When I go to certain sites in the Tor Browser 8.0, I get a new window popping up, which is the same size as my current browser window, which looks like it comes from noscript. It says "NoScript XSS Warning" at the top, and the window title is "moz-extension://4536b558-.... NoScript XSS Warning", and there's a bit of text towards the top that says
NoScript detected a potential Cross-Site Scripting attack from http://www.espn.com to https://8397396.fls.doubleclick.net. Suspicious data: (URL) https://8397396.fls.doubleclick.net/activityi;src=8397396;type=espng0;cat=espna0;u1=http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-house-epic-derby-comeback;u2=[s.products];u3=[c.promocode];u4=[payment method];u5=[c.SWID];u6=[c.UNID];u7=[c.NavMethod];u8=[Trial/Monthly/Annual];dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;ord=9016327828417.457?
and towards the bottom I have the options to block, always block, allow, always allow, and then an ok button.
(I've noticed the behavior happens pretty consistently with espn urls.)
I'm not sure quite what behavior I would expect instead, but "making a new huge window that's mostly whitespace and that prevents me from doing anything on any tab until I've made the window go away" was not it. :)
I agree, as is, it's pretty inconvenient. Also I had one of those existential thoughts, "Will these settings persist?", after I kept getting that warning and had to choose the "Always block from ..." option. Not good!
This just happened to me on Tor Browser 8.0, so I am updating the title / description to indicate that it's not just an alpha thing.
Trac: Summary: Tor Browser 8a, noscript pops up a full-browser-size window to warn me about x-site scripting to Tor Browser 8.0, noscript pops up a full-browser-size window to warn me about x-site scripting
Description: "When I go to certain sites in the Tor Browser 8 alpha, I get a new window popping up, ..." to "When I go to certain sites in the Tor Browser 8.0, I get a new window popping up, ..." (the rest of the description is unchanged; see the description above)
Giorgio: Is there a way to make this XSS warning less obtrusive? We have users that are scared as hell by those popups, thinking they got a virus or something. I guess a lot of them are very likely false positives, too (like the one on the nytimes website)?
Hrmm, this situation does not seem to have improved. Doubleclick is encoding URLs in like all of its ad query params (probably because of the referer field not being present for https fetches), and this is getting triggered multiple times all over the place. It is making many sites unusable for me.
If we can't eliminate these false positives, I think we should disable this XSS protection, certainly by default. With as noisy as it currently is, I don't think it should be on unless the security level is at High.
I wholeheartedly agree with what Mike said, in addition the XSS protection code seems to cause my CPU to peak at 100% (poor Intel Atom), ma1 should really consider converting it to WebAssembly and hopefully WebAssembly will be enabled by default in the upcoming Tor Browser 9 alpha.
Hrmm, this situation does not seem to have improved. Doubleclick is encoding URLs in like all of its ad query params (probably because of the referer field not being present for https fetches), and this is getting triggered multiple times all over the place.
Could you please provide me with some URLs to test for false positives?
I'd very much want to remove them, but unfortunately, "regular" NoScript users (not on the Tor Browser at Medium security settings) are unlikely to see and report those because doubleclick is blocked by default (pre-XSS filter) and/or adblocked. Is there any reason for the Tor Browser not blocking the major tracking / advertising offenders across all its user base?
Beside tackling false positives, a strategy I'm willing to experiment with is replacing XSS warning popups with something less obtrusive and workflow-interrupting: what about an in-content placeholder, very much like the click-to-play one?
Regarding the performance issues, I've already made the filter asynchronous in the WebExtensions process, which shouldn't block the UI and content processes but unfortunately doesn't help much with mono-core processors (poor Intel Atom). I'm not sure WebAssembly would be useful either, since most of the CPU time is spent on regular expressions matching, but having real-world cases reported would help optimizing possibly inefficient ones.
Hrmm, this situation does not seem to have improved. Doubleclick is encoding URLs in like all of its ad query params (probably because of the referer field not being present for https fetches), and this is getting triggered multiple times all over the place.
Could you please provide me with some URLs to test for false positives?
NoScript detected a potential Cross-Site Scripting attack from https://5756926.fls.doubleclick.net to https://adservice.google.com. Suspicious data: https://adservice.google.com/ddm/fls/i/src=5756926;type=emark0;cat=remar0;ord=1;num=3897397787192;gtm=2wg7o0;auiddc=227660113.1564751486;u1=https://www.arla.se/recept/kladdkaka/;_dc_1=1;~oref=https://www.interesting.website.com
(I changed the website name but I assume that should not be a problem)
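Both false-positive URLs quoted in this ticket have the same shape that Mike describes above: the DoubleClick/Floodlight request keeps its parameters in the path as ";key=value" segments, and some of those values (u1, ~oref) are the full URL of the page that triggered the ad request. The following is an added example, not NoScript's code and not its XSS heuristic; it parses those matrix-style parameters and lists which ones carry an embedded absolute URL. The two sample URLs are copied from the ticket; the function names are our own.

```javascript
// Added example (not NoScript's code and not its InjectionChecker logic):
// parse the ";"-delimited Floodlight URLs from this ticket and report which
// parameters contain a complete http(s) URL, i.e. the data that looks like
// "something being passed across origins" to a URL-based XSS filter.

const SAMPLES = [
  // from the original report (espn.com -> fls.doubleclick.net)
  "https://8397396.fls.doubleclick.net/activityi;src=8397396;type=espng0;cat=espna0;u1=http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-house-epic-derby-comeback;u2=[s.products];u3=[c.promocode];u4=[payment method];u5=[c.SWID];u6=[c.UNID];u7=[c.NavMethod];u8=[Trial/Monthly/Annual];dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;ord=9016327828417.457?",
  // from the later false-positive report (fls.doubleclick.net -> adservice.google.com)
  "https://adservice.google.com/ddm/fls/i/src=5756926;type=emark0;cat=remar0;ord=1;num=3897397787192;gtm=2wg7o0;auiddc=227660113.1564751486;u1=https://www.arla.se/recept/kladdkaka/;_dc_1=1;~oref=https://www.interesting.website.com",
];

// The parameters live in the path as ";key=value" segments (matrix
// parameters), not in the query string, so URLSearchParams does not see
// them. Split the path on ";" and percent-decode each value.
function parseMatrixParams(url) {
  const path = new URL(url).pathname;
  const params = {};
  for (const seg of path.split(";")) {
    const eq = seg.indexOf("=");
    if (eq < 0) continue; // plain path component such as "/activityi"
    // The first segment may still carry path components ("/ddm/fls/i/src=...").
    const key = seg.slice(0, eq).slice(seg.lastIndexOf("/", eq) + 1);
    let value = seg.slice(eq + 1);
    try {
      value = decodeURIComponent(value); // e.g. "[payment%20method]" -> "[payment method]"
    } catch (_) {
      // malformed percent-encoding: keep the raw value
    }
    params[key] = value;
  }
  return params;
}

// Names of the parameters whose value is itself an absolute http(s) URL.
function embeddedUrlParams(url) {
  return Object.entries(parseMatrixParams(url))
    .filter(([, v]) => /^https?:\/\//i.test(v))
    .map(([k]) => k);
}

// Origins of those embedded URLs, i.e. which sites are named inside the request.
function embeddedOrigins(url) {
  const params = parseMatrixParams(url);
  return embeddedUrlParams(url).map((k) => new URL(params[k]).origin);
}

// Does the request carry the referring page's origin as a parameter value?
// For the espn.com report this is true: u1 is the article being read, which
// is exactly the information the Referer header would otherwise have carried.
function carriesReferrer(url, referrerOrigin) {
  return embeddedOrigins(url).includes(referrerOrigin);
}

for (const url of SAMPLES) {
  console.log(new URL(url).host, "->", embeddedUrlParams(url), embeddedOrigins(url));
}
```

Running it shows that the only "URL-like" content in either request is the referring page (u1) and, in the second sample, an extra ~oref copy of it; everything else is fixed tag identifiers and empty or bracketed placeholder values. That is the pattern a filter that flags URLs nested inside cross-origin requests will keep tripping over on every Floodlight-instrumented site, which is why the false positives are so widespread rather than specific to espn.com.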
v 11.0.3rc2
=============================================================
x [Tor] Work-around for prompts being huge when resistFingerprinting is enabled
x [XSS] Fixed false positives due to overzealous HTML attribute checking
x [XSS] Enabled InjectionChecker logging when debugging mode is on
Previously, you closed tickets only after bumping NoScript. However, this particular bump brings back high CPU consumption on different websites :(
Thanks! That's an excellent idea. I bumped the NoScript version in commit dd665cd95f680d7a8232220abad3cd1c623fbd66 on maint-8.5 and commit 9c03e532c542eb9f01399d39fb39d9fede00e705 on master.
Please file a new ticket for the high CPU consumption with steps to reproduce, thanks!