iceweasel addon - NoScript
Originally created by Tails on #5286 (Redmine)
This is what’s said about NoScript in the Torbutton FAQ:
Torbutton currently mitigates all known anonymity issues with Javascript. However, if you are concerned about Javascript exploits against your browser or against websites you are logged in to, you may want to use NoScript. It provides the ability to allow Javascript only for particular websites and also provides mechanisms to force HTTPS urls for sites with insecure cookies.
This might be useful for more advanced users that want additional privacy. Given how widely used this addon is by said user group it seems likely that any incompatibilities with other addons we use should(’ve) be(en) identified and fixed quickly.
Quoting Mike Perry on bug #3007 on Tor Project’s Trac: "We provide NoScript mostly for the non-filter features it provides, such as click-to-play for media, webgl and plugins, XSS protection, remote font blockage, and so on. The ability to globally disable JS is also a bonus for the malware and exploit-laden corners of the web, but having JS disabled (or worse, filtered) by default doesn’t seem very intuitive for new Tor users."
Configuration
Since this plugin will confuse the uninitiated, and since Torbutton already blocks all known JavaScript issues, NoScript should be configured to allow all sites per default. It’s either up to the user to blacklist domains, or disable all sites per default and then whitelist the ones deemed trustworthy.
Tor Browser Bundle configuration
The Tor Browser Bundle, starting with its 1.0.0 version, ships the NoScript and BetterPrivacy extensions. As explained in details by Mike Perry, they tweaked NoScript’s configuration a lot; e.g. JavaScript is enabled by default, but they make use of other NoScript privacy features. See their NoScript configuration.
Also see hardening suggestions on bug #3461 on Tor Project’s Trac.
Our
feature/noscript
branch has this: NoScript + TBB configuration. Needs to be tested extensively before we release it, but it seems to work.
done in Tails 0.10.