Why does Tor Browser Bundle ship with JavaScript enabled?

  • Tor Browser Bundle ships with NoScript (which can disable JavaScript), but NoScript’s functionality is disabled. This means that by default in the Tor Browser Bundle, all JavaScript code is allowed to execute – including potentially adversarial code.

    What was the rationale behind this decision?

    JavaScript has been disabled by default since version 3.5

    @user263485 That's largely untrue now.

  • As so often in anonymity, it boils down to a tradeoff between security and usability. JavaScript certainly doesn't have an excellent track record from a security point of view, and disabling it will save you from a bunch of nasty attacks. But whether we like it or not, it's a crucial usability part of today's Internet. Disabling it in the Tor Browser Bundle would break an enormous number of web sites. To make matters worse, a large fraction of Tor's users are not computer experts. They would likely be confused by all these broken web sites and end up not using Tor anymore.

    To spin the thought further, less usability means fewer users, which means a smaller anonymity set and less user diversity. Once disabled JavaScript had chased away the less technically savvy users, the network might end up being composed of geeks who don't mind having no JavaScript. There goes the user diversity, and also some anonymity.

    The current tradeoff seems sane. While JavaScript is enabled and makes web sites look nice, the NoScript extension (while allowing JavaScript) and a set of other TorBrowser patches take care of a number of other attacks.

    A very good answer! I'm curious about one thing - your answer implies that NoScript by virtue of being installed can prevent some attacks. Am I reading that correctly? I thought NoScript was a simple boolean deny on domain X, allow on domain Y kind of extension.

    You are reading that correctly, Samuel: NoScript does more than the name suggests! It is able to block other content such as Java and Flash and has XSS countermeasures, among other things. The web site gives a good overview: http://noscript.net/features

    Might be useful to disable it by default, in light of the recent events with Freedom Hosting.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM