Noscript with Security Slider at Safest permits around 30 sites

Saw a couple others report this in qubes-users, but wasn’t able to recreate at the time. However, today I am seeing the same thing. Have /etc/torbrowser.d/50_user.conf with tb_security_slider_safest=true in whonix-ws-15. DispVMs start correctly without a prompt and the slider showing Safest in toolbar and Firefox advanced security settings. However, looking at Noscript Settings/Per Site Permissions I see around 30 sites listed as trusted like googlevideo.com, netflix.com, outlook.com, etc. If I am reading the APT logs right, packages I had upgraded in whonix-ws-15 since my first test (that showed 0 sites) are:

xenstore-utils 2001:4.8.5-10+deb10u1
xen-utils-common 2001:4.8.5-10+deb10u1
tb-updater 3.12.8-1
libxenstore3.0 2001:4.8.5-10+deb10u1
libxen-4.8 2001:4.8.5-10+deb10u1
thunderbird 1:60.9.0-1~deb10u1

But I don’t know if that has anything to do with it. I am pretty sure Noscript is still the same version as when I was testing- 11.0.3. Changing the security slider to something else, then back to Safest results in 0 sites listed.


Whonix source code doesn’t write literally googlevideo, netflix, outlook, etc. anywhere. It does not do anything to give special treatment to any websites.

By policy, for simplicity, clean implementation and whatnot, the “inside” of Tor Browser isn’t modified by Whonix. This is elaborated here:


Therefore this is most likely an issue caused by Tor Browser.

Can you find these textual strings (such as netflix) in Tor Browser, noscript or noscript fork by Tor Browser (if that exists) source code or binary?

Could you please try to reproduce this issue with Tor Browser in Debian?

You might have to copy over the security slider maximum settings file.

Tor Browser upstream issue. Bug report written just now.

wipe all mentions of netflix, paypal, youtube, … from noscript in Tor Browser

From noscript FAQ:

Q: What websites are in the default whitelist and why?

Q: What is a trusted site?

1 Like

noscript [feature request] environment variable to clear default whitelist

Thank you for submitting that Noscript feature request. I know it’s not necessarily Whonix code where that list is coming from, but didn’t get how it was showing 0 sites a few days ago and now all 30, or why changing the slider to something else and back again also clears it.

1 Like

I wonder if it’s a timing issue- if Noscript finishes initializing before the slider gets changed by some other code it works right, but the other way around does not? I’ll dig in the Noscript code too, maybe there is some way we can pare down that list.

1 Like

Still not sure why the timing or plugin load order would have changed, but I figured out a workaround. Noscript stores its settings in .tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/storage-sync.sqlite. Like you found, it loads these with default sites on first start. I dumped the sqlite DB at this point (attached as “defaultsqllite.txt”). I then toggled the slider to Safer and back to Safest to erase the list, and dumped the DB again (“cleansqlite.txt”). I then copied the clean storage-sync.sqlite to my whonix-ws-15 template and put it in /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default. Starting DispVMs now has an empty list, because Noscript doesn’t think it is doing a first start.

To automate this, we could dump a clean storage-sync.sqlite blob into master, but that would be irritating to maintain and audit. Would it be too much bloat to create that .sqlite on the fly at startup, using the statements from the “clean” file minus the https-everywhere-eff lines? That plugin should be able to initialize itself. The remaining statements may need occasional updates for new versions of Firefox or Noscript, but their internal upgrade logic should be able to interpret old data until the version difference gets too large.

Looks like it will only let me upload pictures here, not .txt. Should we take it to an issue?

Here are the relevant “default” lines anyways:

INSERT INTO collection_data VALUES('default/{73a6fe31-595d-460b-a920-fcc0f8843232}','key-policy','{"id":"key-policy","key":"policy","data":{"DEFAULT":{"capabilities":["frame","fetch","other"],"temp":false},"TRUSTED":{"capabilities":["script","object","media","frame","font","webgl","fetch","other"],"temp":false},"UNTRUSTED":{"capabilities":[],"temp":false},"sites":{"trusted":["§:addons.mozilla.org","§:afx.ms","§:ajax.aspnetcdn.com","§:ajax.googleapis.com","§:bootstrapcdn.com","§:code.jquery.com","§:firstdata.com","§:firstdata.lv","§:gfx.ms","§:google.com","§:googlevideo.com","§:gstatic.com","§:hotmail.com","§:live.com","§:live.net","§:maps.googleapis.com","§:mozilla.net","§:netflix.com","§:nflxext.com","§:nflximg.com","§:nflxvideo.net","§:noscript.net","§:outlook.com","§:passport.com","§:passport.net","§:passportimages.com","§:paypal.com","§:paypalobjects.com","§:securecode.com","§:securesuite.net","§:sfx.ms","§:tinymce.cachefly.net","§:wlxrs.com","§:yahoo.com","§:yahooapis.com","§:yimg.com","§:youtube.com","§:ytimg.com"],"untrusted":[],"custom":{}},"enforced":true,"autoAllowTop":false},"_status":"created"}');

And “clean”:

INSERT INTO collection_data VALUES('default/{73a6fe31-595d-460b-a920-fcc0f8843232}','key-sync','{"id":"key-sync","key":"sync","data":{"global":false,"xss":true,"cascadeRestrictions":true,"overrideTorBrowserPolicy":false,"clearclick":true,"storage":"sync"},"_status":"created"}');
INSERT INTO collection_data VALUES('default/{73a6fe31-595d-460b-a920-fcc0f8843232}','key-policy','{"id":"key-policy","key":"policy","data":{"DEFAULT":{"capabilities":["frame","other"],"temp":false},"TRUSTED":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"UNTRUSTED":{"capabilities":["frame"],"temp":false},"sites":{"trusted":[],"untrusted":[],"custom":{}},"enforced":true,"autoAllowTop":false},"_status":"created"}');
1 Like

Too much inside browser modification. At least for now.

First of all, we need to get to the root of the issue.

Need to reproduce this on Debian and then reply to https://trac.torproject.org/projects/tor/ticket/31798#comment:2

Meanwhile it would be helpful to understand why those issues only happen in Whonix so far and get some steps to reproduce.

The reason is we can’t pile up more and more workarounds without even reporting the root causes to upstream.

1 Like

Having a more durable way to ask Noscript to first start cleanly would be nice.

I’m trying to reproduce in Debian 10. How did you bypass the connection wizard that comes up from torbrowser-launcher? I thought creating a torrc in the right place would do it.

1 Like




Some progress with reproduction on Debian was made:


1 Like

Fixed in git.

Well, not really fixed since problematic code https://trac.torproject.org/projects/tor/ticket/31798 still exists in noscript and Tor Browser but put a band-aid on top so this race condition is no longer happening.

Now in Whonix developers repository. Will test more and migrate to other repositories soonish.

We don’t really understand the race condition yet either.

Somehow this isn’t an issue for SecBrowser even with local browser homepage.

Some combination of environment variables might be causing this.

Might be because I was testing with alpha version 9.0a6. So this might fix itself over time.

so this race condition is no longer happening



I might be missing something in the reproduction steps, but shouldn’t there be something in there about setting the security slider to safest?

1 Like

Not forgotten. It has nothing to do with it.

Well, maybe there is another bug, an additional race condition where Tor Browser starts without noscript whitelist and then moving the security slider causes enabling the noscript security slider whitelist.

Thanks, I think I get it now. Had the impression that default whitelist was supposed to be there if Tor Browser was started with the slider on Standard.

I submitted https://github.com/hackademix/noscript/issues/102 which rephrased the Noscript request a bit.

1 Like

Problem is unfortunately not fixed in the DispVM context if NoScript updates are available. To test:

  1. Launch Tor Browser in DispVM.
  2. Set security slider to safest with Whonix tool prompt.
  3. Update add-ons that are available.
  4. Check NoScript preferences and note that 30+ sites are set in the NoScript whitelist following update, despite security slider set to ‘Safest’

Only way to fix this is to play with the slider again after add-on updates i.e. set to Standard, and then set it back to Safest -> whitelisted sites are gone.

1 Like

It’s “fixed” in the alpha version of Tor Browser 9.5a2. Doesn’t happen there anymore. Probably since the race condition doesn’t happen there anymore.

Choosing yes or no there may not have any influence.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]