[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #29733 [Applications/Tor Browser]: Disable NoSript XSS protection for now due to bug 1532530

To: undisclosed-recipients: ;
Subject: Re: [tor-bugs] #29733 [Applications/Tor Browser]: Disable NoSript XSS protection for now due to bug 1532530
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Mon, 11 Mar 2019 17:29:30 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 11 Mar 2019 13:29:42 -0400
In-reply-to: <042.f8762a36ee3864603ad8e37e2482149a@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <042.f8762a36ee3864603ad8e37e2482149a@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#29733: Disable NoSript XSS protection for now due to bug 1532530
---------------------------------------------+-----------------------------
 Reporter:  gk                               |          Owner:  tbb-team
     Type:  defect                           |         Status:
                                             |  needs_review
 Priority:  Very High                        |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  noscript, TorBrowserTeam201903R  |  Actual Points:
Parent ID:                                   |         Points:
 Reviewer:                                   |        Sponsor:
---------------------------------------------+-----------------------------

Comment (by ma1):

 For reference, the upstream Mozilla bug is
 https://bugzilla.mozilla.org/show_bug.cgi?id=1532530

 This seems exceedingly drastic as a work-around.
 What if I provide an option to just disable XSS injection checks on POST
 parameters (which would prevent the requestBody listener from being
 registered), and possibly another option to ask user confirmation for POST
 requests from JavaScript-disabled sites to TRUSTED ones, in order to
 mitigate the loss of protection?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29733#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #29733 [Applications/Tor Browser]: Disable NoSript XSS protection for now due to bug 1532530
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #29389 [Internal Services/Tor Sysadmin Team]: Set up VM for Prometheus
Next by Author: [tor-bugs] #29939 [Core Tor/Tor]: test_routerkeys: Coverity says, always check mkdir return values.
Previous by thread: Re: [tor-bugs] #29733 [Applications/Tor Browser]: Disable NoSript XSS protection for now due to bug 1532530
Next by thread: Re: [tor-bugs] #29733 [Applications/Tor Browser]: Disable NoSript XSS protection for now due to bug 1532530
Index(es):
- Author
- Thread