Opened 15 months ago

Closed 8 weeks ago

Last modified 8 weeks ago

#26847 closed defect (fixed)

Tor Browser 8.0, noscript pops up a full-browser-size window to warn me about x-site scripting

Reported by: arma Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-8.0-issues, tbb-regression, noscript, tbb-usability, TorBrowserTeam201908R
Cc: ma1, arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by arma)

When I go to certain sites in the Tor Browser 8.0, I get a new window popping up, which is the same size as my current browser window, which looks like it comes from noscript. It says "NoScript XSS Warning" at the top, and the window title is "moz-extension://4536b558-.... NoScript XSS Warning", and there's a bit of text towards the top that says


NoScript detected a potential Cross-Site Scripting attack

from http://www.espn.com to https://8397396.fls.doubleclick.net.

Suspicious data:

(URL) https://8397396.fls.doubleclick.net/activityi;src=8397396;type=espng0;cat=espna0;u1=http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-house-epic-derby-comeback;u2=[s.products];u3=[c.promocode];u4=[payment method];u5=[c.SWID];u6=[c.UNID];u7=[c.NavMethod];u8=[Trial/Monthly/Annual];dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;ord=9016327828417.457?

and towards the bottom I have the options to block, always block, allow, always allow, and then an ok button.

The example url in this case was
http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-house-epic-derby-comeback

(I've noticed the behavior happens pretty consistently with espn urls.)

I'm not sure quite what behavior I would expect instead, but "making a new huge window that's mostly whitespace and that prevents me from doing anything on any tab until I've made the window go away" was not it. :)

Child Tickets

Change History (15)

comment:1 Changed 15 months ago by ProTipGuyFWIWWeLoveARMA

I agree, as is, it's pretty inconvenient. Also I had one of those existential thoughts "Will these settings persist?" after I kept getting that warning and had to choose the "Always block from ..." option, not good!

comment:2 Changed 15 months ago by gk

Cc: ma1 added
Keywords: ff60-esr added

comment:3 Changed 14 months ago by arthuredelstein

Cc: arthuredelstein added

comment:4 Changed 14 months ago by gk

Keywords: tbb-8.0-issues tbb-regression noscript added; ff60-esr removed

comment:5 Changed 14 months ago by arma

Description: modified (diff)
Summary: Tor Browser 8a, noscript pops up a full-browser-size window to warn me about x-site scripting → Tor Browser 8.0, noscript pops up a full-browser-size window to warn me about x-site scripting

This just happened to me on Tor Browser 8.0, so I am updating the title / description to indicate that it's not just an alpha thing.

comment:6 Changed 14 months ago by gk

Giorgio: Is there a way to make this XSS warning less obtrusive? We have users that are scared as hell by those popups, thinking they got a virus or something. I guess a lot of them are very likely false positives, too (like the one on the nytimes website)?

comment:7 Changed 3 months ago by mikeperry

Keywords: tbb-usability added

Hrmm, this situation does not seem to have improved. Doubleclick is encoding URLs in like all of its ad query params (probably because of the referer field not being present for https fetches), and this is getting triggered multiple times all over the place. It is making many sites unusable for me.

If we can't eliminate these false positives, I think we should disable this XSS protection, certainly by default. With as noisy as it currently is, I don't think it should be on unless the security level is at High.

comment:8 Changed 3 months ago by cypherpunks

I wholeheartedly agree with what Mike said, in addition the XSS protection code seems to cause my CPU to peak at 100% (poor Intel Atom), ma1 should really consider converting it to WebAssembly and hopefully WebAssembly will be enabled by default in the upcoming Tor Browser 9 alpha.

comment:9 in reply to:  7 ; Changed 3 months ago by ma1

Replying to mikeperry:

Hrmm, this situation does not seem to have improved. Doubleclick is encoding URLs in like all of its ad query params (probably because of the referer field not being present for https fetches), and this is getting triggered multiple times all over the place.

Could you please provide me with some URLs to test for false positives?
I'd very much want to remove them, but unfortunately, "regular" NoScript users (not on the Tor Browser at Medium security settings) are unlikely to see and report those because doubleclick is blocked by default (pre-XSS filter) and/or adblocked. Is there any reason for the Tor Browser not blocking the major tracking / advertising offenders across all its user base?

Beside tackling false positives, a strategy I'm willing to experiment with is replacing XSS warning popups with something less obtrusive and workflow-interrupting: what about an in-content placeholder, very much like the click-to-play one?

Regarding the performance issues, I've already made the filter asynchronous in the WebExtensions process, which shouldn't block the UI and content processes but unfortunately doesn't help much with mono-core processors (poor Intel Atom). I'm not sure WebAssembly would be useful either, since most of the CPU time is spent on regular expression matching, but having real-world cases reported would help optimize possibly inefficient ones.

Thank you all for the cooperation.

comment:10 in reply to:  9 Changed 3 months ago by gk

Replying to ma1:

Replying to mikeperry:

Hrmm, this situation does not seem to have improved. Doubleclick is encoding URLs in like all of its ad query params (probably because of the referer field not being present for https fetches), and this is getting triggered multiple times all over the place.

Could you please provide me with some URLs to test for false positives?

NoScript detected a potential Cross-Site Scripting attack

from https://5756926.fls.doubleclick.net to https://adservice.google.com.

Suspicious data:
https://adservice.google.com/ddm/fls/i/src=5756926;type=emark0;cat=remar0;ord=1;num=3897397787192;gtm=2wg7o0;auiddc=227660113.1564751486;u1=https://www.arla.se/recept/kladdkaka/;_dc_1=1;~oref=https://www.interesting.website.com

(I changed the website name but I assume that should not be a problem)
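The two URL pairs quoted in comment:7's complaint and comment:10's report share one shape: a cross-site request to an ad/measurement host whose parameters carry other full URLs (u1=, ~oref=). The following is an added toy example, not NoScript's InjectionChecker or any Tor Browser code, that shows why a check which treats "parameter looks like a URL or contains brackets" as suspicious data fires on both of them, and how a check keyed on actual injection markers (tag openers, javascript: scheme, inline event handlers, script-carrying data: URLs) lets them through while still catching a real reflected-XSS payload. The same-site rule (compare the last two host labels) and the third, attacker/example.test URL pair are assumptions constructed for the example; the first two pairs are the URLs from this ticket.

```javascript
// Added example (not NoScript's own InjectionChecker): a deliberately small
// cross-site injection heuristic in two variants, run against the URLs
// quoted in this ticket plus one constructed injection attempt.

// Roughly "same registrable domain": compare the last two host labels.
// A real implementation uses the public suffix list; this is an assumption.
function sameSite(a, b) {
  const tail = (h) => h.split('.').slice(-2).join('.');
  return tail(new URL(a).hostname) === tail(new URL(b).hostname);
}

// Collect every parameter value from path and query. DoubleClick-style URLs
// carry parameters in the path separated by ';', not only after '?'.
function paramValues(url) {
  const u = new URL(url);
  return (u.pathname + u.search)
    .split(/[;?&]/)
    .filter((p) => p.includes('='))
    .map((p) => {
      const raw = p.slice(p.indexOf('=') + 1);
      try { return decodeURIComponent(raw); } catch (e) { return raw; }
    });
}

// Naive rule: any value that looks like a URL or contains bracket-like
// characters is "suspicious data". Every nested tracking URL trips it.
const NAIVE = [/https?:\/\//i, /[<>\[\]]/];

// Refined rule: only values carrying script-injection markers are flagged.
const REFINED = [
  /<\s*\/?[a-z!]/i,        // HTML tag opener, e.g. <script or </script
  /javascript\s*:/i,       // javascript: scheme
  /\bon[a-z]+\s*=/i,       // inline event handler, e.g. onerror=
  /data\s*:[^,]*script/i,  // data: URL smuggling script
];

// Returns 'clean' or 'suspicious'. Same-site requests are not inspected;
// the filter models only the cross-site case the ticket is about.
function classify(fromUrl, toUrl, mode = 'refined') {
  if (sameSite(fromUrl, toUrl)) return 'clean';
  const rules = mode === 'naive' ? NAIVE : REFINED;
  const hit = paramValues(toUrl).some((v) => rules.some((re) => re.test(v)));
  return hit ? 'suspicious' : 'clean';
}

// The two URL pairs quoted in this ticket.
const ESPN_FROM = 'http://www.espn.com';
const ESPN_TO = 'https://8397396.fls.doubleclick.net/activityi;src=8397396;type=espng0;cat=espna0;u1=http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-house-epic-derby-comeback;u2=[s.products];u3=[c.promocode];u4=[payment method];u5=[c.SWID];u6=[c.UNID];u7=[c.NavMethod];u8=[Trial/Monthly/Annual];dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;ord=9016327828417.457?';
const DC_FROM = 'https://5756926.fls.doubleclick.net';
const DC_TO = 'https://adservice.google.com/ddm/fls/i/src=5756926;type=emark0;cat=remar0;ord=1;num=3897397787192;gtm=2wg7o0;auiddc=227660113.1564751486;u1=https://www.arla.se/recept/kladdkaka/;_dc_1=1;~oref=https://www.interesting.website.com';

// Constructed (not from the ticket): a genuine reflected-XSS attempt.
const ATTACK_FROM = 'https://attacker.test';
const ATTACK_TO = 'https://example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&next=javascript:alert(document.cookie)';

for (const [from, to] of [[ESPN_FROM, ESPN_TO], [DC_FROM, DC_TO], [ATTACK_FROM, ATTACK_TO]]) {
  console.log(`naive=${classify(from, to, 'naive')} refined=${classify(from, to)}  ${to.slice(0, 48)}...`);
}
```

Running it prints naive=suspicious for all three pairs but refined=suspicious only for the constructed attack; the point is that a URL embedded as a parameter value is not by itself an injection, and a filter that treats it as one will fire on every measurement pixel that records the page it was loaded from.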

comment:11 Changed 3 months ago by ma1

https://github.com/hackademix/noscript/releases/tag/11.0.3rc2

v 11.0.3rc2
=============================================================
x [Tor] Work-around for prompts being huge when
  resistFingerprinting is enabled
x [XSS] Fixed false positives due to overzealous HTML
  attribute checking
x [XSS] Enabled InjectionChecker logging when debugging mode
  is on

comment:12 Changed 2 months ago by gk

Keywords: TorBrowserTeam201908R added

comment:13 Changed 8 weeks ago by gk

Resolution: fixed
Status: new → closed

Looks better, thanks! Let's go with that one and open new bugs in case we need it.

comment:14 Changed 8 weeks ago by cypherpunks

Previously, you closed tickets only after bumping NoScript. However, this particular bump brings back high CPU consumption on different websites :(

comment:15 in reply to:  14 Changed 8 weeks ago by gk

Replying to cypherpunks:

Previously, you closed tickets only after bumping NoScript. However, this particular bump brings back high CPU consumption on different websites :(

Thanks! That's an excellent idea. I bumped the NoScript version in commit dd665cd95f680d7a8232220abad3cd1c623fbd66 on maint-8.5 and commit 9c03e532c542eb9f01399d39fb39d9fede00e705 on master.

Please file a new ticket for the high CPU consumption with steps to reproduce, thanks!
