Erik Moeller:
Dear TBB developers,
I wanted to make sure you've seen this issue regarding uploads and NoScript's "Sanitize cross-site suspicious requests" option:
https://bugzilla.mozilla.org/show_bug.cgi?id=1532530
https://github.com/hackademix/noscript/issues/64
https://github.com/freedomofpress/securedrop/issues/4078
https://github.com/micahflee/onionshare/issues/899
As far as we've been able to tell, this option, which is enabled by default and intended to guard against XSS attacks, is causing large uploads in non-JS upload forms to break intermittently. This may ultimately be due to a bug in Firefox itself (the first link).
The only reason the SecureDrop and OnionShare issues are closed is that we've implemented ugly workaround instructions for now, and NoScript considers it an upstream issue in Firefox.
Since this impacts Tor Browser users much more than Firefox users, perhaps some folks on this list may be able to help bring this to a resolution. In any case, I wanted to flag it to this group given the impact this issue is having.
Thanks for doing so. Would it be helpful if we just disabled the XSS protection in the coming release (it causes other issues like #29647 and we have a bug treating "allow/deny always" cases (#29646) properly, so the motivation to do so is kind of independent of your bug)?
Georg