[tor-talk] Self-deleting scripts in http connections

[Jonathan Marquardt]

On Fri, Dec 02, 2016 at 08:47:11PM -0800, Rythyrix wrote:
> Greetings, all.
> 
> Recently, as I was browsing over to coppersurfer dot tk , I on a whim opened
> up Firefox's Element Inspector (right click -> Inspect Element (Q)) .
> Imagine my surprise when I find a script before the title tag. (see pastebin
> HNqsDsq2 for sourcedump).
> 
> Given that I have NoScript, I needed to test it. Restarting with addons
> disabled made the script not appear by the time I managed to open the
> Element Inspector again. Given that Tor is based on Firefox, the ability for
> a site to remotely delete a script from a client browser is worrying. Is
> anyone willing to double check that this happens to more than just myself?
> 
> A concerned netizen.
> 
> (I don't want to post hyperlinks, lack of accidental clicks that way.)

There wasn't really anything remotely deleted here. You just reloaded the page 
and the script was not sent again, right?

What's far more worrying however, is that the code you put on Pastebin doesn't 
look like it belongs on this webpage. To me it looks like some code to track 
your geolocation. Either the website itself or the Tor exit node (or perhaps 
even some other attacker in the middle) tried to inject some code here, I 
guess. When you restarted Tor Browser, you probably got a new curcuit for the 
site and thus a new exit node.

Perhaps it's a good idea, to not disable the add-ons which are supposed to 
protect you from malicous JavaScript code, if you just ran into some malicous 
JavaScript code.

You don't just by a chance know, which exit node you used for that site when 
you got the code, do you?