[tbb-bugs] #29646 [Applications/Tor Browser]: NoScript XSS user choices are persisted

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 6 08:12:59 UTC 2019


#29646: NoScript XSS user choices are persisted
-------------------------------------------------+-------------------------
 Reporter:  atac                                 |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-disk-leak xss noscriptm tbb-     |  Actual Points:
  newnym                                         |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * keywords:  tbb-disk-leak xss noscript => tbb-disk-leak xss noscriptm tbb-
     newnym


Comment:

 One could actually argue that it's exactly behaving as expected: You said
 *always*, now you get always (while just simply allowing/blocking would be
 session-wide (Or maybe it's bound to the domain? I have not checked)).

 That persists over New Identity, which is definitely a bug. But I am not
 sure what the best solution for the disk persistence would be. Just not
 offering those two options on the dialog? Or maybe we should just disable
 NoScript's XSS protections altogether given that it causes bugs like
 #29647 and #22362?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29646#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list