[piaste]

> The bug is simple enough: using JavaScript, you can identify the scrollbar width.

I thought it was accepted and strongly emphasized that running JavaScript in a Tor environment was insecure and could leak information in all sorts of ways, which is why Tor Browser came with NoScript enabled by default.

Is that no longer the case? Is there now an expectation that you should be able to safely run JS in Tor Browser without risk?

[ed25519FUUU]

Javascript is unfortunately a major part of the web. In terms of Tor's core goals, I think it's preventing the leaking of IP information and overcoming censorship. Preventing websites from identifying a Tor browser is probably a secondary goal.

A website operator can already get refreshed lists of Tor exit nodes and simply block them. Your ISP/government can already see that there's Tor traffic coming from your house, and probably "match" at least some activity with an exit node.

[flotzam]

https://2019.www.torproject.org/docs/faq.html.en#TBBJavaScri...

[strbean]

I don't understand this bit:

> But there's a third issue: websites can easily determine whether you have allowed JavaScript for them, and if you disable JavaScript by default but then allow a few websites to run scripts (the way most people use NoScript), then your choice of whitelisted websites acts as a sort of cookie that makes you recognizable (and distinguishable), thus harming your anonymity.

How would this work exactly? And if it did work, wouldn't it at the very worst only work on sites for which you had enabled JS? I.e. sites that you had already essentially conceded your anonymity on by choice?

I don't see this as a worthy argument for enabling JS by default and destroying users' anonymity without custom configuration.

[slashink]

You just let the javascript send a heartbeat ping. If you don't receive the ping but served the page you can determine that the user agent did not execute the javascript.

[cortesoft]

Sure, but the comment mentions that you would use the 'set of websites that are whitelisted' as an identifier... your method can only check the site you are currently on, it doesn't give you information on if other websites have been whitelisted or not.

[flotzam]

AFAIK NoScript whitelists don't respect first-party isolation (so a JS-enabled website can be included in a JS-disabled website), which makes it a relatively simple coordination problem between website A and B (possibly automated by a third-party tracker included in both A and B).

In any case, first-party isolation can be subverted: https://news.ycombinator.com/item?id=17947605

[cortesoft]

Yes, with coordination it is possible. I was thinking of the non-coordination issue.

[ColanR]

You are not able to safely run JS in Tor Browser, but JS is enabled by default.

[ainar-g]

Iirc, they have been allowing scripting on HTTPS sites by default for some time now.