[tor-bugs] #29733 [Applications/Tor Browser]: Disable NoScript XSS protection for now due to bug 1532530

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Mar 15 00:43:03 UTC 2019


#29733: Disable NoScript XSS protection for now due to bug 1532530
--------------------------------------------+------------------------------
 Reporter:  gk                              |          Owner:  tbb-team
     Type:  defect                          |         Status:
                                            |  needs_information
 Priority:  Very High                       |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  noscript, TorBrowserTeam201903  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:
--------------------------------------------+------------------------------

Comment (by eloquence):

 Here's the procedure I followed:

 1) Per last comment on
 https://trac.torproject.org/projects/tor/ticket/29733 , downloaded 8.0.7b3
 from
 https://people.torproject.org/~boklm/builds/8.0.7-build3/tor-browser-linux64-8.0.7_en-US.tar.xz
 and ran it

 2) Removed shipped version of NoScript, activated debug mode, downloaded
 Source Code ZIP from
 https://github.com/hackademix/noscript/releases/tag/10.2.2rc3 , and loaded
 its `manifest.json` in debug mode

 3) Changed NoScript settings to these ones: "Sanitize cross-site
 suspicious requests": CHECKED, "Scan uploads for potential cross-site
 attacks": NOT CHECKED, "Ask confirmation for cross-site POST requests
 which could not be scanned": CHECKED

 4) Uploaded a 271M file through source interface of my local SecureDrop
 hardware instance.

 So far so good -- two test uploads succeeded, will do some more testing
 tomorrow. I'll flag this to the OnionShare folks in case they have time to
 do additional testing, as well.

 Thanks for all the help getting this issue resolved. Fingers crossed; will
 post another update after more tests.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29733#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

