Backstory:
I became suspicious about the path NoScript is taking when devs decided that users are not allowed to block JS on addons.mozilla.org anymore.
I did not care much because I'm using Third-Party Request Blocker which not only lets you block JS but also incorporates the functionality of the great but sadly abandoned RequestPolicy addon, as well as some neat options like automatic redirect to archive.org in case the user encounters a CloudFlare-encumbered website.
However, I just noticed that Tor Browser doesn't allow you to disable/remove NoScript anymore.
Being a skilled
conspiracy expert, this strongly rustled my jimmies.
Why the fuck are we forced to give a monopoly position to this useless piece of shit addon?
Well,
maybe because addons are a
great way to inject JavaScript and potentially use one of a gazillion JS engine vulnerabilities to expose the user's clearnet IP.
https://www.invicti.com/blog/web-security/noscript-vulnerability-tor-browser/Let's not forget that TBB devs once before joined forces with the FBI and changed NoScript settings to allow all scripts by default so thousands of people using legit non-pedo services like TorMail could get hacked and identified using a JS exploit:
https://www.wired.com/2013/09/freedom-hosting-fbi/So, what do?
Easy-peasy, I'll just find the extension and remove the file, right?
Wrong, as Tor Browser automatically reinstalls NoScript on startup. It seems (((someone))) has a strong interest to keep this addon around.
<How to actually remove NoScript:Overwrite the file and remove write permissions:
cd tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/extensions
grep -R -i noscript
grep: {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi: binary file matches
echo -n '' > "{73a..."
chmod ugo-rw "{73a..."…and hope they don't change permissions back at some point -.-
<Please note that shitty NoScript is still better than shitty JavaScript, so make sure you continue to block scripts.