[tor-bugs] #31680 [Applications/Tor Browser]: XSS warning pops up in case of timeout

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 10 06:08:43 UTC 2019


#31680: XSS warning pops up in case of timeout
------------------------------------------+----------------------
     Reporter:  gk                        |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 I increasingly see XSS warning popups showing up because of timeouts, which
 is highly confusing. Clearly, timeouts are not really an indication of an
 XSS issue. An example of how this looks is:
 {{{
 NoScript detected a potential Cross-Site Scripting attack

 from https://www.zeit.de to https://dx6ctphzljkf1.cloudfront.net.

 Suspicious data:

 Error: Exceeded 20000ms timeout,(URL) https://dx6ctphzljkf1.cloudfront.net/iqdcdnkj/0a3b52795fef0905/index.html?clicktag=http://adclick.g.doubleclick.net/pcs/click%3Fxai%3DAKAOjsuHXc6Zwesb8f8FaSD7QQTqsyHbRHJNWVu3QNltNDaJ94NGlNH6WfODjTA6sloDprbdd1rxSjqWKdGOSolznaWuiKCcayJ4DmNlCF5OkavZ_eGS0Xkfao5UQJ-JwqhV_gAR_7tfsnUfu60yvzJ0iU4Z1D6Zkb6sjCl0_HQA22VBLWn-QSPhAgfMV614r-HBeMGma_lSkoiCPSy0kyKnCRL5tUnv1UmFqhpDBN4tMevUa2rZkJz6uo8knPiePTPGjelmuicueasP3g%26sai%3DAMfl-YR4Mk3FY_qymLNh3MZw4TEqprFJmYFBo9_kQIEByETK8t21mR91HHtY12pZU52d0EITutWjovVnNx6CvX-biT_ug2TurDhIiyL2djhlow%26sig%3DCg0ArKJSzIDezji-X-DkEAE%26urlfix%3D1%26adurl%3Dhttp://marktplatz.zeit.de/urlaubsziele/themen/lesenswertes/&
 }}}
 or
 {{{
 NoScript detected a potential Cross-Site Scripting attack

 from https://www.zeit.de to https://s3.eu-central-1.amazonaws.com.

 Suspicious data:

 Error: Exceeded 20000ms timeout,(URL) https://s3.eu-central-1.amazonaws.com/iqdcdnea/10e4b7649324fb09/index.html?clicktag=https://adclick.g.doubleclick.net/pcs/click%3Fxai%3DAKAOjssAkvqdVAj8OVky5YyBIxfFhdSKOwG3PBSs1sGLVOkrTAbbR2gQhodz_fXydReP-sWxzXELTfAuQkQKvcolwGDPsya5J4nL-viX8VzJakyNC5yyVB4zTY8PRSHU_uCuiDOkZfyU6r6ldJAmjPb3o9AJI1JjbB2B6BwWdGEXimu89rpjgP9_7QWQve3pDYoPSYGZtAGvE2nIak17XVJyFo6fpatdx-JftpL6BZ3We12XcmWv8xi1WzanqCJH7xQaQImIkf2k5dsgSg%26sai%3DAMfl-YQQpqd7WwCqfy7nh3BpC3v5iOX8vRNIaR7zenwjOphvOa6S79W9pR_h16Vw99tViBvXlyo0AyCzyKJf9xzvxc43C-iGZHR6IQYihbL1eQ%26sig%3DCg0ArKJSzKFyrN2JPsBaEAE%26urlfix%3D1%26adurl%3Dhttps://jobs.zeit.de/campus/berufstest%3Fwt_zmc%3Ddis.int.zonpmr.hausbanner.boa-default.bot.wp.quan.x%26utm_medium%3Ddis%26utm_source%3Dhausbanner_zonpmr_int%26utm_campaign%3Dboa-default%26utm_content%3Dbot_wp_quan_x&iqdurl=https://www.zeit.de&iqdcid=138255462209&
 }}}
 That does not involve doing anything special, just reading news with a
 9.0a6-ish Tor Browser.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31680>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
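An added example, not code from the ticket, NoScript or Tor Browser, of how one could triage a batch of such warnings: it parses the warning text in the layout quoted in the ticket and separates reports whose "Suspicious data" is the filter's own `Error: Exceeded <N>ms timeout` message from reports that actually carry flagged request data. The message layout and the timeout-error prefix come from the ticket; the second sample warning and all function and class names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample 1: the first warning quoted in the ticket, with the long
# ad-tracking query string cut short since it is irrelevant to the point.
SAMPLE_TIMEOUT = """NoScript detected a potential Cross-Site Scripting attack

from https://www.zeit.de to https://dx6ctphzljkf1.cloudfront.net.

Suspicious data:

Error: Exceeded 20000ms timeout,(URL) https://dx6ctphzljkf1.cloudfront.net/iqdcdnkj/0a3b52795fef0905/index.html?clicktag=...
"""

# Constructed sample 2: a warning in the same layout whose suspicious data is
# ordinary request content, i.e. not a filter timeout (hostnames invented).
SAMPLE_FLAGGED = """NoScript detected a potential Cross-Site Scripting attack

from https://origin.example to https://target.example.

Suspicious data:

(POST) comment=hello
"""

# Matches the "from <origin> to <destination>." line; the trailing period is
# punctuation from the message, not part of the destination.
_FROM_TO = re.compile(r"^from (\S+) to (\S+?)\.?$", re.MULTILINE)
# Matches the filter's own timeout error, as seen in the ticket.
_TIMEOUT = re.compile(r"^Error: Exceeded (\d+)ms timeout")


@dataclass
class XssWarning:
    origin: str
    destination: str
    suspicious: str
    timeout_ms: Optional[int]  # set only when the data is a timeout error

    @property
    def is_filter_timeout(self) -> bool:
        return self.timeout_ms is not None


def parse_warning(text: str) -> XssWarning:
    """Parse one NoScript XSS warning in the layout quoted in the ticket."""
    m = _FROM_TO.search(text)
    if not m:
        raise ValueError("no 'from ... to ...' line found")
    origin, destination = m.groups()
    marker = "Suspicious data:"
    idx = text.find(marker)
    if idx < 0:
        raise ValueError("no 'Suspicious data:' section found")
    suspicious = text[idx + len(marker):].strip()
    t = _TIMEOUT.match(suspicious)
    timeout_ms = int(t.group(1)) if t else None
    return XssWarning(origin, destination, suspicious, timeout_ms)


def split_timeouts(texts):
    """Return (timeout_reports, flagged_reports) for a batch of warnings."""
    timeouts, flagged = [], []
    for text in texts:
        w = parse_warning(text)
        (timeouts if w.is_filter_timeout else flagged).append(w)
    return timeouts, flagged


if __name__ == "__main__":
    timeouts, flagged = split_timeouts([SAMPLE_TIMEOUT, SAMPLE_FLAGGED])
    for w in timeouts:
        print(f"filter timeout ({w.timeout_ms} ms): {w.origin} -> {w.destination}")
    for w in flagged:
        print(f"flagged data: {w.origin} -> {w.destination}: {w.suspicious}")
```

Run it on a directory of saved warning texts to see how many reports are timeout noise versus genuinely flagged data before deciding whether a warning deserves attention.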

