[tor-bugs] #29646 [Applications/Tor Browser]: NoScript XSS user choices are persisted

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jun 19 15:03:14 UTC 2019


#29646: NoScript XSS user choices are persisted
-------------------------------------------------+-------------------------
 Reporter:  atac                                 |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-disk-leak xss noscript tbb-      |  Actual Points:
  newnym ux-team                                 |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by antonela):

 The best approach is the one which balances XSS warnings and usability. I
 have concerns about how users interact with the XSS warning screen. So,
 having another option available there will not solve this problem for the
 masses nor allow users to pick the safest option for them.

 That said, if Tor Browser can keep that option across sessions, it will
 improve the overall experience for recurrent users visiting a website
 recurrently. Let's say I'm a user visiting foo.com and I got an XSS
 warning; I'm blocking requests because I want to be safe and I continue
 browsing in a half-loaded website. Maybe I can deal with that breakage
 but be safe enough. That is the current Tor Browser users' experience so
 far.

 As a damage reduction, having the option persistent per-session (block or
 allow) seems the best balance between risk and usability. If a user wants
 a website loading correctly (or chooses to allow, say by accident :), and
 we have concerns about leaking, that will happen just in the current
 session.

 You may argue that this is not strictly related to security, but on the
 users' end it is. Maybe it fits into something to consider for our security
 settings, where we should holistically balance security and usability
 across levels.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29646#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
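The "persistent per-session" option discussed in the comment above, modelled as an added example (this is not NoScript or Tor Browser code; the class name XssChoiceStore, the methods remember/lookup/newIdentity and the demo function are hypothetical). The store keeps the user's block/allow decision for a source-origin to destination-origin pair in memory only, so a repeat visit within the session is not re-prompted, while New Identity or exit clears it. The originsRevealedIfPersisted helper makes the disk-leak concern concrete: whatever a persisted variant wrote to disk would be a list of origins the user visited.

```javascript
// Added example, not NoScript or Tor Browser code. Models a per-session
// store for XSS-filter choices keyed by (source origin -> destination origin).
// All names here are hypothetical illustrations of the design trade-off.

class XssChoiceStore {
  constructor() {
    // Memory only: nothing here is ever serialised to disk, so the record of
    // visited origins cannot outlive the browsing session.
    this.choices = new Map();
  }

  static key(sourceOrigin, destOrigin) {
    return `${sourceOrigin} -> ${destOrigin}`;
  }

  // Record the user's decision on the XSS warning for this origin pair.
  remember(sourceOrigin, destOrigin, decision) {
    if (decision !== "block" && decision !== "allow") {
      throw new Error(`unknown decision: ${decision}`);
    }
    this.choices.set(XssChoiceStore.key(sourceOrigin, destOrigin), decision);
  }

  // Returns "block", "allow", or null when the user has to be asked again.
  lookup(sourceOrigin, destOrigin) {
    const k = XssChoiceStore.key(sourceOrigin, destOrigin);
    return this.choices.has(k) ? this.choices.get(k) : null;
  }

  // New Identity / browser exit: forget every choice, including an "allow"
  // that was clicked by accident, so its effect is bounded to this session.
  newIdentity() {
    this.choices.clear();
  }

  // What a persisted-to-disk variant would leave behind: the origin pairs,
  // i.e. a record of which sites the user visited (the disk-leak concern).
  originsRevealedIfPersisted() {
    return Array.from(this.choices.keys());
  }
}

// Walk through the scenario from the comment: block on foo.com, keep
// browsing, then New Identity. Returns the observations for checking.
function demo() {
  const store = new XssChoiceStore();
  // Constructed sample origins.
  store.remember("https://foo.com", "https://cdn.example", "block");
  const first = store.lookup("https://foo.com", "https://cdn.example"); // "block"
  const revealed = store.originsRevealedIfPersisted().length;           // 1
  store.newIdentity();
  const after = store.lookup("https://foo.com", "https://cdn.example"); // null
  return { first, revealed, after };
}

module.exports = { XssChoiceStore, demo };
```

Run with `node` and call `demo()`; the second lookup returns null, which is the point of session scope: a repeat visit is not re-prompted until the user chooses New Identity, and nothing about foo.com is written anywhere.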

