[tor-bugs] #29733 [Applications/Tor Browser]: Disable NoSript XSS protection for now due to bug 1532530
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Mar 14 01:37:32 UTC 2019
#29733: Disable NoSript XSS protection for now due to bug 1532530
--------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: noscript, TorBrowserTeam201903 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------------+--------------------------
Comment (by ma1):
Here's the RC containing the work-around:
https://github.com/hackademix/noscript/releases/tag/10.2.2rc3
Replying to [comment:11 eloquence]:
> What will the default behavior in Tor be if, say, the user is attempting
to upload to SecureDrop with JavaScript disabled?
Nothing visible should happen.
> Would they get a scary confirmation dialog?
Not in your case, unless I'm missing something. Please let me know if I'm
wrong.
NoScript should show a (not so scary) confirmation dialog '''only for
cross-site requests''' with the destination '''enabled''' to run scripts
(since it replaces a more specific anti-'''cross-site-scripting'''
protection).
> (I realize this is now a NoScript issue again, feel free to point me to
a corresponding issue if that's a better place to discuss. :)
Here's the best place until Mozilla fixes
https://bugzilla.mozilla.org/show_bug.cgi?id=1532530 (which I hope they
will: today they assigned the bug to the proper developer).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29733#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list