How does Tor Browser manage JavaScript security by default?
Executive summary
Tor Browser leaves JavaScript enabled by default in its Standard security level to preserve usability for most users; NoScript is bundled but configured to allow scripts by default, and the security level setting (commonly called the Security Slider) disables JavaScript on non-HTTPS sites at Safer and on all sites at Safest [1] [2] [3]. Critics note this is a tradeoff: enabling JS widens the attack surface, past real-world exploits (e.g., the Freedom Hosting operation) illustrate the risk, and tools like the slider or NoScript only change behavior when they are used carefully [4] [5] [6].
1. Why Tor ships with JavaScript turned on: a pragmatic usability choice
The Tor Project’s stated position is pragmatic: most websites rely on JavaScript for basic functionality, and disabling it by default would make Tor unusable for typical users and therefore discourage adoption; for that reason NoScript is configured to allow JavaScript by default in Tor Browser’s Standard mode [1] [2] [7]. The project explicitly says it balances security and usability and chooses to “leave JavaScript enabled by default” so the majority of users do not abandon Tor because pages break [1].
2. How Tor technically manages JavaScript by default
Tor Browser bundles NoScript and other hardening measures but configures NoScript to permit scripts in the Standard security profile; the Security Slider exposes three levels (Standard, Safer, Safest) that change JavaScript behavior: Safer disables JS on non-HTTPS sites, Safest disables it on all sites, and users change the level via the shield icon or the browser settings [2] [3]. Documentation reiterates that Standard "allows all websites to run scripts," while the slider is the user-facing control to restrict them [2] [3].
3. The security tradeoffs: increased attack surface vs. fingerprint risk
Enabling JavaScript increases the browser's attack surface and has historically enabled deanonymization and exploitation (the Freedom Hosting FBI operation and other CVE-driven exploits are cited in community discussion), while disabling JS shrinks the surface scripts can probe for fingerprinting but breaks site functionality [4] [5] [8]. Tor's developers accept this risk for the wider user base; community sources argue advanced users might prefer disabling JS but warn that deviating from the defaults changes a browser's fingerprinting characteristics and can itself make a user more unique [5] [8].
4. How to harden JavaScript handling when your threat model requires it
The Tor documentation and support pages recommend using the Security Slider to increase protections: Safer disables JavaScript on non-HTTPS sites and Safest disables it for all sites, and the shield menu is the supported way to change the level [2] [3]. Community posts advise caution: altering defaults or adding extensions can create a distinctive fingerprint or undermine Tor Browser's guarantees, so the Tor Project discourages installing extra add-ons [2] [9].
5. Practical caveat: slider changes and the need to restart
Independent reporting flagged a practical flaw: security-level changes may not take full effect until a restart, meaning someone who flips from Standard to Safer mid-session could remain exposed to JS capabilities until they restart Tor Browser [6]. Privacy Guides demonstrated that some JS technologies intended to be disabled by Safer remained accessible until restart, and recommended always restarting after changing the slider [6].
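Sections 4 and 5 together describe a setting that is easy to flip and hard to confirm. The following is an added example, not code from the Tor Project or from Privacy Guides: a self-check page to host on an http:// and an https:// origin you control, plus a pure checker that compares what a script actually observed with what the documented level should permit. The JavaScript-on/off rule per level comes from the documentation cited above; the assumption that Safer and Safest also switch off WebAssembly is the author's own reading of Tor Browser's per-level preferences and should be confirmed against current docs before relying on it.

```javascript
// Added example (not Tor Project code): confirm that a Tor Browser security
// level is actually in effect on the current origin, which is the check the
// restart caveat above calls for.

const LEVELS = ['standard', 'safer', 'safest'];

// What the documented level should permit on a page served over `protocol`.
// JavaScript: Standard allows it everywhere, Safer only on https:, Safest nowhere.
function expectedFor(level, protocol) {
  if (!LEVELS.includes(level)) throw new Error(`unknown level: ${level}`);
  const https = protocol === 'https:';
  const javascript = level === 'standard' || (level === 'safer' && https);
  // ASSUMPTION: Safer and Safest also disable WebAssembly. Verify against
  // current Tor Browser documentation; adjust if the preference set differs.
  const webAssembly = level === 'standard';
  return { javascript, webAssembly };
}

// Inspect the page's global object. Kept DOM-free so it can be unit-tested
// with a constructed global instead of a real window.
function probeEnvironment(g) {
  const protocol = (g.location && g.location.protocol) || 'unknown:';
  return {
    protocol,
    webAssembly: typeof g.WebAssembly === 'object' && g.WebAssembly !== null,
  };
}

// `report` is what probeEnvironment returned, or null if the script never
// ran (only the <noscript> banner rendered). Returns a list of discrepancies;
// an empty list means the level appears to be applied on this origin.
function checkAgainstLevel(level, protocol, report) {
  const want = expectedFor(level, protocol);
  const problems = [];
  if (report === null) {
    if (want.javascript) {
      problems.push(`JavaScript blocked on ${protocol} but ${level} should allow it`);
    }
    return problems;
  }
  if (!want.javascript) {
    problems.push(`JavaScript executed on ${protocol} but ${level} should block it`);
  }
  if (report.webAssembly && !want.webAssembly) {
    problems.push(`WebAssembly still reachable under ${level}; restart Tor Browser and re-check`);
  }
  return problems;
}

// The self-check page. When scripting is blocked only the <noscript> banner
// shows; otherwise an inline copy of probeEnvironment writes its findings
// into the page so they can be compared with checkAgainstLevel's expectation.
function buildSelfCheckPage() {
  return `<!doctype html>
<meta charset="utf-8">
<title>Security level self-check</title>
<noscript><p id="blocked">JavaScript is blocked on this origin.</p></noscript>
<pre id="report">JavaScript ran; probing...</pre>
<script>
${probeEnvironment.toString()}
document.getElementById('report').textContent =
  JSON.stringify(probeEnvironment(window), null, 2);
</script>
`;
}
```

Usage: write `buildSelfCheckPage()` to a file, serve it from both an http:// and an https:// origin, load each in Tor Browser before and after changing the level, and feed what you see into `checkAgainstLevel`. A non-empty result on the https page at Safer (WebAssembly still present) is exactly the symptom the restart caveat describes; re-run after restarting the browser.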
6. Competing perspectives and implicit agendas
The Tor Project emphasizes broad adoption and user retention as its rationale for enabling JS by default — an implicit agenda of prioritizing usable anonymity for many users over maximal hardening [1] [2]. Security-savvy users, and some forum and Stack Exchange contributors, argue the project should be more conservative because nation-state actors can weaponize JS and zero-days; others counter that a broken user experience would reduce overall anonymity if people stop using Tor [5] [4] [9].
7. What sources do and don’t say — limits of available reporting
Available sources uniformly describe the default configuration (NoScript enabled but allowing JS; Standard = scripts allowed; slider to increase restrictions) and note the usability/security tradeoff [1] [2] [3]. Available sources do not mention specific current CVEs beyond historical references in community posts, and do not provide a definitive timeline of when every behavior changed; for operational details (e.g., exact NoScript configuration flags) consult Tor’s up-to-date docs or source code, which are not included in the provided set (not found in current reporting).
Bottom line: Tor Browser’s default is to permit JavaScript to preserve usability while offering user-accessible ways to disable it (Security Slider, NoScript). That design accepts increased attack surface as a tradeoff; users with high-risk threat models should set Safer/Safest, restart after changes, and be aware that customizing behavior can itself alter fingerprinting [1] [2] [6].