[tbb-dev] Firefox/NoScript bug with major downstream effects

Erik Moeller erik at freedom.press
Thu Mar 7 05:26:54 UTC 2019


Dear TBB developers,

I wanted to make sure you've seen this issue regarding uploads and
NoScript's "Sanitize cross-site suspicious requests" option:

https://bugzilla.mozilla.org/show_bug.cgi?id=1532530
https://github.com/hackademix/noscript/issues/64
https://github.com/freedomofpress/securedrop/issues/4078
https://github.com/micahflee/onionshare/issues/899

As far as we've been able to tell, this option, which is enabled by
default and intended to guard against XSS attacks, is causing large
uploads in non-JS upload forms to break intermittently. This may
ultimately be due to a bug in Firefox itself (the first link).

The only reason the SecureDrop and OnionShare issues are closed is that
we've implemented ugly workaround instructions for now, and NoScript
considers it an upstream issue in Firefox.

Since this impacts Tor browser users much more than Firefox users,
perhaps some folks on this list may be able to help bring this to a
resolution. In any case, I wanted to flag it to this group given the
impact this issue is having.

Warmly,

Erik
-- 
Principal Project Manager
Freedom of the Press Foundation

