On Tue, 23 Oct 2018 17:05:09 -0400 Steve Kinney <admin@pilobilus.net> wrote:
In every instance where security vs. end user arises convenience arises, TOR chooses convenience.
speaking of which, I just found another new 'feature' in the way their browser deals with javascript. If you visit foo.com and allow JS to run for that domain, it turns out that the browser actually runs ANY JS coming from 'third parties'. So if foo.com links to say cloudflare malware then cloudflare scripts are run as well. noscript has a setting in preferences/advanced/trusted to 'cascade' permissions and the default is off. So if you whitelist foo.com only scripts from foo.com run. Looks like the tor assholes changed it to on, and now when you visit foo.com you get to run any '3rd party' tracking garbage foo.com might use.