GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened Jul 17, 2018 by Roger Dingledine (@arma)

Tor Browser 8.0, noscript pops up a full-browser-size window to warn me about x-site scripting

When I go to certain sites in the Tor Browser 8.0, I get a new window popping up, which is the same size as my current browser window, which looks like it comes from noscript. It says "NoScript XSS Warning" at the top, and the window title is "moz-extension://4536b558-.... NoScript XSS Warning", and there's a bit of text towards the top that says:



NoScript detected a potential Cross-Site Scripting attack

from http://www.espn.com to https://8397396.fls.doubleclick.net.

Suspicious data:

(URL) https://8397396.fls.doubleclick.net/activityi;src=8397396;type=espng0;cat=espna0;u1=http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-house-epic-derby-comeback;u2=[s.products];u3=[c.promocode];u4=[payment method];u5=[c.SWID];u6=[c.UNID];u7=[c.NavMethod];u8=[Trial/Monthly/Annual];dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;ord=9016327828417.457?

and towards the bottom I have the options to block, always block, allow, always allow, and then an ok button.

The example url in this case was http://www.espn.com/mlb/story/_/id/24116616/mlb-bryce-harper-brings-house-epic-derby-comeback

(I've noticed the behavior happens pretty consistently with espn urls.)

I'm not sure quite what behavior I would expect instead, but "making a new huge window that's mostly whitespace and that prevents me from doing anything on any tab until I've made the window go away" was not it. :)

Reference: legacy/trac#26847