
Re: [tor-bugs] #30115 [Applications/Tor Browser]: NoScript's XSS popup breaks circuit display in some cases



#30115: NoScript's XSS popup breaks circuit display in some cases
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-torbutton, tbb-circuit-display,  |  Actual Points:
  TorBrowserTeam201904                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by acat):

 patch: https://github.com/acatarineu/torbutton/commit/30115

 The problem seems to be common to #27749 and #25145, these should also be
 fixed with the patch. Currently we keep a mapping of
 gBrowser.selectedBrowser -> socks credentials for the circuit display,
 populated when there is a request. This fails for cases when the browser
 "moves" to a different location but there is no request, which I think is
 the case here and in the other bugs above. In this case, upon successful
 login there are several HTTP redirects, one of which triggers the XSS
 popup and is blocked.

 The suggested fix keeps a mapping of domain -> socks credentials instead.
 I have seen #16936, which I think aims for a different approach, but not
 sure why.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30115#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
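
Added example, not part of acat's comment and not torbutton code: a simplified model of the two lookup strategies the comment contrasts, showing how a browser-keyed map goes stale when the tab changes location without a request. The class names, the `currentDomain` field and the credential values are constructed for illustration.

```javascript
// Simplified model of the circuit-display lookup described in the comment.
// Everything here is hypothetical: names, fields and credential values.

// Approach the comment describes as current: browser -> SOCKS credentials,
// populated only when a request is observed for that browser.
class BrowserKeyedStore {
  constructor() { this.map = new Map(); }
  onRequest(browser, domain, creds) { this.map.set(browser, creds); }
  lookup(browser) { return this.map.get(browser); }
}

// Approach the comment suggests: domain -> SOCKS credentials, resolved
// from whatever domain the browser is showing at lookup time.
class DomainKeyedStore {
  constructor() { this.map = new Map(); }
  onRequest(browser, domain, creds) { this.map.set(domain, creds); }
  lookup(browser) { return this.map.get(browser.currentDomain); }
}

// Replays one constructed navigation sequence against a store and returns
// the credentials the circuit display would use at the end.
function simulate(store) {
  const tab = { currentDomain: null };
  const credsA = { username: "site-a.example", password: "nonce-1" };
  const credsB = { username: "site-b.example", password: "nonce-2" };

  // 1. Normal load of site-a: a request is observed.
  store.onRequest(tab, "site-a.example", credsA);
  tab.currentDomain = "site-a.example";

  // 2. Redirect to site-b: a request is observed.
  store.onRequest(tab, "site-b.example", credsB);
  tab.currentDomain = "site-b.example";

  // 3. The tab "moves" back to site-a, but no request is observed,
  //    so neither store is updated.
  tab.currentDomain = "site-a.example";

  return store.lookup(tab);
}

const stale = simulate(new BrowserKeyedStore());
const fresh = simulate(new DomainKeyedStore());
console.log("browser-keyed:", stale.username); // credentials of the last request
console.log("domain-keyed: ", fresh.username); // credentials of the shown domain
```

In this model the domain-keyed store returns `undefined` for a domain that never produced a request, so a display built on it still needs an explicit "no circuit information" state.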