#29733: Disable NoSript XSS protection for now due to bug 1532530 --------------------------------------------+-------------------------- Reporter: gk | Owner: tbb-team Type: defect | Status: new Priority: Very High | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: Keywords: noscript, TorBrowserTeam201903 | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: --------------------------------------------+--------------------------
Comment (by eloquence): > What if I provide an option to just disable XSS injection checks on POST parameters (which would prevent the requestBody listener from being registered), and possibly another option to ask user confirmation for POST requests from JavaScript-disabled sites to TRUSTED ones, in order to mitigate the loss of protection? What will the default behavior in Tor be if, say, the user is attempting to upload to SecureDrop with JavaScript disabled? Would they get a scary confirmation dialog? It would be really good to avoid scary confirmation messages that make the user think that there is a security issue, when there really is not. (I realize this is now a NoScript issue again, feel free to point me to a corresponding issue if that's a better place to discuss. :) -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29733#comment:11> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs