
NoScript not Torbutton compatible?

Posted: Thu May 07, 2009 3:06 pm
by Guest
https://www.torproject.org/torbutton/fa ... nconflicts
NoScript

Torbutton currently mitigates all known anonymity issues with Javascript. While it may be tempting to get better security by disabling Javascript for certain sites, you are far better off with an all-or-nothing approach. NoScript is exceedingly complicated, and has many subtleties that can surprise even advanced users. For example, addons.mozilla.org verifies extension integrity via Javascript over https, but downloads them in the clear. Not adding it to your whitelist effectively means you are pulling down unverified extensions. Worse still, using NoScript can actually disable protections that Torbutton itself provides via Javascript, yet still allow malicious exit nodes to compromise your anonymity via the default whitelist (which they can spoof to inject any script they want).

Re: NoScript not Torbutton compatible?

Posted: Thu May 07, 2009 3:16 pm
by Giorgio Maone
From a mail exchange between me and Mike Perry (TorButton's developer) on March 1st, 2009:
Mike Perry wrote: Well the problem is the "partially allowed" cases, where you disable
scripts for say the domain of the page url, but allow scripts for
whitelisted domains that source via link src and script src tags. In
that case, script could run in the page without being hooked.
Giorgio Maone wrote: Nope, if the page is not whitelisted, its scripting inclusions are not
processed/executed anyway.
Mike Perry wrote: A similar case is possible for nested i/frames, but I think those
should be OK, because torbutton injects for each i/frame separately.
Giorgio Maone wrote: If your code is reliable, there should be no problem there either in fact.
So it seems that your FAQ was bashing NoScript for (almost) nothing.
That's whitelist spoofing aside, but that's addressed by the "HTTPS
filtered whitelist on proxy connections" feature now, which is the only
thing that deserves to be kept in your FAQ I think :)
Mike Perry wrote: Heh, yeah, as soon as I release 1.2.1 I will bump NoScript to the
recommended section with a proviso that it can be used by advanced
users safely in combination with Torbutton.
Did he forget? :roll:

Re: NoScript not Torbutton compatible?

Posted: Sun May 17, 2009 9:31 pm
by Guest