Opened 3 years ago

Closed 3 years ago

#20752 closed defect (fixed)

Search box with DuckDuckGo (and other search engines) is broken on security level High and Medium-High

Reported by: gk
Owned by: tbb-team
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal
Keywords: tbb-usability, TorBrowserTeam201611
Cc: ma1

Description

It seems that since the NoScript update to 2.9.5, searching with DuckDuckGo and other engines (like StartPage) is broken if the security slider is set to "Medium-High" or "High". NoScript's XSS filter starts interfering:

[NoScript XSS] Sanitized suspicious upload to [https://duckduckgo.com/html] from [[System Principal]]: transformed into a download-only GET request.


Change History (7)

comment:1 Changed 3 years ago by cypherpunks

You could set an XSS Exception in NoScript like

^https://www\.startpage\.com/do/search
^https?://[^/]+\.startpage\.com/do/search
^https://startpage\.com/do/dsearch
^https://startpage\.com/rto/search
^https://duckduckgo\.com/html
^http://3g2upl4pq6kufc4m\.onion/html

www.startpage.com -> is necessary for the search on the actual website, somehow that's broken too.

update:
^https?://[^/]+\.startpage\.com/do/search for second,... page search results


comment:2 Changed 3 years ago by ma1

We're investigating this here:

https://forums.informaction.com/viewtopic.php?f=7&t=22296

BTW, does the Tor Browser have its own customized mandatory whitelist? If so, you should add [System+Principal] (yes, with the "+" instead of " "), which is in NoScript's default and should fix half of the cases.

The other half affects Gecko < 52 and we're looking for a work-around.

comment:3 in reply to:  2 Changed 3 years ago by gk

Replying to ma1:

We're investigating this here:

https://forums.informaction.com/viewtopic.php?f=7&t=22296

BTW, does the Tor Browser have its own customized mandatory whitelist? If so, you should add [System+Principal] (yes, with the "+" instead of " "), which is in NoScript's default and should fix half of the cases.

Actually, we don't have a customized whitelist. We are just using NoScript as is in that regard. What do you mean by "which is in NoScript's default"? If I open a clean new Firefox profile and install NoScript, I get exactly the same XSS protection exceptions as we ship in Tor Browser, and [System+Principal] is not among them.

comment:4 Changed 3 years ago by gk

Keywords: tbb-usability TorBrowserTeam201611 added

comment:5 Changed 3 years ago by gk

FWIW: using the location bar or the search bar + having a new tab open works even with the slider level set to Medium-High or High. (Just as another workaround)

comment:6 Changed 3 years ago by cypherpunks

As a workaround I added the XSS Exceptions, but I still get XSS errors when I try to load the second/third/... page of search results on startpage.com.

[NoScript XSS] Sanitized suspicious upload to [https://s1-us2.startpage.com/do/search] from [https://www.startpage.com/do/search]: transformed into a download-only GET request.

To solve this I added another XSS Exception to allow https://s5-us2.startpage.com/do/search, https://s1-us2.startpage.com/do/search etc., i.e. the second, third and so on search result pages, to be opened.

^https://www\.startpage\.com/do/search
^https?://[^/]+\.startpage\.com/do/search
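
An added example, not part of the ticket or of NoScript's code: it checks which of the exception patterns posted in comment:1 cover the destinations named in this ticket. It assumes each exception line is applied as a JavaScript regular expression to the destination URL; `coveringExceptions`, `report` and the URLs marked as constructed are illustrative names and values.

```javascript
// Assumption: every exception line is a JavaScript regular expression that is
// tested against the destination URL of the request.

// Exception patterns exactly as posted in comment:1.
const EXCEPTIONS = [
  String.raw`^https://www\.startpage\.com/do/search`,
  String.raw`^https?://[^/]+\.startpage\.com/do/search`,
  String.raw`^https://startpage\.com/do/dsearch`,
  String.raw`^https://startpage\.com/rto/search`,
  String.raw`^https://duckduckgo\.com/html`,
  String.raw`^http://3g2upl4pq6kufc4m\.onion/html`,
];

// Return every exception pattern that matches the given destination URL.
function coveringExceptions(url, patterns = EXCEPTIONS) {
  return patterns.filter((p) => new RegExp(p).test(url));
}

// For each URL, say whether it is exempt from XSS filtering and by which patterns.
function report(urls, patterns = EXCEPTIONS) {
  return urls.map((url) => {
    const hits = coveringExceptions(url, patterns);
    return { url, exempt: hits.length > 0, hits };
  });
}

const SAMPLE_URLS = [
  "https://duckduckgo.com/html",             // destination in the description's log line
  "https://s1-us2.startpage.com/do/search",  // destination in comment:6's log line
  "https://www.startpage.com/do/search",     // origin in comment:6's log line
  "https://startpage.com/do/search",         // constructed: bare domain, no subdomain
  "https://duckduckgo.com.example.net/html", // constructed: different host, same prefix text
  "https://duckduckgo.com/html5-demo",       // constructed: the patterns have no end anchor
];

for (const row of report(SAMPLE_URLS)) {
  console.log(row.exempt ? "EXEMPT  " : "FILTERED", row.url, row.hits);
}
```

The patterns are anchored at the start only, so every path that begins with the listed prefix on that host is exempt from the filter, while the host itself stays pinned by the escaped dots and the following `/`.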

comment:7 Changed 3 years ago by gk

Resolution: fixed
Status: new → closed

Fixed with NoScript 2.9.5.2 it seems.
