[tor-bugs] #31680 [Applications/Tor Browser]: XSS warning pops up in case of timeout
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Sep 10 06:08:43 UTC 2019
#31680: XSS warning pops up in case of timeout
------------------------------------------+----------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
I increasingly see XSS warning popups showing up because of timeouts, which
is highly confusing. Clearly, timeouts are not really an indication of an
XSS issue. An example of how this looks is:
{{{
NoScript detected a potential Cross-Site Scripting attack
from https://www.zeit.de to https://dx6ctphzljkf1.cloudfront.net.
Suspicious data:
Error: Exceeded 20000ms timeout,(URL) https://dx6ctphzljkf1.cloudfront.net/iqdcdnkj/0a3b52795fef0905/index.html?clicktag=http://adclick.g.doubleclick.net/pcs/click%3Fxai%3DAKAOjsuHXc6Zwesb8f8FaSD7QQTqsyHbRHJNWVu3QNltNDaJ94NGlNH6WfODjTA6sloDprbdd1rxSjqWKdGOSolznaWuiKCcayJ4DmNlCF5OkavZ_eGS0Xkfao5UQJ-JwqhV_gAR_7tfsnUfu60yvzJ0iU4Z1D6Zkb6sjCl0_HQA22VBLWn-QSPhAgfMV614r-HBeMGma_lSkoiCPSy0kyKnCRL5tUnv1UmFqhpDBN4tMevUa2rZkJz6uo8knPiePTPGjelmuicueasP3g%26sai%3DAMfl-YR4Mk3FY_qymLNh3MZw4TEqprFJmYFBo9_kQIEByETK8t21mR91HHtY12pZU52d0EITutWjovVnNx6CvX-biT_ug2TurDhIiyL2djhlow%26sig%3DCg0ArKJSzIDezji-X-DkEAE%26urlfix%3D1%26adurl%3Dhttp://marktplatz.zeit.de/urlaubsziele/themen/lesenswertes/&
}}}
or
{{{
NoScript detected a potential Cross-Site Scripting attack
from https://www.zeit.de to https://s3.eu-central-1.amazonaws.com.
Suspicious data:
Error: Exceeded 20000ms timeout,(URL) https://s3.eu-central-1.amazonaws.com/iqdcdnea/10e4b7649324fb09/index.html?clicktag=https://adclick.g.doubleclick.net/pcs/click%3Fxai%3DAKAOjssAkvqdVAj8OVky5YyBIxfFhdSKOwG3PBSs1sGLVOkrTAbbR2gQhodz_fXydReP-sWxzXELTfAuQkQKvcolwGDPsya5J4nL-viX8VzJakyNC5yyVB4zTY8PRSHU_uCuiDOkZfyU6r6ldJAmjPb3o9AJI1JjbB2B6BwWdGEXimu89rpjgP9_7QWQve3pDYoPSYGZtAGvE2nIak17XVJyFo6fpatdx-JftpL6BZ3We12XcmWv8xi1WzanqCJH7xQaQImIkf2k5dsgSg%26sai%3DAMfl-YQQpqd7WwCqfy7nh3BpC3v5iOX8vRNIaR7zenwjOphvOa6S79W9pR_h16Vw99tViBvXlyo0AyCzyKJf9xzvxc43C-iGZHR6IQYihbL1eQ%26sig%3DCg0ArKJSzKFyrN2JPsBaEAE%26urlfix%3D1%26adurl%3Dhttps://jobs.zeit.de/campus/berufstest%3Fwt_zmc%3Ddis.int.zonpmr.hausbanner.boa-default.bot.wp.quan.x%26utm_medium%3Ddis%26utm_source%3Dhausbanner_zonpmr_int%26utm_campaign%3Dboa-default%26utm_content%3Dbot_wp_quan_x&iqdurl=https://www.zeit.de&iqdcid=138255462209&
}}}
That does not involve doing anything special, just reading news with a
9.0a6-ish Tor Browser.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31680>