[tbb-bugs] #29733 [Applications/Tor Browser]: Disable NoScript XSS protection for now due to bug 1532530

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Mar 21 08:16:44 UTC 2019


#29733: Disable NoScript XSS protection for now due to bug 1532530
--------------------------------------------+--------------------------
 Reporter:  gk                              |          Owner:  tbb-team
     Type:  defect                          |         Status:  closed
 Priority:  Very High                       |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:  fixed
 Keywords:  noscript, TorBrowserTeam201903  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:
--------------------------------------------+--------------------------
Changes (by gk):

 * status:  needs_information => closed
 * resolution:   => fixed


Comment:

 Replying to [comment:19 ma1]:
 > Replying to [comment:18 ma1]:
 > > Replying to [comment:17 gk]:
 > > > ma1: I tested 8.0.7 with 10.2.2 and realized that I am now seeing
 > > > for any search request typed in the URL bar a scary XSS warning popup.
 > > > That's very unfortunate as there is definitely no XSS involved if I type
 > > > my search queries into the URL bar. Could you please fix that?
 > >
 > > Fixed in
 > > [https://github.com/hackademix/noscript/releases/tag/10.2.3rc2 NoScript
 > > 10.2.3rc2].
 >
 > [https://github.com/hackademix/noscript/releases/tag/10.2.3 Now also in
 > 10.2.3], in case you've got some "ship stable releases only" policy.

 Yes, thanks for that. I bumped the NoScript version to the latest stable
 one in commits fe57b321785474679b6adadcf769eb08dde28f76 and
 37aa44ee2954bd99e9a53cf00cb4b474b86a07fb on `master` and in commit
 378de243109024a80e841bfa47efcca5d7a5c18f on `maint-8.0` in our
 `tor-browser-build` repo. It's a bit unfortunate that there are now many more
 false positive popups disrupting the user experience. So we'll need to
 monitor this and re-think enabling XSS protections if we come to the
 conclusion that enabling them outweighs the usability penalties. (#29647
 and above all #26847 come to mind here)

 Anyway, thanks Giorgio for the quick help!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29733#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

