>> "Can you trust [NoScript] without the code review? Is anyone going to audit it,
>> or continue assuming it's OK for anonymity?"
>
> Whoever told you that is spreading false information.
>
> The NoScript extension contains the source code. You just need to unzip it.
> The whole source code is publicly available in every XPI.

You introduced the "Red Herring" fallacy. The original subject here is the lack of a security review, not the lack of published source code.

There is a big difference. One can download and look at the code all day long and still miss something like an allowance for a certain dynamic encrypted advertisement/backdoor frame. Or something like this: https://adblockplus.org/blog/attention-noscript-users
https://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community

A couple of years ago or so, one of the Tor developers replied in this blog that NoScript has not been audited due to lack of resources / low priority / whatever.

Unless already being done, a regular security audit of NoScript code is still needed.
