Tor Browser freezes when loading https://www.facebook.com/tr/ on a website
Tor Browser in its default mode (i.e. with JavaScript allowed) freezes when loading http://zeit.de. This happens every time when requesting https://www.facebook.com/tr/.
My console output stops always with
[05-23 16:59:52] Torbutton INFO: tor SOCKS: https://www.facebook.com/tr/ via
zeit.de:a137cc9014c3589a23fe6c5d354a4d7dAfter a bit of debugging it turns out that vanilla Firefox 52 versions are affected as well but only if NoScript is installed. This happens with NoScript 5.0.4 at least.
Activity
Trac:
Description: Tor Browser in its default mode (i.e. with JavaScript allowed) freezes when loading zeit.de. This happens every time when loading https://www.facebook.com/tr/.My console output stops always with
[05-23 16:59:52] Torbutton INFO: tor SOCKS: https://www.facebook.com/tr/ via zeit.de:a137cc9014c3589a23fe6c5d354a4d7dAfter a bit of debugging it turns out that vanilla Firefox 52 versions are affected as well but only if NoScript is installed. This happens with NoScript 5.0.4 at least.
to
Tor Browser in its default mode (i.e. with JavaScript allowed) freezes when loading
http://zeit.de. This happens every time when loading https://www.facebook.com/tr/.My console output stops always with
[05-23 16:59:52] Torbutton INFO: tor SOCKS: https://www.facebook.com/tr/ via zeit.de:a137cc9014c3589a23fe6c5d354a4d7dAfter a bit of debugging it turns out that vanilla Firefox 52 versions are affected as well but only if NoScript is installed. This happens with NoScript 5.0.4 at least.
-
Trac:
Description: Tor Browser in its default mode (i.e. with JavaScript allowed) freezes when loadinghttp://zeit.de. This happens every time when loading https://www.facebook.com/tr/.My console output stops always with
[05-23 16:59:52] Torbutton INFO: tor SOCKS: https://www.facebook.com/tr/ via zeit.de:a137cc9014c3589a23fe6c5d354a4d7dAfter a bit of debugging it turns out that vanilla Firefox 52 versions are affected as well but only if NoScript is installed. This happens with NoScript 5.0.4 at least.
to
Tor Browser in its default mode (i.e. with JavaScript allowed) freezes when loading
http://zeit.de. This happens every time when requesting https://www.facebook.com/tr/.My console output stops always with
[05-23 16:59:52] Torbutton INFO: tor SOCKS: https://www.facebook.com/tr/ via zeit.de:a137cc9014c3589a23fe6c5d354a4d7dAfter a bit of debugging it turns out that vanilla Firefox 52 versions are affected as well but only if NoScript is installed. This happens with NoScript 5.0.4 at least.
Trac:
Username: tokotoko
Cc: ma1 to ma1, fdsfgs@krutt.org-
Happens with https://www.theatlantic.com/business/archive/2016/07/racist-history-portland/492035/?utm_source=twb as well. The only workaround I have so far is disabling NoScript. :( #22438 (moved) is a duplicate.
Trac:
Summary: Tor Browser freezes when loading http://zeit.de to Tor Browser freezes when loading https://www.facebook.com/tr/ on a website
Severity: Normal to Major
Cc: ma1, fdsfgs@krutt.org to ma1, fdsfgs@krutt.org, isis
Priority: Medium to High Replying to gk:
Happens with https://www.theatlantic.com/business/archive/2016/07/racist-history-portland/492035/?utm_source=twb as well. The only workaround I have so far is disabling NoScript. :( #22438 (moved) is a duplicate.
To clarify, one workaround is to disable all JavaScript using NoScript, or to use Tor's high security mode.
-
Thanks. Let me see. FWIW: Enabling debug output gives me
[NoScript C] Document OK: @https://www.facebook.com/tr/ --- PGFM: null [NoScript C] Document OK: @https://www.facebook.com/tr/ --- PGFM: null [NoScript C] Sync on pageshow javascript:false"Sync on pageshow javascript:false" is only visible for
https://www.facebook.com/tr/. Might be related to this bug? -
Replying to ma1:
I'm checking it right now. In the meanwhile, would deploying an ABE rule like this one:
{{{ Site https://www.facebook.com/tr/ Allow from SELF Deny }}} work?
ABE complains in that case. It seems it does not know "Allow". But replacing that with "Accept" makes it happy. Let me know if that's not the right thing. However, after restarting and with that rule in place I still get the hangs.
Replying to gk:
Replying But replacing that with "Accept" makes it happy. However, after restarting and with that rule in place I still get the hangs.
Yes, it's "Accept", my bad.
It doesn't seem **caused **by the load (it's just a 1 pixel GIF), but maybe just correlated and, I suspect, caused by a script checking for something that's not there in a loop.
Going on with the investigation and looking for work-arounds...
-
Marked #22435 (moved) as a duplicate.
Trac:
Cc: ma1, fdsfgs@krutt.org, isis to ma1, fdsfgs@krutt.org, isis, jiminycricket -
It was https://www.facebook.com/tr/, after all.
It gets loaded several times with GET requests, but at a certain point a POST request containing two big JSON parameter is sent, and this apparently hangs the XSS filter (which is triggered BEFORE ABE, hence the futility of my previous proposed work around).
While I try to understand what actually happens in the guts of the filter, a new work around which WFM is adding the following line to NoScript Options>Advanced>XSS exceptions box (about:config -> noscript.filterXExceptions):
^https://www\.facebook\.com/tr/ -
Replying to ma1:
It was https://www.facebook.com/tr/, after all.
It gets loaded several times with GET requests, but at a certain point a POST request containing two big JSON parameter is sent, and this apparently hangs the XSS filter (which is triggered BEFORE ABE, hence the futility of my previous proposed work around).
Woah. Thanks for looking into it. The workaround does the job for me as well.
-
Replying to ma1:
While I try to understand what actually happens in the guts of the filter, a new work around which WFM is adding the following line to NoScript Options>Advanced>XSS exceptions box (about:config -> noscript.filterXExceptions):
{{{ ^https://www.facebook.com/tr/ }}}
ma1: Do you have an ETA for a new NoScript version with a fix for this problem? I am a bit reluctant to add that exception to the list for Tor Browser. But we are currently preparing Tor Browser 7.0, so having this issue solved some time next week or early in the week thereafter would rock.
Trac:
Status: new to needs_information -
After thinking a while about how to mitigate that problem in Tor Browser while we are waiting for a new NoScript release it seems to me we don't want to just whitelist that particular tracker. The risk is that a week after release a different one hits the same bug and we start playing whack-a-mole. I think we should disable the XSS protection for now until it can't be used as a DoS tool anymore.
-
bug_22326(https://gitweb.torproject.org/user/gk/tor-browser-bundle.git/commit/?h=bug_22362&id=e8178d1373d6ce2599ef58eca4d52d1b6817263f) has a patch for the workaround in comment:17 up for review.Trac:
Keywords: TorBrowserTeam201706 deleted, TorBrowserTeam201706R, GeorgKoppen201706 added
Status: needs_information to needs_review -
Is this the same issue persisting in Tor Browser 7.0? The Guardian also crashes on this page:
Trac:
Username: jiminycricket