Removed work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=1532530 (see https://trac.torproject.org/projects/tor/ticket/29969#comment:9).

2019-05-22 18:26:05 +02:00 · 2019-05-22 18:26:05 +02:00 · 0eb42450d4
parent c84673b110
commit 0eb42450d4
22 changed files with 9 additions and 238 deletions
--- a/src/_locales/br/messages.json
+++ b/src/_locales/br/messages.json
@ -359,18 +359,6 @@
        "message": "Treuzfurmiñ ar rekedoù POST dreuz-lec'hiennoù e-barzh rekedoù GET diroadenn",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Skanañ an uskargadennoù evit diguzhañ tagadennoù etre lec'hienn a c'hall bezañ",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Goulenn kadarnaat ar goulennoù POST etre-lec'hienn n'o deus ket gallet bezañ skanet",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "Ar goulenn etre-lec'hienn-mañ n'hall ket bezañ skanet evit an XSS.\nGellout a ra bezañ un hanter-dra, met NoScript n'hall ket touiñ en un doare sur. Aotreit an dra-se m'ho peus fiziañs e-barzh an div lec'hienn, hepken.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Erlec'hiañ rak-arventennoù live surentez ar Merdeer Tor",
        "description": ""
@ -911,4 +899,4 @@
        "message": "v $1",
        "description": ""
    }
-}
+}
--- a/src/_locales/ca/messages.json
+++ b/src/_locales/ca/messages.json
@ -359,18 +359,6 @@
        "message": "Converteix sol·licituds «POST» entre llocs en sol·licituds «GET» sense dades",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Escaneja les pujades per a possibles atacs entre llocs",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Solicita confirmació de sol·licituds POST entre llocs que no s'han pogut analitzar.",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "No s'ha pogut escanejar aquesta sol·licitud entre llocs per a XSS.\nPot ser que sigui innocu, però el NoScript no pot dir-ho amb seguretat. Permeteu-ho només si confieu en els dos llocs.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Anul·la el nivell de seguretat del navegador Tor",
        "description": ""
--- a/src/_locales/de/messages.json
+++ b/src/_locales/de/messages.json
@ -359,18 +359,6 @@
        "message": "Webseitenübergreifende POST-Anfragen in datenlose GET-Anfragen umwandeln",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Uploads auf potenzielle webseitenübergreifende Angriffe überprüfen",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Rückfrage bei webseitenübergreifenden POST-Anfragen, die nicht überprüft werden konnten",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "Diese webseitenübergreifende Anfrage konnte nicht auf XSS überprüft werden.\nSie könnte harmlos sein, aber NoScript kann das nicht sicher feststellen. Nur zulassen, wenn Sie beiden Webseiten vertrauen.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Die Sicherheitsstufe des Tor Browsers übersteuern",
        "description": ""
--- a/src/_locales/el/messages.json
+++ b/src/_locales/el/messages.json
@ -359,18 +359,6 @@
        "message": "Turn cross-site POST requests into data-less GET requests",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Scan uploads for potential cross-site attacks",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Ask confirmation for cross-site POST requests which could not be scanned",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "This cross-site request could not be scanned for XSS.\nIt might be innocuous, but NoScript cannot tell for sure. Allow only if you trust both sites.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Override Tor Browser's Security Level preset",
        "description": ""
--- a/src/_locales/en/messages.json
+++ b/src/_locales/en/messages.json
@ -270,15 +270,6 @@
  "OptFilterXPost": {
    "message": "Turn cross-site POST requests into data-less GET requests"
  },
-  "OptScanXUpload": {
-    "message": "Scan uploads for potential cross-site attacks"
-  },
-  "OptBlockUnscannedXPost": {
-    "message": "Ask confirmation for cross-site POST requests which could not be scanned"
-  },
-  "UnscannedXPost": {
-    "message": "This cross-site request could not be scanned for XSS.\nIt might be innocuous, but NoScript cannot tell for sure. Allow only if you trust both sites."
-  },
  "OptOverrideTorBrowserPolicy": {
    "message": "Override Tor Browser's Security Level preset"
  },
--- a/src/_locales/es/messages.json
+++ b/src/_locales/es/messages.json
@ -359,18 +359,6 @@
        "message": "Convertir peticiones POST de sitios entrecruzados en peticiones GET sin datos",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Escanear subidas por potenciales ataques de sitios cruzados",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Preguntar por confirmación de solicitudes POST de sitio cruzado que no pudieron ser escaneadas.",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "Esta solicitud de sitio cruzado no pudo ser escaneada por XSS.\nPodría ser inocua, pero NoScript no puede afirmarlo. Permítela solamente si confías en ambos sitios.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Sobreponer al Nivel de Seguridad predeterminado del Navegador Tor",
        "description": ""
--- a/src/_locales/fr/messages.json
+++ b/src/_locales/fr/messages.json
@ -359,18 +359,6 @@
        "message": "Transformer les requêtes POST intersites en requêtes GET sans données",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Chercher des attaques potentielles par script intersites dans les téléversements",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Demander une confirmation pour les requêtes POST intersites qui n’ont pas pu être analysées",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "La recherche de scripts intersites n’a pas pu être effectuée pour cette requête intersites.\nElle pourrait être inoffensive, mais NoScript ne peut pas en être certain. Ne l’autorisez que si vous faites confiance aux deux sites.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Remplacer le préréglage du niveau de sécurité du Navigateur Tor",
        "description": ""
--- a/src/_locales/he/messages.json
+++ b/src/_locales/he/messages.json
@ -359,18 +359,6 @@
        "message": "הפוך בקשות POST חוצות־אתרים אל בקשות GET מופחתות־נתונים",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "סרוק העלאות עבור מתקפות חוצות־אתרים פוטנציאליות",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "בקש אימות עבור בקשות POST חוצות־אתרים שאינן יכולות להיסרק",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "בקשת חוצת־אתרים זו לא יכלה להיסרק עבור XSS.\nהיא עשויה להיות בלתי־מזיקה, אבל NoScript אינו יכול לדעת בוודאות. התר רק אם אתה בוטח בשני האתרים.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "דרוס הגדרה של רמת אבטחה של דפדפן Tor",
        "description": ""
--- a/src/_locales/it/messages.json
+++ b/src/_locales/it/messages.json
@ -359,18 +359,6 @@
        "message": "Trasforma le richieste POST cross-site in richieste GET",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Ispeziona gli upload cercando potenziali attacchi XSS",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Chiedi conferma per gli upload potenzialmente pericolosi che non si sono potuti ispezionare",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "NoScript non ha potuto ispezionare questo caricamento da un sito ad un'altro. \nPotrebbe essere innocuo, ma NoScript non può assicurarlo con certezza.\nPermettilo solo se ti fidi di entrambi i siti.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Fai prevalere le mie impostazioni sul \"Livello di Sicurezza\" del Tor Browser",
        "description": ""
@ -911,4 +899,4 @@
        "message": "v $1",
        "description": ""
    }
-}
+}
--- a/src/_locales/ms/messages.json
+++ b/src/_locales/ms/messages.json
@ -359,19 +359,7 @@
        "message": "Ubah permohonan HANTARAN laman-silang menjadi pemohonan GET kurang-data",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Imbas muat naik bagi serang laman-silang yang berpotensi",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Tanya pengesahan untuk permohonan HANTARAN laman-silang yang tidak diimbas",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "Pemohonan laman-silang ini tidak diimbas bagi XSS.\nIa mungkin tidak merbahaya, tetapi NoScript tidak pasti berkenaannya. Hanya beri kebenaran sekiranya anda benar-benar mempercayai kedua-dua laman.",
-        "description": ""
-    },
-    "OptOverrideTorBrowserPolicy": {
+        "OptOverrideTorBrowserPolicy": {
        "message": "Batalkan praset Aras Keselamatan Pelayar Tor",
        "description": ""
    },
--- a/src/_locales/nb/messages.json
+++ b/src/_locales/nb/messages.json
@ -359,18 +359,6 @@
        "message": "Gjør mellomsidige POST-forespørsler til mindre datakrevende GET-forepørsler",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Scan uploads for potential cross-site attacks",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Ask confirmation for cross-site POST requests which could not be scanned",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "This cross-site request could not be scanned for XSS.\nIt might be innocuous, but NoScript cannot tell for sure. Allow only if you trust both sites.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Override Tor Browser's Security Level preset",
        "description": ""
@ -911,4 +899,4 @@
        "message": "v $1",
        "description": ""
    }
-}
+}
--- a/src/_locales/nl/messages.json
+++ b/src/_locales/nl/messages.json
@ -359,18 +359,6 @@
        "message": "Cross-site-POST-aanvragen omzetten naar gegevensarme GET-aanvragen",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Uploads scannen op potentiële cross-site-aanvallen",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Bevestiging vragen voor cross-site-POST-aanvragen die niet konden worden gescand",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "Deze cross-site-aanvraag kon niet op XSS worden gescand.\nDit kan onschuldig zijn, maar NoScript weet het niet zeker. Sta dit alleen toe als u beide websites vertrouwt.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Voorkeuze van beveiligingsniveau van Tor Browser negeren",
        "description": ""
--- a/src/_locales/pt_BR/messages.json
+++ b/src/_locales/pt_BR/messages.json
@ -359,18 +359,6 @@
        "message": "Transformar solicitações POST entre sites em solicitações GET sem dados",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Scan uploads for potential cross-site attacks",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Ask confirmation for cross-site POST requests which could not be scanned",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "This cross-site request could not be scanned for XSS.\nIt might be innocuous, but NoScript cannot tell for sure. Allow only if you trust both sites.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Override Tor Browser's Security Level preset",
        "description": ""
--- a/src/_locales/ru/messages.json
+++ b/src/_locales/ru/messages.json
@ -359,18 +359,6 @@
        "message": "Заменять межсайтовые POST-запросы на GET-запросы без данных",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Сканирование загрузок на предмет возможных межсайтовых атак",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Спрашивать подтверждение для межсайтовых POST-запросов, которые не могут быть просканированы",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "Этот межсайтовый запрос не может быть просканирован на наличие XSS.\nОн может быть безвредным, но NoScript не может определить точно.\nРазрешайте, только если доверяете обоим сайтам.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Переопределить заданный уровень безопасности Tor Browser’а",
        "description": ""
--- a/src/_locales/sv_SE/messages.json
+++ b/src/_locales/sv_SE/messages.json
@ -359,18 +359,6 @@
        "message": "Förvandla webbplatsöverskridande POST-förfrågningar till mindre-data GET-förfrågningar",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Scan uploads for potential cross-site attacks",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Ask confirmation for cross-site POST requests which could not be scanned",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "This cross-site request could not be scanned for XSS.\nIt might be innocuous, but NoScript cannot tell for sure. Allow only if you trust both sites.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Override Tor Browser's Security Level preset",
        "description": ""
@ -911,4 +899,4 @@
        "message": "v $1",
        "description": ""
    }
-}
+}
--- a/src/_locales/tr/messages.json
+++ b/src/_locales/tr/messages.json
@ -359,18 +359,6 @@
        "message": "Siteler arası POST istekleri veriden arındırılmış GET isteklerine dönüştürülsün",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Yüklenen dosyalar olası siteler arası saldırılara karşı taransın",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Taranamayan siteler arası POST istekleri için onay istensin",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "Bu siteler arası istek XSS saldırılarına karşı taranamadı.\nZararsız olabilir ancak NoScript kesin olarak bir şey söyleyemiyor. Ancak her iki siteye de güveniyorsanız onaylayın.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Tor Browser Güvenlik Duvarı ayarı değiştirilsin",
        "description": ""
@ -911,4 +899,4 @@
        "message": "v $1",
        "description": ""
    }
-}
+}
--- a/src/_locales/zh_CN/messages.json
+++ b/src/_locales/zh_CN/messages.json
@ -359,18 +359,6 @@
        "message": "将跨网站的 POST 请求转换为无数据的 GET 请求",
        "description": ""
    },
-    "OptScanXUpload": {
-        "message": "Scan uploads for potential cross-site attacks",
-        "description": ""
-    },
-    "OptBlockUnscannedXPost": {
-        "message": "Ask confirmation for cross-site POST requests which could not be scanned",
-        "description": ""
-    },
-    "UnscannedXPost": {
-        "message": "This cross-site request could not be scanned for XSS.\nIt might be innocuous, but NoScript cannot tell for sure. Allow only if you trust both sites.",
-        "description": ""
-    },
    "OptOverrideTorBrowserPolicy": {
        "message": "Override Tor Browser's Security Level preset",
        "description": ""
@ -911,4 +899,4 @@
        "message": "v $1",
        "description": ""
    }
-}
+}
--- a/src/bg/Defaults.js
+++ b/src/bg/Defaults.js
@ -13,8 +13,6 @@ var Defaults = {
        global: false,
        xss: true,
        cascadeRestrictions : false,
-        xssScanRequestBody: true,
-        xssBlockUnscannedPOST: false,
        overrideTorBrowserPolicy: false, // note: Settings.update() on reset will flip this to true
        clearclick: true,
      }
--- a/src/bg/Settings.js
+++ b/src/bg/Settings.js
@ -113,8 +113,6 @@ var Settings = {
        },
        sync: {
          cascadeRestrictions: true,
-          xssScanRequestBody: false,
-          xssBlockUnscannedPOST: true,
        }
      }
      for (let [storage, prefs] of Object.entries(torBrowserSettings)) {
--- a/src/ui/options.html
+++ b/src/ui/options.html
@ -109,15 +109,6 @@
    <span id="xssFaq">(<a href="https://noscript.net/faq#xss" title="https://noscript.net/faq#xss">__MSG_XssFaq__</a>)</span>
  </span>
  <button id="btn-delete-xss-choices" disabled>__MSG_XSS_clearUserChoices__</button>
-  <br />
-  <span id="xssScanRequestBody-opt">
-    <input type="checkbox" id="opt-xssScanRequestBody">
-      <label for="opt-xssScanRequestBody" id="lbl-opt-xssScanRequestBody">__MSG_OptScanXUpload__</label>
-  </span>
-  <span id="xssBlockUnscannedPOST-opt">
-    <input type="checkbox" id="opt-xssBlockUnscannedPOST">
-      <label for="opt-xssBlockUnscannedPOST" id="lbl-opt-xssBlockUnscannedPOST">__MSG_OptBlockUnscannedXPost__</label>
-  </span>
  </div>
  <div id="clearclick-options" class="opt-group">
  <input type="checkbox" id="opt-clearclick"><label for="opt-clearclick" id="lbl-clearclick">ClearClick</label>
--- a/src/ui/options.js
+++ b/src/ui/options.js
@ -35,8 +35,6 @@
  opt("cascadeRestrictions");

  opt("xss");
-  opt("xssScanRequestBody");
-  opt("xssBlockUnscannedPOST");

  opt("overrideTorBrowserPolicy");

--- a/src/xss/XSS.js
+++ b/src/xss/XSS.js
@ -116,12 +116,6 @@ var XSS = (() => {
      if (!UA.isMozilla) return; // async webRequest is supported on Mozilla only

      let {onBeforeRequest} = browser.webRequest;
-      let  {xssScanRequestBody} = ns.sync;
-      if (xssScanRequestBody !== this.xssScanRequestBody) {
-        this.stop();
-        this.xssScanRequestBody = xssScanRequestBody;
-      }
-      this.xssBlockUnscannedPOST = ns.sync.xssBlockUnscannedPOST;

      if (onBeforeRequest.hasListener(requestListener)) return;

@ -144,9 +138,7 @@ var XSS = (() => {
      onBeforeRequest.addListener(requestListener, {
        urls: ["*://*/*"],
        types: ["main_frame", "sub_frame", "object"]
-      },
-        // work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=1532530
-        xssScanRequestBody ? ["blocking", "requestBody"] : ["blocking"]);
+      }, ["blocking", "requestBody"]);
    },

    stop() {
@ -247,13 +239,8 @@ var XSS = (() => {
      ic.reset();

      let postInjection = xssReq.isPost &&
-       (XSS.xssScanRequestBody ?
          request.requestBody && request.requestBody.formData &&
-            ic.checkPost(request.requestBody.formData, skipParams)
-        : XSS.xssBlockUnscannedPOST &&
-          (request.originUrl || request.documentUrl) && // exclude non-document POSTs, such as url bar searches
-          ns.requestCan(request, "script") && ("\n" + _("UnscannedXPost"))
-      );
+          ic.checkPost(request.requestBody.formData, skipParams);

      let protectName = ic.nameAssignment;
      let urlInjection = ic.checkUrl(destUrl, skipRx);