[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #29733 [Applications/Tor Browser]: Disable NoSript XSS protection for now due to bug 1532530



#29733: Disable NoSript XSS protection for now due to bug 1532530
--------------------------------------------+------------------------------
 Reporter:  gk                              |          Owner:  tbb-team
     Type:  defect                          |         Status:
                                            |  needs_information
 Priority:  Very High                       |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  noscript, TorBrowserTeam201903  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:
--------------------------------------------+------------------------------
Changes (by gk):

 * status:  new => needs_information


Comment:

 Replying to [comment:11 eloquence]:
 > > What if I provide an option to just disable XSS injection checks on
 POST parameters (which would prevent the requestBody listener from being
 registered), and possibly another option to ask user confirmation for POST
 requests from JavaScript-disabled sites to TRUSTED ones, in order to
 mitigate the loss of protection?
 >
 > What will the default behavior in Tor be if, say, the user is attempting
 to upload to SecureDrop with JavaScript disabled? Would they get a scary
 confirmation dialog? It would be really good to avoid scary confirmation
 messages that make the user think that there is a security issue, when
 there really is not.
 >
 > (I realize this is now a NoScript issue again, feel free to point me to
 a corresponding issue if that's a better place to discuss. :)

 Could you test whether the Tor Browser release candidate
 (https://people.torproject.org/~boklm/builds/8.0.7-build3/ has bundles) +
 the NoScript release candidate solve the issue for you?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29733#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs