I have solved many problems with javascript based websites by disabling the "apply these settings to whitelisted sites" and "cascade permissions to whitelisted sub-sites". That has worked for me in all situations
On 3 February 2016 at 10:23, < bm-2ctpsbetk5rpf8a9ymciudmax61kzvz...@bitmessage.ch> wrote: > I'm embarrassed I didn't notice the JavaScript explanation in the FAQ's. > Also thank you for the info on the ARS Technica points. > > I have noticed in looking at a few more secure email services that they > either have access without JavaScript enabled but don't have built in > encryption, or the reverse, encryption provided but access only with Java > Script enabled. If you are aware of a service with both attributes it > would be interesting to check it out. > > Thank you for your very clear explanation Roger, it was very helpful. > > > On Tue, Feb 02, 2016 at 05:44:00AM -0800, > > bm-2ctpsbetk5rpf8a9ymciudmax61kzvz...@bitmessage.ch wrote: > >> I am sorry to ask such a basic question but I am confused by > >> whether I should have the Tor browser set to; > >> a. Temporary allow this page > >> b. Revoke Temporary Permissions > >> c. allow scripts globally > > > > It defaults to 'c', because otherwise many users would find websites > > broken and not understand what's going on: > > https://www.torproject.org/docs/faq#TBBJavaScriptEnabled > > > >> Today I perhaps made the error of changing the setting to revoke > >> temporary > >> permissions, but after I did this an encrypted email website I just > >> began > >> to use stated that it would not allow access because JavaScript needed > >> to > >> be > >> enabled. > >> > >> After changing the setting to "Temporary allow this page" then I could > >> again access email in one encrypted email service. However now I can no > >> longer access another encrypted email service (an impressive one)which > >> has > >> been working perfectly for me for weeks. > >> > >> So please inform me which setting I should be using. (Or alternatively > >> I > >> could delete the Tor browser and just install it again to see the > >> initial > >> setting) > > > > It sounds like you've figured out how NoScript works. It is indeed a > > bit safer to leave JS disabled globally, and enable it site-by-site when > > you find that you need it. If you're comfortable doing it that way, go > > for it -- it will be a bit safer than leaving everything enabled. > > > > I say "a bit safer" because, while reducing surface area for complex > > things like JavaScript is good, there are many other parts of the browser > > that are complex too. This is an area with quite some controversy over > > the past years, since several attacks from the FBI have used JavaScript > > vulnerabilities, and "they could have used other attacks" and "but they > > *did* use this attack" are both valid points. (If you want to be one of > > the users who disables JavaScript entirely, and then ends up even > > angrier at Cloudflare, this is a legitimate choice too.) > > > >> Also, I thought it would be helpful to forward some important > >> information > >> I just encountered today. Please read the ARS Technica article at the > >> link below. I found this by way of a Reddit thread. > >> ... > >> > http://arstechnica.com/security/2016/02/default-settings-in-apache-may-decloak-tor-hidden-services/ > > > > Yes, this is a known thing. It's one of the reasons Micah wrote > > up the best practices list for onion service operators: > > > https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices > > > > --Roger > > > > -- > > tor-talk mailing list - tor-talk@lists.torproject.org > > To unsubscribe or change other settings go to > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > > > > > > -- > tor-talk mailing list - tor-talk@lists.torproject.org > To unsubscribe or change other settings go to > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
