Default torbutton security slider to "Medium-High"
Originally created by @bdwong on #11417 (Redmine)
In #10481 (closed), a user requested that JS be off by default. The response was that enabling it was considered a middle ground between security and usability.
But with the existence of Tor exit-nodes which inject malicious JS into clear-text HTTP sessions, this is still a serious concern on non-HTTPS.
Torbutton’s “Medium-High” setting includes among other things disabling JS on non-HTTPS connections and disabling JS optimizations that could be attack vectors. This seems like an even better compromise towards security than making the default be “Low”. Current sites tend to use HTTPS-encryption and would not be affected by this setting.
Persisting the setting is a separate feature request in #9700. This request is related but not the same; this request is to change the non-persisted default.
Making this change should include some testing of popular websites. My testing shows that it does work very well today.
Related issues
- Related to #9700
- Has duplicate #11883 (closed)