XSS on YouTube

Post a reply


In an effort to prevent automatic submissions, we require that you complete the following challenge.
Smilies
:D :) ;) :( :o :shock: :? 8-) :lol: :x :P :oops: :cry: :evil: :twisted: :roll: :!: :?: :idea: :arrow: :| :mrgreen: :geek: :ugeek:

BBCode is ON
[img] is ON
[flash] is OFF
[url] is ON
Smilies are ON

Topic review
   

Expand view Topic review: XSS on YouTube

Re: XSS on YouTube

by Thrawn » Tue Sep 24, 2013 10:19 pm

barbaz wrote:@redwolfe_98:
redwolfe_98 wrote:after reading the other posts, where people said that they were concerned about allowing XSS, i am leary of using the new built 2.6.8.1..


I think you can turn the exception off by going to about:config and setting noscript.filterXExceptions.yt_comments to false, see http://forums.informaction.com/viewtopic.php?p=48111#p48111

Also, Giorgio has already explained that he protected it from actual XSS, by filtering it to ensure that the exception only applies to requests coming from YouTube.

Re: XSS on YouTube

by barbaz » Tue Sep 24, 2013 8:09 pm

@redwolfe_98:
redwolfe_98 wrote:after reading the other posts, where people said that they were concerned about allowing XSS, i am leary of using the new built 2.6.8.1..


I think you can turn the exception off by going to about:config and setting noscript.filterXExceptions.yt_comments to false, see http://forums.informaction.com/viewtopic.php?p=48111#p48111

Re: XSS on YouTube

by redwolfe_98 » Tue Sep 24, 2013 2:57 pm

giorgio, you said for people to stop posting to this thread, however i want to say again that i am not experiencing the same problem with build 2.6.7.1 so i am wondering if the "problem" isn't being caused by some other addon that people are using, in addition to "noscript"..

after reading the other posts, where people said that they were concerned about allowing XSS, i am leary of using the new built 2.6.8.1..

also, if google caused the problem, with the way that they had the "youtube" setup, i am thinking that maybe they fixed the problem..

Re: XSS on YouTube

by Mastacheata » Sat Sep 21, 2013 3:04 pm

Giorgio Maone wrote:Please check latest development build 2.6.8rc1, thanks.

XSS notifications are gone (that part was ok with the manual exception rule as well) and the most important part: Navigating between different videos on youtube works again!
Thank you very much.

Re: XSS on YouTube

by Thrawn » Sat Sep 21, 2013 5:54 am

Giorgio Maone wrote:
Thrawn wrote:If we're going to have an XSS exception for this, then I'd recommend also having an ABE rule to protect it, since it may allow actual XSS.

It's a built-in exception which checks both the origin and the target, therefore it's equivalent to having a restrictive rule like the one you're proposing.

OK :)

Re: XSS on YouTube

by cartel » Sat Sep 21, 2013 1:09 am

Any updates on this?
I'm on Palemoon 24.01 and I tried
^https://plus\.googleapis\.com/_/im/_/widget/render/comments\?
^https://apis\.google\.com/u/0/_/widget/render/comments\?

But I still get the warning. What I'm also seeing is a blue drop down just like the warning bar that is blue and has some advertising text on it.
Its like a slide in on the top of the browser windows at Youtube

Thanks


edit
I found a image of the blue bar and how to remove it using adblock?

http://www.youtube.com/watch?v=TXenC_9VCiI

Re: XSS on YouTube

by Giorgio Maone » Fri Sep 20, 2013 11:26 pm

Thrawn wrote:If we're going to have an XSS exception for this, then I'd recommend also having an ABE rule to protect it, since it may allow actual XSS.

It's a built-in exception which checks both the origin and the target, therefore it's equivalent to having a restrictive rule like the one you're proposing.

Re: XSS on YouTube

by Thrawn » Fri Sep 20, 2013 10:29 pm

If we're going to have an XSS exception for this, then I'd recommend also having an ABE rule to protect it, since it may allow actual XSS.

Re: XSS on YouTube

by Giorgio Maone » Fri Sep 20, 2013 8:21 pm

Please check latest development build 2.6.8rc1, thanks.

Re: XSS on YouTube

by Giorgio Maone » Fri Sep 20, 2013 1:15 pm

For whoever missed it, a stopgap solution is here.
I'm gonna add a structural work-around in next version, now please stop adding to this thread unless the above doesn't work for you.

Re: XSS on YouTube

by Guest » Fri Sep 20, 2013 11:45 am

Hop! I got rid of the XSS warning when I tested the following edited command by adding it on Anti-XSS Protection Exceptions :o

^https?://(?:www\.)?(youtube\.com/)?

Re: XSS on YouTube

by Guest » Fri Sep 20, 2013 11:16 am

Using Firefox 20, two days ago I was testing this after hearing about it and couldn't reproduce it. At the time I noted down what Request Policy and Noscript was blocking. Here is the list on Sep 18:
Request Policy
    google.com
    googleusercontent.com
    gstatic.com
Noscript
    apis.google.com

Still on FX20, today(Sep 20) I tried again and still couldn't reproduce it, however I found a few additional site that Request Policy and Noscript is blocking. The new sites are in addition to the list above:
Request Policy
    youtube-nocookie.com
    googlesyndication.com
    googletagservices.com
Noscript
    googlesyndication.com
    googletagservices.com

I allowed googlesyndication.com and googletagservices.com in both Request Policy and Noscript but again couldn't reproduce it.

If it may help, I've never allowed cookies on youtube.com, and this is the first time I've encountered youtube-nocookie.com.

Re: XSS on YouTube

by Guest » Fri Sep 20, 2013 10:48 am

The warning also shows up on Firefox 20.

Re: XSS on YouTube

by redwolfe_98 » Fri Sep 20, 2013 6:33 am

Giorgio Maone wrote:I couldn't reproduce it

i am not experiencing the problem, either..

Re: XSS on YouTube

by anonymoususer » Fri Sep 20, 2013 4:30 am

I confirm this is affecting me aswell I just updated to firefox 24.0 - mozilla firefox for linux mint 1.0. After this update I am having cross site scripting warnings everytime i click on any video on youtube. I assume that this is just an error due to changes in code on firefox's end not being compatible with noscript, but you can never be sure. I am not so much into programming as much as I am into personal security so I don't want to take chances and edit the config like suggested below. I would feel much more safe if noscript support would push out an update or give an official fix to this problem from an admin on this board. I am not going to ever get rid of noscript but I hope this issue can get resolved soon. Thanks for all the help and I love Noscript please keep up the great work.

Some Infos:

Linux Mint 15 x64
firefox 24.0 - for linux mint 1.0
many addons installed including ghostery, noscript, adblock plus, and adblock plus pop-up addon mostly as browser security.

Hope this helps!

Top