Opened 4 years ago

Closed 3 years ago

#16425 closed defect (duplicate)

Searching via Disconnect should show no XSS false positive warnings

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

https://blog.torproject.org/blog/tor-browser-452-released#comment-95374 describes a way to trigger NoScript's XSS warning reliably:

Whenever I search a term using the right click->"Search for *", it goes to the disconnect search page and NoScript gives error "NoScript filtered a potential cross-site scripting (XSS) attempt from [chrome]. Technical details have been logged ..."

This does not happen with other search engines, like the one Google provides.

Change History (2)

comment:1 Changed 4 years ago by reezer

A fix for this is to add a pattern like ^https://search.disconnect.me/[^"<>]+$ to NoScript (Advanced -> XSS). Maybe this could be in there by default?

The reason the others are not affected is that they are already in there.
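
An added example, not part of the ticket or of NoScript's own code: it checks which destination URLs the exception pattern from comment:1 would exempt from XSS filtering, next to a variant with the host dots escaped. It assumes the pattern is applied as a JavaScript regular expression to the full destination URL; the sample URLs, the escaped variant and the function names are constructed for illustration.

```javascript
// Pattern exactly as proposed in comment:1 (host dots left unescaped).
const PROPOSED = '^https://search.disconnect.me/[^"<>]+$';
// Stricter variant added for comparison: dots in the host name are literal.
const ESCAPED = '^https://search\\.disconnect\\.me/[^"<>]+$';

// Constructed sample destination URLs (not taken from the ticket).
const SAMPLES = [
  'https://search.disconnect.me/search?q=tor',         // ordinary search
  'https://search.disconnect.me/search?q="><script>',  // contains " < >
  'http://search.disconnect.me/search?q=tor',          // not https
  'https://search.disconnect.me/',                     // empty path
  'https://searchxdisconnect.me/search?q=tor',         // different host
  'https://search.disconnect.me.example/search?q=tor', // suffix host
];

// True when the URL matches the exception, i.e. the XSS filter is skipped.
// Assumption: the pattern is tested against the whole destination URL.
function isExempt(pattern, url) {
  return new RegExp(pattern).test(url);
}

// All sample URLs that a given exception pattern would exempt.
function exemptUrls(pattern, urls) {
  return urls.filter((url) => isExempt(pattern, url));
}

// URLs exempted by the loose pattern but still filtered under the strict one.
function extraExemptions(loose, strict, urls) {
  return urls.filter((u) => isExempt(loose, u) && !isExempt(strict, u));
}

for (const url of SAMPLES) {
  const a = isExempt(PROPOSED, url) ? 'exempt  ' : 'filtered';
  const b = isExempt(ESCAPED, url) ? 'exempt  ' : 'filtered';
  console.log(`proposed=${a} escaped=${b} ${url}`);
}
console.log('only exempt with unescaped dots:',
  extraExemptions(PROPOSED, ESCAPED, SAMPLES));
```

URLs containing `"`, `<` or `>` stay filtered under both patterns; the only difference is the lookalike host that the unescaped `.` lets through.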

comment:2 Changed 3 years ago by bugzilla

Resolution: duplicate
Severity: Normal
Status: new → closed

Closed as a duplicate of #13464.
