Re: [tor-bugs] #29733 [Applications/Tor Browser]: Disable NoScript XSS protection for now due to bug 1532530
#29733: Disable NoScript XSS protection for now due to bug 1532530
--------------------------------------------+------------------------------
 Reporter:  gk                              |          Owner:  tbb-team
     Type:  defect                          |         Status:  needs_information
 Priority:  Very High                       |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  noscript, TorBrowserTeam201903  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:
--------------------------------------------+------------------------------
Comment (by eloquence):
Here's the procedure I followed:
1) Per last comment on https://trac.torproject.org/projects/tor/ticket/29733 , downloaded 8.0.7b3 from https://people.torproject.org/~boklm/builds/8.0.7-build3/tor-browser-linux64-8.0.7_en-US.tar.xz and ran it
2) Removed shipped version of NoScript, activated debug mode, downloaded Source Code ZIP from https://github.com/hackademix/noscript/releases/tag/10.2.2rc3 , and loaded its `manifest.json` in debug mode
3) Changed NoScript settings to these ones: "Sanitize cross-site suspicious requests": CHECKED, "Scan uploads for potential cross-site attacks": NOT CHECKED, "Ask confirmation for cross-site POST requests which could not be scanned": CHECKED
4) Uploaded a 271M file through source interface of my local SecureDrop hardware instance.
So far so good -- two test uploads succeeded, will do some more testing
tomorrow. I'll flag this to the OnionShare folks in case they have time to
do additional testing, as well.
Thanks for all the help getting this issue resolved. Fingers crossed; will
post another update after more tests.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29733#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online