Opened 5 months ago

Closed 3 months ago

#29969 closed defect (fixed)

Drag-and-drop search causes NoScript XSS warning

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: noscript, TorBrowserTeam201905R
Cc: ma1
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Select some text and drag it onto the current tab or new tab to create a search.

Example warning:

NoScript detected a potential Cross-Site Scripting attack

from https://trac.torproject.org to https://duckduckgo.com.

Suspicious data:

(POST)

Change History (16)

comment:1 Changed 5 months ago by arma

I just noticed this ticket, and confirmed that indeed the behavior does happen as described.

It looks like the intended behavior from the browser is that whatever text I drop into a tab should turn into a new search (using the default search engine).

I wonder what is triggering the noscript complaint... cross-site from where?

comment:2 Changed 5 months ago by gk

Cc: ma1 added
Keywords: noscript TorBrowserTeam201904 added

That's a fallout from working around https://bugzilla.mozilla.org/show_bug.cgi?id=1532530 I guess (see: #29733 for details). We'll pick the fix for that bug up with the next release and then Giorgio can remove the workaround causing this bug in NoScript. I'll leave this bug open for tracking our inclusion of that new NoScript version (which should fix this issue then).

comment:3 Changed 4 months ago by gk

Cherry-picked the fix for bug 1532530 onto tor-browser-60.6.1esr-8.5-1 (commit 30a070eefe4c881a1804690b8983db2911c2c99b) so we get it into Tor Browser 8.5.

comment:4 Changed 4 months ago by gk

Keywords: TorBrowserTeam201905 added; TorBrowserTeam201904 removed

Moving tickets to May

comment:5 Changed 3 months ago by gk

ma1: We'll get a new Tor Browser out next week with the fix for https://bugzilla.mozilla.org/show_bug.cgi?id=1532530. Could you prepare a NoScript release without the workaround that is causing so many false positive XSS popup warnings? Thanks!

comment:6 in reply to: 5 Changed 3 months ago by ma1

Replying to gk:

> ma1: We'll get a new Tor Browser out next week with the fix for https://bugzilla.mozilla.org/show_bug.cgi?id=1532530. Could you prepare a NoScript release without the workaround that is causing so many false positive XSS popup warnings? Thanks!

Of course, thanks for the heads up. Would a NoScript release on Wednesday work for you?

comment:7 Changed 3 months ago by gk

Yes, that's perfectly fine, thanks.

comment:8 in reply to: 7 Changed 3 months ago by ma1

Replying to gk:

> Yes, that's perfectly fine, thanks.

Sorry, I'm confused: did you already release yesterday after all?
Which buildID should I look for the fix? >= "20190416010130" (per https://bugzilla.mozilla.org/show_bug.cgi?id=1532530#c19 ) or something else (the 8.5 I've just been updated to has buildID="20190307010101")?
And I've just noticed https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/runtime/getBrowserInfo now exposes an isTorBrowser info property, apparently because of us (look at the "reference" link). Since when (not in 8.5 yet, apparently)?

Last edited 3 months ago by ma1

comment:9 in reply to: 8 Changed 3 months ago by ma1

Replying to ma1:

> Which buildID should I look for the fix? >= "20190416010130" (per https://bugzilla.mozilla.org/show_bug.cgi?id=1532530#c19 ) or something else (the 8.5 I've just been updated to has buildID="20190307010101")?

OK, I'll assume anybody with an up-to-date browser doesn't need the workaround anymore, and to hell with the others. Removing it unconditionally...

comment:12 in reply to: 8 Changed 3 months ago by gk

Replying to ma1:

> Replying to gk:
>
> > Yes, that's perfectly fine, thanks.
>
> Sorry, I'm confused: did you already release yesterday after all?
> Which buildID should I look for the fix? >= "20190416010130" (per https://bugzilla.mozilla.org/show_bug.cgi?id=1532530#c19 ) or something else (the 8.5 I've just been updated to has buildID="20190307010101")?
> And I've just noticed https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/runtime/getBrowserInfo now exposes an isTorBrowser info property, apparently because of us (look at the "reference" link). Since when (not in 8.5 yet, apparently)?

We have a different buildID due to our reproducible builds. So, yes, 8.5 is the one that needs to get out and that got out. The isTorBrowser property was wrong on MDN. Someone just added that to the wiki. Thanks to tjr for correcting that.

comment:13 Changed 3 months ago by gk

Keywords: TorBrowserTeam201905R added; TorBrowserTeam201905 removed
Status: new → needs_review

Okay, this works for me. bug_29969 (https://gitweb.torproject.org/user/gk/tor-browser-build.git/commit/?h=bug_29969&id=ffc98d9108cc6b420ec4cd17de475631013eecfe) has a fix for this bug (by bumping NoScript) for review.

comment:14 Changed 3 months ago by cypherpunks

Bump to RC on master?

comment:15 Changed 3 months ago by acat

Looks good to me.

comment:16 Changed 3 months ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks. Cherry-picked to master (commit db1ff5cb84595c0b9299d8326bc565517f926511) and maint-8.5 (commit d2c1d1718bbaf892536c5fad371b46ef7acc2555).