Opened 8 weeks ago

Last modified 7 weeks ago

#29646 new defect

NoScript XSS user choices are persisted

Reported by: atac Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-disk-leak xss noscriptm tbb-newnym
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Whenever user chooses 'Always allow' or 'Always block' in one of the NoScript XSS popups the setting is persisted in storage-sync.sqlite file and this is never cleared on browser startup as the rest of NoScript preferences.

The full persisted object can be inspected via about:debugging -> Debug Noscript -> browser.storage.sync.get('xssUserChoices').

I understand this is not intended behaviour, since NoScript default is to not persist user choices (clearing them up on browser start).

Child Tickets

Change History (1)

comment:1 Changed 7 weeks ago by gk

Keywords: noscriptm tbb-newnym added; noscript removed

One could actually argue that it's exactly behaving as expected: You said *always*, now you get always (while just simply allowing/blocking would be session-wide (Or maybe it's bound to the domain? I have not checked)).

That persists over New Identity, which is definitely a bug. But I am not sure what the best solution for the disk persistence would be. Just not offering those two options on the dialog? Or maybe we should just disable NoScript's XSS protections altogether given that it causes bugs like #29647 and #22362?

Note: See TracTickets for help on using tickets.