[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #30115 [Applications/Tor Browser]: NoScript's XSS popup breaks circuit display in some cases
#30115: NoScript's XSS popup breaks circuit display in some cases
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tbb-
| team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-torbutton, tbb-circuit-display, | Actual Points:
TorBrowserTeam201904 |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by acat):
patch: https://github.com/acatarineu/torbutton/commit/30115
The problem seems to be common to #27749 and #25145, these should also be
fixed with the patch. Currently we keep a mapping of
gBrowser.selectedBrowser -> socks credentials for the circuit display,
populated when there is a request. This fails for cases when the browser
"moves" to a different location but there is no request, which I think is
the case here and in the other bugs above. In this case, upon successful
login there are several HTTP redirects, one of which triggers the XSS
popup and is blocked.
The suggested fix keeps a mapping of domain -> socks credentials instead.
I have seen #16936, which I think aims for a different approach, but not
sure why.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30115#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs