Opened 13 months ago

Last modified 2 days ago

#26847 new defect

Tor Browser 8.0, noscript pops up a full-browser-size window to warn me about x-site scripting

Reported by: arma Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-8.0-issues, tbb-regression, noscript, tbb-usability, TorBrowserTeam201908R
Cc: ma1, arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by arma)

When I go to certain sites in the Tor Browser 8.0, I get a new window popping up, which is the same size as my current browser window, which looks like it comes from noscript. It says "NoScript XSS Warning" at the top, the window title is "moz-extension://4536b558-.... NoScript XSS Warning", and there's a bit of text towards the top that says


NoScript detected a potential Cross-Site Scripting attack

from http://www.espn.com to https://8397396.fls.doubleclick.net.

Suspicious data:

(URL) https://8397396.fls.doubleclick.net/activityi;src=8397396;type=espng0;cat=espna0;u1=http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-house-epic-derby-comeback;u2=[s.products];u3=[c.promocode];u4=[payment method];u5=[c.SWID];u6=[c.UNID];u7=[c.NavMethod];u8=[Trial/Monthly/Annual];dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;ord=9016327828417.457?

and towards the bottom I have the options to block, always block, allow, always allow, and then an ok button.

The example url in this case was
http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-house-epic-derby-comeback

(I've noticed the behavior happens pretty consistently with espn urls.)

I'm not sure quite what behavior I would expect instead, but "making a new huge window that's mostly whitespace and that prevents me from doing anything on any tab until I've made the window go away" was not it. :)

Change History (12)

comment:1 Changed 13 months ago by ProTipGuyFWIWWeLoveARMA

I agree, as is, it's pretty inconvenient. Also I had one of those existential thoughts, "Will these settings persist?", after I kept getting that warning and had to choose the "Always block from ..." option. Not good!

comment:2 Changed 13 months ago by gk

Cc: ma1 added
Keywords: ff60-esr added

comment:3 Changed 12 months ago by arthuredelstein

Cc: arthuredelstein added

comment:4 Changed 12 months ago by gk

Keywords: tbb-8.0-issues tbb-regression noscript added; ff60-esr removed

comment:5 Changed 12 months ago by arma

Description: modified (diff)
Summary: Tor Browser 8a, noscript pops up a full-browser-size window to warn me about x-site scripting → Tor Browser 8.0, noscript pops up a full-browser-size window to warn me about x-site scripting

This just happened to me on Tor Browser 8.0, so I am updating the title / description to indicate that it's not just an alpha thing.

comment:6 Changed 11 months ago by gk

Giorgio: Is there a way to make this XSS warning less obtrusive? We have users that are scared as hell by those popups, thinking they got a virus or something. I guess a lot of them are very likely false positives, too (like the one on the nytimes website)?

comment:7 Changed 3 weeks ago by mikeperry

Keywords: tbb-usability added

Hrmm, this situation does not seem to have improved. Doubleclick is encoding URLs in like all of its ad query params (probably because of the referer field not being present for https fetches), and this is getting triggered multiple times all over the place. It is making many sites unusable for me.

If we can't eliminate these false positives, I think we should disable this XSS protection, certainly by default. With as noisy as it currently is, I don't think it should be on unless the security level is at High.

comment:8 Changed 3 weeks ago by cypherpunks

I wholeheartedly agree with what Mike said. In addition, the XSS protection code seems to cause my CPU to peak at 100% (poor Intel Atom); ma1 should really consider converting it to WebAssembly, and hopefully WebAssembly will be enabled by default in the upcoming Tor Browser 9 alpha.

comment:9 in reply to: 7; Changed 3 weeks ago by ma1

Replying to mikeperry:

Hrmm, this situation does not seem to have improved. Doubleclick is encoding URLs in like all of its ad query params (probably because of the referer field not being present for https fetches), and this is getting triggered multiple times all over the place.

Could you please provide me with some URLs to test for false positives?
I'd very much want to remove them, but unfortunately, "regular" NoScript users (not on the Tor Browser at Medium security settings) are unlikely to see and report those because doubleclick is blocked by default (pre-XSS filter) and/or adblocked. Is there any reason for the Tor Browser not blocking the major tracking / advertising offenders across all its user base?

Beside tackling false positives, a strategy I'm willing to experiment with is replacing XSS warning popups with something less obtrusive and workflow-interrupting: what about an in-content placeholder, very much like the click-to-play one?

Regarding the performance issues, I've already made the filter asynchronous in the WebExtensions process, which shouldn't block the UI and content processes but unfortunately doesn't help much with mono-core processors (poor Intel Atom). I'm not sure WebAssembly would be useful either, since most of the CPU time is spent on regular expression matching, but having real-world cases reported would help optimize possibly inefficient ones.

Thank you all for the cooperation.

comment:10 in reply to: 9; Changed 3 weeks ago by gk

Replying to ma1:

Replying to mikeperry:

Hrmm, this situation does not seem to have improved. Doubleclick is encoding URLs in like all of its ad query params (probably because of the referer field not being present for https fetches), and this is getting triggered multiple times all over the place.

Could you please provide me with some URLs to test for false positives?

NoScript detected a potential Cross-Site Scripting attack

from https://5756926.fls.doubleclick.net to https://adservice.google.com.

Suspicious data:
https://adservice.google.com/ddm/fls/i/src=5756926;type=emark0;cat=remar0;ord=1;num=3897397787192;gtm=2wg7o0;auiddc=227660113.1564751486;u1=https://www.arla.se/recept/kladdkaka/;_dc_1=1;~oref=https://www.interesting.website.com

(I changed the website name but I assume that should not be a problem)
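As an added example (not part of the ticket, and not NoScript's own InjectionChecker code): a small Python parser for the two DoubleClick/Floodlight URLs quoted in this ticket, showing which parameters carry a whole URL as their value, which is the pattern mikeperry and ma1 discuss as a likely false-positive source. The "URL-valued parameter" and "markup hint" heuristics are this example's own.

```python
"""Take the Floodlight activity URLs reported in this ticket apart and show
which parameters smuggle another origin's URL as plain data. Sample URLs are
copied from the ticket (description and comment:10); the checks are the
example's own, not NoScript's."""
from urllib.parse import urlsplit, unquote

REPORTED = [
    "https://8397396.fls.doubleclick.net/activityi;src=8397396;type=espng0;cat=espna0;u1=http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-house-epic-derby-comeback;u2=[s.products];u3=[c.promocode];u4=[payment method];u5=[c.SWID];u6=[c.UNID];u7=[c.NavMethod];u8=[Trial/Monthly/Annual];dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;ord=9016327828417.457?",
    "https://adservice.google.com/ddm/fls/i/src=5756926;type=emark0;cat=remar0;ord=1;num=3897397787192;gtm=2wg7o0;auiddc=227660113.1564751486;u1=https://www.arla.se/recept/kladdkaka/;_dc_1=1;~oref=https://www.interesting.website.com",
]

# Characters a filter would need to see before a value could be markup or a
# script URL; a bare http(s) URL contains none of them.
MARKUP_HINTS = ("<", ">", "javascript:")


def floodlight_params(url: str) -> dict:
    """Split the ';'-separated key=value pairs. They live in the *path*, not
    the query string, so urlsplit().query is empty and we parse the path."""
    segments = urlsplit(url).path.split(";")
    head = segments[0].rsplit("/", 1)[-1]          # /ddm/fls/i/src=... style
    pairs = ([head] if "=" in head else []) + segments[1:]
    params = {}
    for segment in pairs:
        key, sep, value = segment.partition("=")
        if sep:
            params[key] = unquote(value)
    return params


def embedded_urls(url: str) -> dict:
    """Parameters whose value is itself an absolute http(s) URL, mapped to the
    origin that value points at (the 'third' origin the filter sees)."""
    found = {}
    for key, value in floodlight_params(url).items():
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.netloc:
            found[key] = f"{parts.scheme}://{parts.netloc}"
    return found


def has_markup_hint(value: str) -> bool:
    """True only if the value carries something beyond a plain URL."""
    return any(hint in value.lower() for hint in MARKUP_HINTS)


def describe(url: str) -> dict:
    """What a cross-site filter sees for one request: its own origin, the
    URL-valued parameters, and whether any parameter looks like markup."""
    p = urlsplit(url)
    params = floodlight_params(url)
    return {"request_origin": f"{p.scheme}://{p.netloc}",
            "url_valued_params": embedded_urls(url),
            "any_markup_hint": any(has_markup_hint(v) for v in params.values())}
```

Running `describe()` over both samples reports URL-valued parameters (u1, and ~oref in the second case) but no markup hints, which is the distinction a filter would need to draw to stop warning on these requests.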

comment:11 Changed 3 weeks ago by ma1

https://github.com/hackademix/noscript/releases/tag/11.0.3rc2

v 11.0.3rc2
=============================================================
x [Tor] Work-around for prompts being huge when
  resistFingerprinting is enabled
x [XSS] Fixed false positives due to overzealous HTML
  attribute checking
x [XSS] Enabled InjectionChecker logging when debugging mode
  is on

comment:12 Changed 2 days ago by gk

Keywords: TorBrowserTeam201908R added