[tbb-bugs] #30115 [Applications/Tor Browser]: NoScript's XSS popup breaks circuit display in some cases

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 12 19:31:19 UTC 2019

#30115: NoScript's XSS popup breaks circuit display in some cases
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-torbutton, tbb-circuit-display,  |  Actual Points:
  TorBrowserTeam201904                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by acat):

 patch: https://github.com/acatarineu/torbutton/commit/30115

 The problem seems to be common to #27749 and #25145, these should also be
 fixed with the patch. Currently we keep a mapping of
 gBrowser.selectedBrowser -> socks credentials for the circuit display,
 populated when there is a request. This fails for cases when the browser
 "moves" to a different location but there is no request, which I think is
 the case here and in the other bugs above. In this case, upon successful
 login there are several HTTP redirects, one of which triggers the XSS
 popup and is blocked.

 The suggested fix keeps a mapping of domain -> socks credentials instead.
 I have seen #16936, which I think aims for a different approach, but not
 sure why.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30115#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list