Why You Should Disable JavaScript on Tor

JavaScript is a major vector for exploits nowadays. It widens your attack surface significantly.

Consider that enabling JavaScript in your web browser is equivalent to automatically running whatever program a website sends you when you connect to it, and automatically running whatever programs and third-party resources send to you as well.

Though we don’t usually think of them this way, JavaScript scripts are programs. They are Turing-complete. In theory, they are also sandboxed. However, sandboxes are not perfect, and sometimes a vulnerability is discovered that allows an attacker to break out of a sandbox.

Modern JavaScript browser APIs are so complex that they can introduce vulnerabilities without anyone even realizing it. For example, the Spectre vulnerability that was discovered in almost every CPU recently was initially exploitable through JavaScript because browsers provided a high-precision timer API. Simply by allowing the running JavaScript to know the time accurately, an attack vector was opened that allowed any website to read anything open in your browser (including passwords).

You can disable JavaScript in Tor Browser by changing the security settings. On the Safer level, JavaScript is disabled on all non-HTTPS sites. This is important because non-HTTPS sites are not encrypted, and they can therefore be modified in transit. Anyone in between you and the server (including the Tor exit node) could modify and inject JavaScript on the page to do whatever they want.

On the Safest level, all JavaScript is disabled on all websites. This is definitely, as the name implies, the safest option. If you come across a website that breaks with JavaScript disabled, and you decide that you really need to use it (think about this carefully), you can always use NoScript to temporarily allow scripts on that website or tab only.

One thought on “Why You Should Disable JavaScript on Tor

Leave a Reply

Your email address will not be published. Required fields are marked *