Opened 7 months ago

Closed 7 months ago

Last modified 7 months ago

#29872 closed defect (fixed)

Searching from about:tor cause a NoScript XSS warning popup

Reported by: boklm Owned by: gk
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: TorBrowserTeam201903
Cc: ma1 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Using the duckduckgo search box on the about:tor page is causing a NoScript XSS warning window to open.

Child Tickets

Attachments (1)

ddg.png (21.4 KB) - added by cypherpunks 7 months ago.
screenshot

Download all attachments as: .zip

Change History (8)

comment:1 Changed 7 months ago by gk

Status: newneeds_information

What NoScript version are you using? It works for me with NoSCript 10.2.4.

comment:2 Changed 7 months ago by boklm

I'm using Tor Browser 8.0.8 with NoScript 10.2.4.

Are you trying with the search box on the about:tor page (not the one near the URL bar)?

comment:3 Changed 7 months ago by cypherpunks

Testing here with 8.5a9 and 10.2.4, except the Safest security setting, I can confirm the warning window popping up

Changed 7 months ago by cypherpunks

Attachment: ddg.png added

screenshot

comment:4 Changed 7 months ago by ma1

OK, I can see it. It's when you use the search box inside the page, not the one(s) in the browser UI, which are exempt by the XSS filter fallback warning on every cross-site POST request I had to introduce for POST scanning being disabled due to https://bugzilla.mozilla.org/show_bug.cgi?id=1532530.
I'm trying to add a further exception for about:tor, but the real solution would be the aforementioned Mozilla bug (which already has a patch attached) being fixed, of course.

comment:5 Changed 7 months ago by ma1

Owner: changed from tbb-team to gk
Status: needs_informationassigned

Fixed in 10.2.5, thanks.

comment:6 in reply to:  5 ; Changed 7 months ago by gk

Resolution: fixed
Status: assignedclosed

Replying to ma1:

Fixed in 10.2.5, thanks.

Thanks. This fixes the problem for me. Pushed to master (commit aac31f8aa81a76cd33e0bfd1de2294db4ee79c1c) and maint-8.0 (commit a9c6707fcf44fa22e7e9cd806b3d3b11677e87ae) in our tor-browser-build repo.

ma1: Once the right fix on Mozilla's side landed I'll open a ticket to track the backport if necessary. We'll ship the next releases with that fix (either we got Mozilla to backport the fix to esr60 or we do it ourselves). Once that's done you can remove all the workarounds on your side and we are back at the status quo ante. :)

Thanks for helping us here.

comment:7 in reply to:  6 Changed 7 months ago by ma1

Replying to gk:

ma1: Once the right fix on Mozilla's side landed

It has, half an hour ago. I had already told :robwu that a backport to ESR is very needed for the Tor Browser, but a push from your side won't harm ;)

Note: See TracTickets for help on using tickets.