[tbb-bugs] #29646 [Applications/Tor Browser]: NoScript XSS user choices are persisted
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jun 19 15:03:14 UTC 2019
#29646: NoScript XSS user choices are persisted
-------------------------------------------------+-------------------------
Reporter: atac | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-disk-leak xss noscript tbb-newnym ux-team | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by antonela):
The best approach is the one which balances XSS warnings and usability. I
have concerns about how users interact with the XSS warning screen. So,
having another option available there will not solve this problem for the
masses nor allow users to pick the safest option for them.
That said, if Tor Browser can keep that option across sessions, it will
improve the overall experience for recurrent users visiting a website
recurrently. Let's say I'm a user visiting foo.com and I get an XSS
warning; I'm blocking requests because I want to be safe, and I continue
browsing in a half-loaded website. Maybe I can deal with that breakage
but be safe enough. That is the current Tor Browser user experience so
far.
As a damage reduction, having the option persistent per session (block or
allow) seems the best balance between risk and usability. If a user wants
a website loading correctly (or chooses to allow, say by accident :), and
we have concerns about leaking, that will happen just in the current
session.
You may argue that this is not strictly related to security, but on the
users' end it is. Maybe it fits into something to consider for our security
settings, where we should holistically balance security and usability
across levels.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29646#comment:7>