
[RESOLVED] Infinite JS Warning Popups - How to crash TB through NoScript

Posted: Mon Aug 16, 2021 1:23 pm
by aliphapet
Hi There,

You can see full details reported to TorProject:

https://gitlab.torproject.org/tpo/appli ... sues/40596

ThX!

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Posted: Wed Aug 18, 2021 4:11 pm
by therube
(I'll just note that in FF [not Tor] 78ESR & 91, I can get high CPU [that does subside after a bit], but I don't see XSS nor do I crash.
Win7 x64.)

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Posted: Wed Aug 18, 2021 9:44 pm
by Giorgio Maone
I can see what's happening there: the page has 152 <noscript> elements, 56 of which contain distinct YouTube iframes, which therefore get scanned for XSS attempts all together, DoSing the browser.

If you either disable the noscript capability for 3mdeb.com or the frame capability for youtube.com the page should load almost instantaneously with no warning.

I should probably look into some form of rate limiting or serialization of the injection checker for edge cases like this.
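
An added illustration of the "rate limiting or serialization" idea mentioned in the post above. It is not part of the thread and not NoScript's code; the class name, its options, the verdict strings and the sample URLs used to exercise it are assumptions.

```javascript
// Added illustration: hypothetical one-at-a-time checker, not NoScript's code.
class SerializedChecker {
  constructor(checkFn, { timeoutMs = 2000, gapMs = 0 } = {}) {
    this.checkFn = checkFn;     // (url) => boolean or Promise<boolean>; true = suspicious
    this.timeoutMs = timeoutMs; // budget for a single check
    this.gapMs = gapMs;         // pause between checks (rate limit)
    this.verdicts = new Map();  // url -> Promise<"allow"|"block">, dedupes repeats
    this.queue = [];            // FIFO of checks that have not started
    this.running = false;       // true while a check is in flight
  }

  // Queue a URL for checking; identical URLs share one check and one verdict.
  check(url) {
    if (!this.verdicts.has(url)) {
      const p = new Promise((resolve) => this.queue.push({ url, resolve }));
      this.verdicts.set(url, p);
      this._next();
    }
    return this.verdicts.get(url);
  }

  _next() {
    if (this.running || this.queue.length === 0) return;
    const { url, resolve } = this.queue.shift();
    this.running = true;
    let timer;
    // The timeout clock starts here, so time spent queued is not charged to the check.
    const timeout = new Promise((r) => {
      timer = setTimeout(() => r(true), this.timeoutMs);
    });
    // A check that throws or times out is treated as suspicious (fail closed).
    const work = new Promise((r) => r(this.checkFn(url))).catch(() => true);
    Promise.race([work, timeout]).then((suspicious) => {
      clearTimeout(timer);
      resolve(suspicious ? "block" : "allow");
      // Yield to the event loop before the next check so the UI stays responsive.
      setTimeout(() => { this.running = false; this._next(); }, this.gapMs);
    });
  }
}
```

The timer can only cut off an asynchronous check; a synchronous, CPU-bound `checkFn` would have to be split into chunks or moved off the main thread for the budget to apply.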

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Posted: Sun May 22, 2022 2:24 pm
by security-alert
Any news on this issue? I can see it still happening until this day.

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Posted: Tue May 24, 2022 10:24 pm
by Giorgio Maone
Could you please check latest development build? Thanks.
v 11.4.6rc1
============================================================
x [XSS] Correct for concurrency in timeout checks
x [UI] Flatter preset appearance
x [UI] Focus visual feedback adjustments
x Inclusion-time TLD updates
x Updated HTML events
x [L10n] Updated pl
x Opaque white for vintage lock icons
x [L10n] Updated is

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Posted: Thu May 26, 2022 9:51 pm
by security-alert
> Could you please check latest development build? Thanks.
> v 11.4.6rc1

Yes, works great! Thank you :)

Btw, the forum doesn't send notifications, neither through email nor internally (within the forum). Also, reset password doesn't work (no reply). So I just wanted to let you know so hopefully it can be fixed or so.

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Posted: Thu May 26, 2022 10:36 pm
by barbaz_logged_out
security-alert wrote: Thu May 26, 2022 9:51 pm
> Btw, the forum doesn't send notifications, neither through email nor internally (within the forum). Also, reset password doesn't work (no reply). So I just wanted to let you know so hopefully it can be fixed or so.

???
Ok, I'm testing subscribing to this topic, let's see if I get notified of this reply...

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Posted: Thu May 26, 2022 10:38 pm
by barbaz
Email notification came instantly for me. EDIT Board-internal notification is also there. /EDIT

Check your settings in ucp.php?i=ucp_notifications&mode=notification_options and that you are indeed subscribed to this topic?

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Posted: Thu Jun 02, 2022 3:28 am
by security-alert
> and that you are indeed subscribed to this topic?

Ah, I should subscribe manually to the topics? I didn't know this; I thought it's automatic as long as the topic was created by me (which is my first account, which sadly, I don't know why, I can't log in to anymore...).

My notifications for internal and email are enabled, but yeah, the topic subscription I didn't check.

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Posted: Thu Jun 02, 2022 3:31 am
by security-alert
You can mark this ticket as fixed.

Re: [RESOLVED] Infinite JS Warning Popups - How to crash TB through NoScript

Posted: Tue Jun 07, 2022 1:27 pm
by arabflavor
Worked for me as well. Thanks. And yes, you have to be subscribed to the topic in order to receive notifications. I did not know it either.