Noscript Tor Browser


Tor is the system preferred by users who wish to browse the internet anonymously. You can either set Tor up individually on your computer or mobile device, or in conjunction with the Tor Browser.

Tor Browser is careful to maintain your privacy by protecting your IP address and browser fingerprint, which are used to differentiate you from other users. For instance, Tor Browser warns you when you try to maximize the browser window, since you can be tracked based on the viewport size and screen resolution.

Today, I've updated my TOR browser and all the problems have been solved. – Mir Saman May 9 '19 at 12:12

Updating did not fix it for me, but after completely uninstalling and reinstalling a couple times, I do finally have add-ons. – duggulous May 10 '19 at 3:55

NoScript Temporarily Disabled in Tor Browser, by gk, May 04, 2019: Due to a mistake in Mozilla's signing infrastructure, NoScript and all other Firefox extensions signed by Mozilla have been disabled in Tor Browser. Because they use NoScript, higher security levels are currently broken for Tor Browser users.

Winner of the 'PC World World Class Award' and bundled with the Tor Browser, NoScript gives you the best available protection on the web. It allows JavaScript, Flash, Java and other executable content to run only from trusted domains of your choice, e.g. your home-banking site, mitigating remotely exploitable vulnerabilities including.

Starting from Friday May 3, a problem in Firefox and Tor Browser disabled all add-ons, especially NoScript which is used to:

  • Strengthen Tor Browser against some JavaScript attacks that can lead to compromised accounts and credentials on websites.
  • Enable or disable JavaScript on some websites using the NoScript interface, if you use it.

Tor Browser might pay extra attention to user privacy, but even Tor developers make mistakes. A 0-Day vulnerability was found in the NoScript extension, which made it possible to expose the identities of Tor users. This article explains how this script blocking extension works, and how it exposes the private information of Tor Browser users.

Script Blocking Feature

One security feature of Tor Browser is that it blocks all scripts from loading unless you tell it to do otherwise. Using the NoScript extension, script loading is blocked on all websites except the ones you whitelist. This prevents your IP address from being exposed by JavaScript code running on the page, such as a WebRTC connection request. All potentially vulnerable content, such as ActiveX controls and Flash objects, will also be blocked.

Whether NoScript blocks scripts on a page depends on the page's Content-Type. When the NoScript extension comes across a context that can run scripts, such as a page that has the Content-Type set to text/html, the extension immediately prevents the JavaScript code from running.


Running Scripts Even With NoScript Enabled

However, an alarming tweet by Zerodium on September 10 stated that a 0-Day vulnerability discovered in the NoScript extension might help expose the identities of Tor users.


Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to 'text/html;/json' and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.

— Zerodium (@Zerodium) September 10, 2018

Let’s take a brief look at the details of the vulnerability.

Details of the 0-Day Vulnerability in the NoScript Extension

In Tor Browser versions 7.x, NoScript's 'Safest' security level is supposed to block all JavaScript code. However, it can be bypassed with a simple trick in the HTTP response, allowing the JavaScript files to run. The attack works when the attacker sets the Content-Type header of the response to the value quoted in the advisory above, text/html;/json.

It seems like the code responsible for blocking scripts from loading actually parses the Content-Type header incorrectly. When the code encounters the /json string at the end of the header, it believes that the context can't execute scripts anyway. Therefore it does not see the need to disable the script engine on that page.
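The parsing mistake described above, shown as an added example (it is not NoScript's source code and not part of the original article): a hypothetical check that judges the header by how it ends, next to a fail-closed check that compares only the MIME essence. All function names and the one-entry allow-list are assumptions made for illustration.

```javascript
// Added illustration: NOT NoScript's source. All names here are hypothetical.

// Flawed pattern: infer "this response is only data" from how the raw
// header value ends, without parsing it into type/subtype and parameters.
function naiveTreatsAsData(contentType) {
  return /\/json\s*$/i.test(String(contentType));
}

// MIME essence = "type/subtype" before the first ';', trimmed and lowercased.
// Returns null when that part is not a well-formed type/subtype pair.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9a-z]+";
const ESSENCE_RE = new RegExp(`^${TOKEN}/${TOKEN}$`);

function mimeEssence(contentType) {
  const essence = String(contentType).split(";")[0].trim().toLowerCase();
  return ESSENCE_RE.test(essence) ? essence : null;
}

// Assumed allow-list of types that never provide a script-capable context.
const DATA_ONLY = new Set(["application/json"]);

// Fail closed: block scripts unless the essence is a known data-only type.
function mustBlockScripts(contentType) {
  const essence = mimeEssence(contentType);
  return essence === null || !DATA_ONLY.has(essence);
}

// Constructed sample header values, including the one quoted in the advisory.
const SAMPLES = [
  "text/html",
  "TEXT/HTML ; charset=utf-8",
  "application/json; charset=utf-8",
  "text/html;/json",
  "",
];

// One row per header value: what each check decides.
function compare(samples) {
  return samples.map((value) => ({
    value,
    essence: mimeEssence(value),
    naiveSkipsBlocking: naiveTreatsAsData(value),
    strictBlocks: mustBlockScripts(value),
  }));
}

console.table(compare(SAMPLES));
```

The row for text/html;/json is the one to look at: the suffix check classifies it as data and skips blocking, while the essence check sees text/html and blocks.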

Conclusion

NoScript Classic fixed this vulnerability in the 5.1.8.7 update. All versions of the Tor Browser from version 8.0 onwards included the updated version of the NoScript extension. Therefore, we recommend that Tor Browser users update their browsers immediately.

For further information, consult the Python Proof of Concept Code that exploits this issue, provided by the security researcher 'x0rz'.

NoScript is Free Software (source code): if you like it, you can support its progress :)

Stable AMO Version, see changelog for details.

Supported browsers: Firefox (Desktop and Mobile on Android), Tor Browser (where it is built-in), Chromium/Chrome.
Other browsers based on Gecko versions >= 59 and on latest Chromium might work, but are not tested.

Direct download

You can get the latest stable version here, too, using this direct download link for NoScript 11.2.7
To install, just drag and drop it onto your address bar.

You can still download NoScript 'Classic' (5.1.9) (SHA256) for Seamonkey, Palemoon, Waterfox Classic and possibly other 'vintage' (pre-Gecko 57) Firefox forks here: we'll do our best to provide security fixes as long as the supporting browsers still guarantee their own security updates.

Notice: you may need to open about:config and set your xpinstall.signatures.required preference to false in order to install NoScript 5.x, since Mozilla doesn't support signatures for legacy add-ons anymore. If you're using a non ESR Firefox, you may also need this hack.

Users of Firefox 58 and below are urged to upgrade their very unsafe browser. For those few who can't,

  • latest NoScript version compatible with Gecko 57 - Gecko 58 is 10.1.7.3;
  • latest NoScript version compatible with Gecko 46 - Gecko 56 is 5.1.9 (SHA256);
  • latest NoScript version compatible with Gecko 13 - Gecko 45 is 2.9.0.14 (SHA256);
  • latest NoScript version compatible with Gecko 1.9 - Gecko 12 is 2.9.0.1rc1 (SHA256);
  • latest NoScript version compatible with Gecko < 1.9 is 1.10 (SHA256).

Development version

If you're brave enough and you need a specific feature or fix not released yet, or you simply want to provide feedback before official release, you may want to try this
'Quantum' NoScript 11.2.7rc1 development build

Starting with NoScript 10.1.8.3, NoScript's public source code repository is hosted on Github.

Recent development history:



Feedback

If you find something wrong about NoScript, read the FAQ page and/or let me know: I'll try to fix it as soon as I can.

You can also discuss NoScript on this Forum.

Have your safest browsing experience!