[tor-bugs] #30115 [Applications/Tor Browser]: NoScript's XSS popup breaks circuit display in some cases
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Apr 12 19:31:19 UTC 2019
#30115: NoScript's XSS popup breaks circuit display in some cases
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tbb-
| team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-torbutton, tbb-circuit-display, | Actual Points:
TorBrowserTeam201904 |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by acat):
patch: https://github.com/acatarineu/torbutton/commit/30115
The problem seems to be common to #27749 and #25145, these should also be
fixed with the patch. Currently we keep a mapping of
gBrowser.selectedBrowser -> socks credentials for the circuit display,
populated when there is a request. This fails for cases when the browser
"moves" to a different location but there is no request, which I think is
the case here and in the other bugs above. In this case, upon successful
login there are several HTTP redirects, one of which triggers the XSS
popup and is blocked.
The suggested fix keeps a mapping of domain -> socks credentials instead.
I have seen #16936, which I think aims for a different approach, but not
sure why.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30115#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list