Opened 7 months ago

Last modified 5 months ago

#26847 new defect

Tor Browser 8.0, noscript pops up a full-browser-size window to warn me about x-site scripting

Reported by: arma
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-8.0-issues, tbb-regression, noscript
Cc: ma1, arthuredelstein
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by arma)

When I go to certain sites in the Tor Browser 8.0, I get a new window popping up, which is the same size as my current browser window, which looks like it comes from noscript. It says "NoScript XSS Warning" at the top, and the window title is "moz-extension://4536b558-.... NoScript XSS Warning", and there's a bit of text towards the top that says


NoScript detected a potential Cross-Site Scripting attack

from http://www.espn.com to https://8397396.fls.doubleclick.net.

Suspicious data:

(URL) https://8397396.fls.doubleclick.net/activityi;src=8397396;type=espng0;cat=espna0;u1=http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-house-epic-derby-comeback;u2=[s.products];u3=[c.promocode];u4=[payment method];u5=[c.SWID];u6=[c.UNID];u7=[c.NavMethod];u8=[Trial/Monthly/Annual];dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;ord=9016327828417.457?

and towards the bottom I have the options to block, always block, allow, always allow, and then an ok button.

The example url in this case was
http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-house-epic-derby-comeback

(I've noticed the behavior happens pretty consistently with espn urls.)

I'm not sure quite what behavior I would expect instead, but "making a new huge window that's mostly whitespace and that prevents me from doing anything on any tab until I've made the window go away" was not it. :)

Change History (6)

comment:1 Changed 7 months ago by ProTipGuyFWIWWeLoveARMA

I agree, as is, it's pretty inconvenient. Also I had one of those existential thoughts "Will these settings persist?" after I kept getting that warning and had to choose the "Always block from ..." option, not good!

comment:2 Changed 7 months ago by gk

Cc: ma1 added
Keywords: ff60-esr added

comment:3 Changed 5 months ago by arthuredelstein

Cc: arthuredelstein added

comment:4 Changed 5 months ago by gk

Keywords: tbb-8.0-issues tbb-regression noscript added; ff60-esr removed

comment:5 Changed 5 months ago by arma

Description: modified (diff)
Summary: changed from "Tor Browser 8a, noscript pops up a full-browser-size window to warn me about x-site scripting" to "Tor Browser 8.0, noscript pops up a full-browser-size window to warn me about x-site scripting"

This just happened to me on Tor Browser 8.0, so I am updating the title / description to indicate that it's not just an alpha thing.

comment:6 Changed 5 months ago by gk

Giorgio: Is there a way to make this XSS warning less obtrusive? We have users that are scared as hell by those popups thinking they got a virus or something. I guess a lot of them are very likely false positives, too (like the one on the nytimes website)?
