#29646: NoScript XSS user choices are persisted
-------------------------------------------------+-------------------------
 Reporter:  atac                                 |          Owner:  tbb-team
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-disk-leak xss noscript           |  Actual Points:
  tbb-newnym ux-team                             |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by antonela):

 The best approach is the one which balances XSS warnings and usability.

 I have concerns about how users interact with the XSS warning screen. So, having another option available there will not solve this problem for the masses nor allow users to pick the safest option for them.

 That said, if Tor Browser can keep that option across sessions, it will improve the overall experience for recurrent users visiting a website recurrently.

 Let's say I'm a user visiting foo.com and I get an XSS warning. I'm blocking requests because I want to be safe, and I continue browsing in a half-loaded website. Maybe I can deal with that breakage but be safe enough. That is the current Tor Browser user experience so far.

 As a damage reduction, having the option persistent per-session (block or allow) seems the best balance between risk and usability. If a user wants a website loading correctly (or chooses to allow, say by accident :), and we have concerns about leaking, that will happen just in the current session.

 You may argue that this is not strictly related to security, but on the users' end it is. Maybe it fits as something to consider for our security settings, where we should holistically balance security and usability across levels.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29646#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online