1. 17

  2. 2

    Although I think that disabling JavaScript completely in Tor would be overkill, there is probably a middle ground that can be struck between full (Firefox-like) JavaScript features and completely turning it off – maybe a restricted mode of some sort?

    This would allow Tor to have some protection against JavaScript 0-days while still keeping Tor useful, since a large majority of the web relies on JS.

    1. 3

      Tor Browser has a “Security slider” feature which defaults to “Low”, which blocks some things (like canvas) to provide fingerprinting defenses; at Medium it disables the JS JIT, blocks web fonts, makes HTML5 video click-to-load and blocks JavaScript on non-HTTPS sites; and at High it disables JavaScript everywhere.

      Although the fact that people doing something very illegal, which usually results in long jail sentences, aren’t setting it to High makes me wonder how useful this is if people clearly don’t understand the threats.

      And it could probably block more things at Low; do SVG animations really need to be on by default? But then that same question could be applied to Firefox itself.

    2. 1

      How much Rust is in Firefox now? How long until we can feel safe using JS?

      1. 2

        Rust isn’t magically going to make JS safe. ;)