Bug 106139 - xQuartz download web page XSS blocked by noScript
Alias: None
Product: XQuartz
Classification: Unclassified
Component: New Bugs
Version: 2.7.11 (xserver-1.18.4)
Hardware: All Mac OS X (All)
Importance: medium normal
Assignee: Jeremy Huddleston Sequoia
QA Contact: Jeremy Huddleston Sequoia
Depends on:
Reported: 2018-04-19 19:42 UTC by bh@cs.berkeley.edu
Modified: 2019-05-23 18:32 UTC


Description bh@cs.berkeley.edu 2018-04-19 19:42:35 UTC
When I visit https://www.xquartz.org/ I get a message from noScript saying that it blocked a cross-site scripting attempt.  If I don't allow the XSS, the "quick download" link doesn't work; it downloads a file with a long name full of digits and no extension.

At a minimum, the page should warn users that this will happen and that they should allow the XSS attempt.  Better would be to redesign the web page so that this doesn't happen.

Comment 1 Jeremy Huddleston Sequoia 2018-04-20 16:29:53 UTC

The quick downloads link is quite vanilla:

   <a href="https://dl.bintray.com/xquartz/downloads/XQuartz-2.7.11.dmg">

See https://github.com/XQuartz/xquartz.github.io/blob/master/index.html

There is no cross-site scripting involved aside from Google analytics (which should be perfectly safe to neuter):
Comment 2 bh@cs.berkeley.edu 2018-04-20 16:58:16 UTC
Hi, Jeremy!

I think the problem is actually happening at bintray.com.
Comment 3 GitLab Migration User 2019-05-23 18:32:30 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/xserver/issues/804.
