[tor-bugs] #26847 [Applications/Tor Browser]: Tor Browser 8.0, noscript pops up a full-browser-size window to warn me about x-site scripting (was: Tor Browser 8a, noscript pops up a full-browser-size window to warn me about x-site scripting)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 7 18:18:51 UTC 2018
#26847: Tor Browser 8.0, noscript pops up a full-browser-size window to warn me
about x-site scripting
-------------------------------------------------+-------------------------
Reporter: arma | Owner: tbb-
| team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-8.0-issues, tbb-regression, | Actual Points:
noscript |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Old description:
> When I go to certain sites in the Tor Browser 8 alpha, I get a new window
> popping up, which is the same size as my current browser window, which
> looks like it comes from noscript. It says "NoScript XSS Warning" at the
> top, and the window title is moz-extension://4536b558-.... NoScript XSS
> Warning", and there's a bit of text towards the top that says
> {{{
>
> NoScript detected a potential Cross-Site Scripting attack
>
> from http://www.espn.com to https://8397396.fls.doubleclick.net.
>
> Suspicious data:
>
> (URL)
> https://8397396.fls.doubleclick.net/activityi;src=8397396;type=espng0;cat=espna0;u1=http://www.espn.com/mlb/story/_/id/24116616
> /mlb-bryce-harper-brings-house-epic-derby-
> comeback;u2=[s.products];u3=[c.promocode];u4=[payment
> method];u5=[c.SWID];u6=[c.UNID];u7=[c.NavMethod];u8=[Trial/Monthly/Annual];dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;ord=9016327828417.457?
> }}}
>
> and towards the bottom I have the options to block, always block, allow,
> always allow, and then an ok button.
>
> The example url in this case was
> http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-
> house-epic-derby-comeback
>
> (I've noticed the behavior happens pretty consistently with espn urls.)
>
> I'm not sure quite what behavior I would expect instead, but "making a
> new huge window that's mostly whitespace and that prevents me from doing
> anything on any tab until I've made the window go away" was not it. :)
New description:
When I go to certain sites in the Tor Browser 8.0, I get a new window
popping up, which is the same size as my current browser window, which
looks like it comes from noscript. It says "NoScript XSS Warning" at the
top, and the window title is moz-extension://4536b558-.... NoScript XSS
Warning", and there's a bit of text towards the top that says
{{{
NoScript detected a potential Cross-Site Scripting attack
from http://www.espn.com to https://8397396.fls.doubleclick.net.
Suspicious data:
(URL)
https://8397396.fls.doubleclick.net/activityi;src=8397396;type=espng0;cat=espna0;u1=http://www.espn.com/mlb/story/_/id/24116616
/mlb-bryce-harper-brings-house-epic-derby-
comeback;u2=[s.products];u3=[c.promocode];u4=[payment
method];u5=[c.SWID];u6=[c.UNID];u7=[c.NavMethod];u8=[Trial/Monthly/Annual];dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;ord=9016327828417.457?
}}}
and towards the bottom I have the options to block, always block, allow,
always allow, and then an ok button.
The example url in this case was
http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-house-
epic-derby-comeback
(I've noticed the behavior happens pretty consistently with espn urls.)
I'm not sure quite what behavior I would expect instead, but "making a new
huge window that's mostly whitespace and that prevents me from doing
anything on any tab until I've made the window go away" was not it. :)
--
Comment (by arma):
This just happened to me on Tor Browser 8.0, so I am updating the title /
description to indicate that it's not just an alpha thing.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26847#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list