What are NoScript's default settings in Tor Browser 12 (2024)?
Executive summary
Tor Browser 12 in 2024 ships with the NoScript extension installed and active but configured so that script blocking is not turned on by default — JavaScript and most common web content types are allowed to run unless the user raises the browser’s Security Level or changes NoScript’s settings (Tor Project documentation and community reporting) [1] [2]. Tor’s design choice favors usability and a uniform fingerprint over maximizing out‑of‑the‑box script blocking; per‑site exceptions are possible but are intentionally non‑persistent by default to reduce fingerprinting risks [1] [3].
1. NoScript is present and active, but “blocking” is off by default
Every official Tor Browser release around the 12.x timeframe includes NoScript as a bundled extension that is active in the browser build, yet Tor’s maintainers configure NoScript to allow scripts by default so that the majority of websites continue to function without manual intervention (Tor documentation explicitly says NoScript is included and that the project configures it to allow JavaScript by default) [1] [2].
2. “Allow JavaScript by default” — why usability beats maximal default hardening
The Tor Project intentionally enables JavaScript by default in the stock Tor Browser because disabling it breaks many sites and would push users to alter settings in ways that increase fingerprinting variability; the project therefore prioritizes a sensible default that preserves functionality while offering a Security Level slider and NoScript controls for users who need tighter protections [1] [2].
3. Security slider and “Safest/Safer” modes change NoScript behavior
Tor Browser’s built‑in Security Level controls interact with NoScript: choosing “Safer” or “Safest” alters script execution rules. The “Safer” level disables JavaScript on non‑HTTPS sites and “Safest” disables it on all sites; earlier release notes indicate that the highest setting disables JavaScript entirely for the browser session [1] [4] [5].
4. Per‑site permissions exist but are deliberately ephemeral by default
Users can grant or revoke per‑site script permissions with the NoScript UI, but Tor’s default configuration intentionally prevents per‑site customizations from persisting across sessions unless users explicitly enable persistence. This is done to avoid building a recognizable pattern of site allowances that would act like a persistent identifier (Tor community reporting and Whonix/Tor commentary note a preference for non‑persistence and a disabled persistence preference by default) [3] [6].
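The fingerprinting argument above can be put in numbers. The following is an added example, not Tor Project or NoScript code: it compares how distinguishable a population of browsers is at the start of a session with and without persisted per-site rules. The site names and the eight-user population are constructed, and treating a browser's set of allowances as directly observable is a simplifying assumption.

```python
import math
from collections import Counter

def observed_at_session_start(saved_rules, persist):
    """Per-site allowances each browser presents when a new session begins.

    persist=False models the default described above (rules are dropped);
    persist=True models a user who switched persistence on.
    """
    return [frozenset(r) if persist else frozenset() for r in saved_rules]

def config_stats(profiles):
    """Return (entropy_bits, unique_fraction, smallest_anonymity_set)."""
    counts = Counter(profiles)
    total = len(profiles)
    # Shannon entropy of the configuration distribution across the population.
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    # Share of users whose configuration nobody else has.
    unique = sum(1 for c in counts.values() if c == 1) / total
    return max(0.0, entropy), unique, min(counts.values())

# Constructed population: sites on which eight users allowed scripts.
SAVED_RULES = [
    set(), set(),
    {"news.example"}, {"news.example"},
    {"news.example", "mail.example"},
    {"mail.example"},
    {"news.example", "forum.example"},
    {"mail.example", "forum.example"},
]

def compare():
    """Stats for the same users under non-persistent and persistent rules."""
    default = config_stats(observed_at_session_start(SAVED_RULES, persist=False))
    persistent = config_stats(observed_at_session_start(SAVED_RULES, persist=True))
    return default, persistent

if __name__ == "__main__":
    labels = ("non-persistent", "persistent")
    for label, (bits, unique, smallest) in zip(labels, compare()):
        print(f"{label:15s} entropy={bits:.2f} bits  "
              f"unique={unique:.0%}  smallest set={smallest}")
```

With non-persistent rules every browser starts the session in the same state, so the configuration carries no identifying information; with persistence on, half of this constructed population is alone in its anonymity set.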
5. The underlying default “allowed content” list — what NoScript usually permits
Community troubleshooting and Stack Exchange posts from Tor users report that, in some NoScript versions bundled with Tor Browser, the default internal allowlist includes a broad set of content categories (script, object, media, frame, font, webgl, fetch and others) unless NoScript’s defaults are overridden; these observations reflect how NoScript’s internal toggles are typically set in Tor’s packaged builds, though exact labels and groupings can vary by NoScript version [6].
6. Tension between anonymity goals and practical web compatibility
The Tor Project’s explicit rationale — documented in the Tor Browser manual and reiterated in forum discourse — is that forcing strict script blocking by default would push users into individualized configurations or alternative browsers, both of which can worsen overall anonymity by increasing fingerprint entropy; critics argue that enabling scripts increases exposure to remote exploitability, while Tor developers answer that sandboxing, network‑level mitigations, and the security slider are the correct compromise [1] [2] [4].
7. Practical implications for a user who wants strict defaults
Anyone demanding stricter default script blocking must either manually change the Security Level to “Safer/Safest,” flip NoScript’s options to override the Tor preset, or enable persistence for per‑site rules — each action carries tradeoffs between anonymity, usability, and the risk of making the browser’s behavior more unique (forum guidance and Stack Exchange posts describe the override paths and the privacy tradeoffs) [6] [3] [5].