Search box with DuckDuckGo (and other search engines) is broken on security level High and Medium-High

It seems since the NoScript update to 2.9.5 searching with DuckDuckGo and other engines (like StartPage) is broken if the security slider is set to "Medium-High" or "High". NoScripts XSS filter starts interfering:

[NoScript XSS] Sanitized suspicious upload to [https://duckduckgo.com/html] from [[System Principal]]: transformed into a download-only GET request.

added TorBrowserTeam201611 component::applications/tor browser owner::tbb-team priority::medium resolution::fixed severity::normal status::closed tbb-usability type::defect labels

You could set an XSS Exception in Noscript like

^https://www\.startpage\.com/do/search
^https?://[^/]+\.startpage\.com/do/search
^https://startpage\.com/do/dsearch
^https://startpage\.com/rto/search
^https://duckduckgo\.com/html
^http://3g2upl4pq6kufc4m\.onion/html

www.startpage.com -> is necessary for the search on the actual website, somehow that's broken too.

update: ^https?://[^/]+\.startpage\.com/do/search for second,... page search results

We're investigating this here:

https://forums.informaction.com/viewtopic.php?f=7&t=22296

BTW, does the Tor Browser have its own customized mandatory whitelist? If so, you should add [System+Principal] (yes, with the "+" instead of " "), which is in NoScript's default and should fix half of the cases.

The other half affects Gecko < 52 and we're looking for a work-around.

Replying to ma1:

We're investigating this here:

https://forums.informaction.com/viewtopic.php?f=7&t=22296

BTW, does the Tor Browser have its own customized mandatory whitelist? If so, you should add [System+Principal] (yes, with the "+" instead of " "), which is in NoScript's default and should fix half of the cases.

Actually, we don't have a customized whitelist. We are just using NoScript as is in that regard. What do you mean with "which is in NoScript's default"? If I open a clean new Firefox profile and install NoScript I get exactly the same XSS protection exceptions as we ship in Tor Browser and [System+Principal] is not among them.

Trac:
Keywords: N/A deleted, tbb-usability, TorBrowserTeam201611 added

FWIW: using the location bar or the search bar + having a new tab open works even with the slider level set to Medium-High or High. (Just as another workaround)

I added as work around the XSS Exceptions but I still get XSS Errors when try to load the second/third/... page of search results on startpage.com.

[NoScript XSS] Sanitized suspicious upload to [https://s1-us2.startpage.com/do/search] from [https://www.startpage.com/do/search]: transformed into a download-only GET request.

To solve this I added another XSS Exception to allow https://s5-us2.startpage.com/do/search, https://s1-us2.startpage.com/do/search etc., ie second, third aso search-result-pages to be opened.

^https://www\.startpage\.com/do/search
^https?://[^/]+\.startpage\.com/do/search

Fixed with NoScript 2.9.5.2 it seems.

Trac:
Resolution: N/A to fixed
Status: new to closed

closed

moved to tpo/applications/tor-browser#20752 (closed)