#29733: Disable NoSript XSS protection for now due to bug 1532530 --------------------------------------------+-------------------------- Reporter: gk | Owner: tbb-team Type: defect | Status: closed Priority: Very High | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: fixed Keywords: noscript, TorBrowserTeam201903 | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: --------------------------------------------+-------------------------- Changes (by gk):
* status: needs_information => closed * resolution: => fixed Comment: Replying to [comment:19 ma1]: > Replying to [comment:18 ma1]: > > Replying to [comment:17 gk]: > > > ma1: I tested 8.0.7 with 10.2.2 and realized that I am now seeing for any search request typed in the URL bar a scary XSS warning popup. That's very unfortunate as there is definitely no XSS involved if I type my search queries into the URL bar. Could you please fix that? > > > > Fixed in [https://github.com/hackademix/noscript/releases/tag/10.2.3rc2 NoScript 10.2.3rc2]. > > [https://github.com/hackademix/noscript/releases/tag/10.2.3 Now also in 10.2.3], in case you've got some "ship stable releases only" policy. Yes, thanks for that. I bumped the NoScript version to the latest stable one in commits fe57b321785474679b6adadcf769eb08dde28f76 and 37aa44ee2954bd99e9a53cf00cb4b474b86a07fb on `master` and in commit 378de243109024a80e841bfa47efcca5d7a5c18f on `maint-8.0` in our `tor- browser-build` repo. It's a bit unfortunate that there are now many more false positive popups disrupting the user experience. So we'll need to monitor this and re-think enabling XSS protections if we come to the conclusion that enabling them outweigh the usability penalties. (#29647 and above all #26847 come to mind here) Anyway, thanks Giorgio for the quick help! -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29733#comment:20> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs