Why disable JavaScript in Tor?

  • Why is it not advisable to use JavaScript with Tor? Yet with JavaScript, you cannot get the IP address of the user except through an external website. How could using JavaScript with Tor expose one's identity?

    Using JavaScript functionality as intended is not the only danger. JavaScript also provides an increased attack surface for security exploits. This is a very real risk, as CVE-2013-1690 showed the world a couple of years back.

    user45139 Correct answer

    I do not know where you got that information but wherever you got it, the official documentation is more reliable:

    We configure NoScript to allow JavaScript by default in Tor Browser because many websites will not work with JavaScript disabled.

    If you disable JavaScript by default but then allow a few websites to run scripts (the way most people use NoScript), then your choice of whitelisted websites acts as a sort of cookie that makes you recognizable (and distinguishable), thus harming your anonymity.

    But unlike Firefox and Chrome, Tor Browser has not implemented WebRTC, which allows requests to be made to STUN servers that will return the local and public IP addresses of the user.

    See the very related question: Why is my internal IP address (private) visible from the Internet: http://security.stackexchange.com/questions/94783/why-is-my-internal-ip-address-private-visible-from-the-internet

    @Jiby that question is not about Tor Browser, and this one is not interested in getting specifically the IP address. I just wrote that information additionally; otherwise the answer to this question ends where the quotation ends.
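
The documentation quoted in the answer says a personal whitelist of script-enabled sites acts like a cookie; measuring anonymity sets makes that concrete. This is an added example, not part of the original thread, and the user names and `.example` sites are constructed sample data.

```python
import math
from collections import Counter

# Constructed sample: one NoScript whitelist per user (hypothetical sites).
# An empty whitelist means the user kept the shipped setting and made
# no per-site choices.
POPULATION = {
    "u1": frozenset(),
    "u2": frozenset(),
    "u3": frozenset(),
    "u4": frozenset(),
    "u5": frozenset({"mail.example"}),
    "u6": frozenset({"mail.example"}),
    "u7": frozenset({"mail.example", "forum.example"}),
    "u8": frozenset({"bank.example", "forum.example", "news.example"}),
}


def anonymity_sets(population):
    """Count how many users share each distinct whitelist."""
    return Counter(population.values())


def surprisal_bits(population, user):
    """Bits of identifying information revealed by this user's whitelist."""
    sets = anonymity_sets(population)
    share = sets[population[user]] / len(population)
    return -math.log2(share)


def unique_users(population):
    """Users whose whitelist is shared by nobody else (anonymity set of 1)."""
    sets = anonymity_sets(population)
    return sorted(u for u, wl in population.items() if sets[wl] == 1)


if __name__ == "__main__":
    for user in sorted(POPULATION):
        size = anonymity_sets(POPULATION)[POPULATION[user]]
        bits = surprisal_bits(POPULATION, user)
        print(f"{user}: anonymity set {size}, {bits:.1f} bits")
    print("uniquely identifiable:", unique_users(POPULATION))
```

Users who leave the setting untouched stay in the largest set; each additional per-site choice shrinks the set until the whitelist alone singles the user out.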

