concerned it might make me stand out.
I’m also concerned about another issue. Let’s say I’m using the default strict mode or preset. Typically, some website functionality would still work by default, but in my case, nothing works at all. My first instinct would be to set things to ‘temporarily trusted,’ which would end up loading almost everything, creating a much bigger privacy concern, right?
I think in this situation, instead of resorting to ‘temporarily trusted,’ using the custom mode might be a better option right?. NoScript also highlights certain elements and enabling those should help make the website work without compromising privacy.

IDK, Please let me know, you guys, which setup I should continue with, but before I proceed, I want to fully understand everything first.

How to Unbreak Websites?

See this:
On “Safer” mode (Nothing changed with NoScript) websites work fine:
Image
On “Safest” mode, ofc the sites would be broken but even after marking domains as temporarily trusted the website still doesn’t work:
Image

Even setting them to “Temporarily Restricted” doesn’t work:
Image
What is happening here? I do not understand the link between the privacy settings in Tor and NoScript.

___

Addons with NoScript

Using uBlock Origin (uBO) with NS

I am aware that it is not recommended to install filter-based extensions like uBO with NS Browser. However, Tails OS includes uBO by default in their Tor Browser also it's installed on the Mullvad Browser. Why is this the case? Should I disable uBO in Tails’ Tor Browser and the Mullvad Browser as I will be using NS?
If there is no risk, should I install uBO in the regular Tor browser(seems good to me in surface, ads will be blocked too)? If there is a risk, should I disable uBO in Tails Tor browser and the Mullvad Browser?
Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0
Sigling
Posts: 5
Joined: Fri Jan 03, 2025 3:18 pm

Re: Doubts and Confusions

Post by Sigling »

Thank you for reposting it and for linking to this post viewtopic.php?t=26285
Could you respond to other inquiries as well please?
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
barbaz
Senior Member
Posts: 10981
Joined: Sat Aug 03, 2013 5:45 pm

Re: Doubts and Confusions

Post by barbaz »

Sigling wrote: Sat Jan 04, 2025 5:17 pm Could you respond to other inquiries as well please?
I don't know all answers to all your questions, but can additionally help with these two -
Sigling wrote: Sat Jan 04, 2025 5:13 pm I am aware that it is not recommended to install filter-based extensions like uBO with NS Browser.
False. Such setup *is* recommended here: NoScript for security / controlling active content, uBlock Origin for wider-spectrum blocking including privacy related blocking, blocklist-based malware site blocking. etc.

NoScript and uBlock Origin can interact, but the interaction is manageable. Make sure you understand the interaction potential, and how to isolate issues to their actual cause. From what I've seen, the "not recommended to install NoScript with uBlock Origin" type recommendations out there seem to stem from:
- confusion/conflation with the prudent "don't install multiple adblock type extensions simultaneously" recommendation;
- people not realising the interactions between NoScript and uBlock Origin and as a result asking the wrong questions in the wrong community.

As a start to understanding how NoScript and uBlock Origin interact, I have these rules in uBlock Origin Dashboard > My Rules -

Code: Select all

no-csp-reports: noscript-csp.invalid false
* https://noscript-csp.invalid/ csp_report allow
behind-the-scene https://[ff00::]/nscl/ xmlhttprequest allow
Not sure if these rules are all necessary with NoScript 12.x, but haven't had time to check.
Sigling wrote: Sat Jan 04, 2025 5:13 pm However, Tails OS includes uBO by default in their Tor Browser also it's installed on the Mullvad Browser. Why is this the case? Should I disable uBO in Tails’ Tor Browser and the Mullvad Browser as I will be using NS?
If there is no risk, should I install uBO in the regular Tor browser(seems good to me in surface, ads will be blocked too)? If there is a risk, should I disable uBO in Tails Tor browser and the Mullvad Browser?
The risk of using something like uBlock Origin in Tor browser is that websites can in theory fingerprint you based on what you block. Similarly, if you disable uBlock Origin where it is installed by default, you will become more fingerprintable (not only from blocking different set of resources, but also ACTUALLY more fingerprinted because more trackers will load - NoScript is not an anti-tracking tool).

If it's a concern to you, choose a setup where uBlock Origin is installed by default and do not customize what is blocked (regardless of what tool is doing the blocking).
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0
Sigling
Posts: 5
Joined: Fri Jan 03, 2025 3:18 pm

Re: Doubts and Confusions

Post by Sigling »

Thank you for the answers to some questions. I have been playing around and trying to understand the rules you provided. I will be waiting for the reply to the other questions as well.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Post Reply