[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #29733 [Applications/Tor Browser]: Disable NoSript XSS protection for now due to bug 1532530
#29733: Disable NoSript XSS protection for now due to bug 1532530
---------------------------------------------+-----------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status:
| needs_review
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: noscript, TorBrowserTeam201903R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
---------------------------------------------+-----------------------------
Comment (by gk):
Replying to [comment:2 ma1]:
> For reference, the upstream Mozilla bug is
https://bugzilla.mozilla.org/show_bug.cgi?id=1532530
>
> This seems exceedingly drastic as a work-around.
Well, OnionShare and SecureDrop are important tools, especially for people
in dangerous situations. The risk here is that they mess up by not
understanding the workarounds done by others or using a different unsafe
tool altogether. We should avoid those failure cases.
> What if I provide an option to just disable XSS injection checks on POST
parameters (which would prevent the requestBody listener from being
registered), and possibly another option to ask user confirmation for POST
requests from JavaScript-disabled sites to TRUSTED ones, in order to
mitigate the loss of protection?
I think that would work for me (even though I admit that I was looking
forward to "solve" the XSS related freezes with the patch, too :) (see:
#29647 for details)) as long as it works for the SecureDrop/OnionShare
users.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29733#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs