When I visit https://www.xquartz.org/ I get a message from NoScript saying that it blocked a cross-site scripting attempt. If I don't allow the XSS, the "quick download" link doesn't work; it downloads a file with a long name full of digits and no extension. At a minimum, the page should warn users that this will happen and that they should allow the XSS attempt. Better would be to redesign the web page so that this doesn't happen. Thanks.
Curious. The quick downloads link is quite vanilla: <a href="https://dl.bintray.com/xquartz/downloads/XQuartz-2.7.11.dmg"> See https://github.com/XQuartz/xquartz.github.io/blob/master/index.html There is no cross-site scripting involved aside from Google Analytics (which should be perfectly safe to neuter): https://github.com/XQuartz/xquartz.github.io/blob/master/_includes/google_analytics.html
Hi, Jeremy! I think the problem is actually happening at bintray.com.
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/xserver/issues/804.