[tbb-dev] Firefox/NoScript bug with major downstream effects

Georg Koppen gk at torproject.org
Thu Mar 7 07:16:00 UTC 2019


Erik Moeller:
> Dear TBB developers,
> 
> I wanted to make sure you've seen this issue regarding uploads and
> NoScript's "Sanitize cross-site suspicious requests" option:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1532530
> https://github.com/hackademix/noscript/issues/64
> https://github.com/freedomofpress/securedrop/issues/4078
> https://github.com/micahflee/onionshare/issues/899
> 
> As far as we've been able to tell, this option, which is enabled by
> default and intended to guard against XSS attacks, is causing large
> uploads in non-JS upload forms to break intermittently. This may
> ultimately be due to a bug in Firefox itself (the first link).
> 
> The only reason the SecureDrop and OnionShare issues are closed is that
> we've implemented ugly workaround instructions for now, and NoScript
> considers it an upstream issue in Firefox.
> 
> Since this impacts Tor browser users much more than Firefox users,
> perhaps some folks on this list may be able to help bring this to a
> resolution. In any case, I wanted to flag it to this group given the
> impact this issue is having.

Thanks for doing so. Would it be helpful if we just disabled the XSS
protection in the coming release (it causes other issues like #29647 and
we have a bug treating "allow/deny always" cases (#29646) properly, so
the motivation to do so is kind of independent of your bug)?

Georg
