by Pansa » Fri Nov 24, 2017 10:43 pm
barbaz wrote:Pansa wrote: it also means you gave [...] script permissions to begin with, because if it weren't allowed to run scripts, it wouldn't be allowed to cross-script to begin with.
Nope, XSS can happen without the malicious site being Allowed. IIRC NoScript Classic actually uses a stricter XSS filter for requests originating from untrusted sites, than for requests originating from trusted sites.
See "link" for a short explanation of what XSS is.
Err, no, just about every site uses javascript from another domain and it's not an attack situation. XSS is when a malicious site injects its Javascript code into another site, e g your bank, and your bank site then runs the malicious code in its own context, i.e. as though the malicious site's injected code were part of the bank site's own code. Your browser is the vector for this injection.
That is exactly what I mean.
In that example if I block the Bank's scripts, there shouldn't be an attack to begin with. It runs in the Bank's context. If I allow the bank, the attack is that I inadvertently allow someone else who injected something.
he wrote
from [...] to storm
I assume the [...] means a site he is not comfortable disclosing here.
I checked on imdb (which uses xss to call it's advertising network *hmpf*)
And the XSS warning comes up although I have BOTH on untrusted (for testing).
My question is why is NS warning me of something running in the imdb context, if I explicitly don't want imdb to execute ANY scripts (injected or not)?
I assume that is pointing back to the missing noscript tag?
[quote="barbaz"][quote="Pansa"] it also means you gave [...] script permissions to begin with, because if it weren't allowed to run scripts, it wouldn't be allowed to cross-script to begin with.[/quote]
Nope, XSS can happen without the malicious site being Allowed. IIRC NoScript Classic actually uses a stricter XSS filter for requests originating from untrusted sites, than for requests originating from trusted sites.
See "link" for a short explanation of what XSS is.[/quote]
[quote]
Err, no, just about every site uses javascript from another domain and it's not an attack situation. XSS is when a malicious site injects its Javascript code into another site, e g your bank, and your bank site then runs the malicious code in its own context, i.e. as though the malicious site's injected code were part of the bank site's own code. Your browser is the vector for this injection.
[/quote]
That is exactly what I mean.
In that example if I block the Bank's scripts, there shouldn't be an attack to begin with. It runs in the Bank's context. If I allow the bank, the attack is that I inadvertently allow someone else who injected something.
he wrote
[quote]from [...] to storm[/quote]
I assume the [...] means a site he is not comfortable disclosing here.
I checked on imdb (which uses xss to call it's advertising network *hmpf*)
And the XSS warning comes up although I have BOTH on untrusted (for testing).
My question is why is NS warning me of something running in the imdb context, if I explicitly don't want imdb to execute ANY scripts (injected or not)?
I assume that is pointing back to the missing noscript tag?