[tbb-bugs] #29646 [Applications/Tor Browser]: NoScript XSS user choices are persisted
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Mar 6 08:12:59 UTC 2019
#29646: NoScript XSS user choices are persisted
-------------------------------------------------+-------------------------
Reporter: atac | Owner: tbb-
| team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-disk-leak xss noscriptm tbb- | Actual Points:
newnym |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):
* keywords: tbb-disk-leak xss noscript => tbb-disk-leak xss noscriptm tbb-
newnym
Comment:
One could actually argue that it's exactly behaving as expected: You said
*always*, now you get always (while just simply allowing/blocking would be
session-wide (Or maybe it's bound to the domain? I have not checked)).
That persists over New Identity, which is definitely a bug. But I am not
sure what the best solution for the disk persistence would be. Just not
offering those two options on the dialog? Or maybe we should just disable
NoScript's XSS protections altogether given that it causes bugs like
#29647 and #22362?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29646#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list