[tor-bugs] #29733 [Applications/Tor Browser]: Disable NoSript XSS protection for now due to bug 1532530
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Mar 11 17:29:30 UTC 2019
#29733: Disable NoSript XSS protection for now due to bug 1532530
---------------------------------------------+-----------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status:
| needs_review
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: noscript, TorBrowserTeam201903R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
---------------------------------------------+-----------------------------
Comment (by ma1):
For reference, the upstream Mozilla bug is
https://bugzilla.mozilla.org/show_bug.cgi?id=1532530
This seems exceedingly drastic as a work-around.
What if I provide an option to just disable XSS injection checks on POST
parameters (which would prevent the requestBody listener from being
registered), and possibly another option to ask user confirmation for POST
requests from JavaScript-disabled sites to TRUSTED ones, in order to
mitigate the loss of protection?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29733#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list