how to stop the XSS notifications (and block by default)


Re: how to stop the XSS notifications (and block by default)

by Bill Door » Thu May 09, 2019 11:40 am

Sorry to bring back a really old thread, but it has screenshots which make the point perfectly and I wanted to share a fix - to double-check it's safe to do this.

If anyone else is getting the "annoying pop-up" experience to the XSS notification.

Just this, over and over and over:
Kkat wrote: Fri Dec 08, 2017 4:06 pm Image
(picture borrowed from another thread)
I found the FAQ didn't work because it doesn't match
Q: Can I turn off Anti-XSS activity notifications?
A: Yes, you can, just toggle the Noscript Options|Notifications|XSS preference.

So the option I've found that seems to work is this:

Click Advanced, and switch off the option “Ask confirmation for cross-site POST requests which could not be scanned”

This seems to stop the popups. But, is it safe? Advice welcome :)

Re: how to stop the XSS notifications (and block by default)

by brynn » Fri Dec 22, 2017 3:05 am

Thanks FranL. I did see the yellow menu, from time to time. But I'm not sure what I did to have it displayed. But more than that, I don't know what it's for, what the options mean or what they do. And therefore, no idea how to use them.

Well anyway, as I said I've already switched over to SeaMonkey. But hopefully my comments will help developers improve the program. I've been told these changes with Firefox 57 had been expected for some time. So I don't know why NS developers couldn't have NS working out of the gate. But by the time SeaMonkey is ready to use this version, maybe it will be fixed.

Thanks again for everyone's comments :)

Re: how to stop the XSS notifications (and block by default)

by FranL » Wed Dec 20, 2017 6:32 pm

brynn wrote:
In the DEFAULT setting (_none_ of the boxes ticked!), NS blocks everything, just as expected.
Well so far, I've only found 2 boxes to check -- allow all scripts (dangerous) and Sanitize XSS requests.
Just in case you are not aware of them, there are checkboxes for DEFAULT, TRUSTED, and CUSTOM that appear when you click on those labels:

Image

These checkboxes give you more granular control over what content each of these presets allows. Keep in mind that the DEFAULT and TRUSTED preset checkboxes are global — they affect every domain marked DEFAULT and TRUSTED. Only the CUSTOM checkboxes are specific to one domain.

Re: how to stop the XSS notifications (and block by default)

by drajitsh » Wed Dec 20, 2017 5:06 pm

Thanks brynn for the post. I feel the same way but type hunt & peck.

Re: how to stop the XSS notifications (and block by default)

by brynn » Wed Dec 20, 2017 4:03 pm

Hhmm, I had a nice long answer to this written the other day.....I must have forgotten to post it..... :lol:
Mark123 wrote: In the DEFAULT setting (_none_ of the boxes ticked!), NS blocks everything, just as expected.
Well so far, I've only found 2 boxes to check -- allow all scripts (dangerous) and Sanitize XSS requests. I honestly can't remember whether I checked Sanitize XSS requests, or if it was already checked for me, when I first started the new Firefox (quantum).

Of course, I could uncheck Sanitize XSS, but wouldn't that mean they aren't being blocked at all? I want to block them silently, without a big notification where I have to check a box to get it out of the way.
Mark123 wrote: No idea why this XSS warning would pop up with your settings on every single page as you seem to be suggesting.
No, not every page, every site.
Mark123 wrote: So they were ALL set to DEFAULT, and I made sure (and still do so from time to time, since it happened _once_ to me that somehow the MEDIA box got ticked in the DEFAULT settings with me not intending it or doing it knowingly) that in this DEFAULT zone, none of the boxes were ticked!
I did the same thing. I deleted all the presets, and started fresh.

But I don't know what Media box you are talking about. I don't see anything labelled Media. What is that?
Mark123 wrote: OK, that's my way of doing it, I am sure there are other ways, but I just wanted to tell you that NS works really well once you got the right settings and understand how to do so that it fits your individual needs.
Well in my opinion, the new NS is not intuitive and it takes WAY too much fumbling around and trying to learn by trial and error, what the settings are and what they do. I still haven't figured out a lot of it!

For example, it was happening many, many times for me, that I would click the toolbar icon to open the little menu (not Options), I would click for Temporary Permissions on individual domains (which by the way, now takes 2 clicks, instead of just one -- intuitive would be 1 click for temporary, and 2 clicks for trusted, but no, it's the other way around). Anyway I would set for trusted or temporary, and right before my eyes, it would reset itself to Default. No matter how many times I would set it for either Trusted or Temporarily Trusted, it would reset to Default. The only way I could get scripts working for a lot of sites, was to click the button for Temporarily Allow All.

That might seem to solve the problem, except for almost every website on the face of the web uses doubleclick.net advertising, and allowing all scripts allows those, and other advertising scripts! So now I have ads all over the place.

And then there were times when the Temporary Permission would not be revoked. I would click and click (either Revoke or Default) and they did not go back to default. It should not be surprising that these things were happening, due to the program not being intuitive and easy to use, and users having to click every button in sight to try and make things work. So then I started using Untrusted, to get rid of those that would not revoke. But then that gets to be a problem the next time I visit the site and I have to un-Untrust them.

From an aesthetic point of view, can't we just have 4 or 5 individual buttons: Default, Trusted, Temporarily Trusted, Untrusted ? Instead of something that looks like a slidebar but works like buttons. It's like the program needs to make up its mind whether it wants one or the other. And if it's buttons, make them separate and easy to understand at a glance.
Mark123 wrote: Hope this helps! BTW, I guess it's your postings in the InkScape Forum that helped me a lot some time ago, so I felt I have to try to help you this time
Oh, that's very sweet! Thank you for trying to help. I really appreciate that you spoke up!

After the first couple of days with the quantum Firefox, and honestly, it was the difficulty with NS which pushed me over the line. If not for these problems, I probably could have found enough patience to figure out how to replace the 8 or 9 addons which were permanently removed, and keep using Firefox. But I felt like I was going to have to spend so much time re-learning Firefox (and plus, I often had the experience of Ff updates breaking this addon or that, and I was having to stop and deal with that about every 2nd update). So I decided it was time to move on. Now I'm set up with SeaMonkey, which is essentially like using older versions of Firefox, which I'm fine with. I've found replacements for the vast majority of my Ff addons, and perhaps best of all, it uses an older version of NS, which actually works like before quantum57.

Have you tried enabling the XSS blocking? If you try it, you'll see those oversized notifications on every site, and I'm sure you'll quickly become annoyed.

Re: how to stop the XSS notifications (and block by default)

by Mark123 » Thu Dec 14, 2017 3:40 pm

Brynn,
Re: XSS problems,
I forgot to ask you if you are using the latest NS version, since Giorgio obviously did a lot of XSS-related work in the latest versions, see version info here:
https://addons.mozilla.org/en-US/firefo ... /versions/

Re: how to stop the XSS notifications (and block by default)

by Mark123 » Thu Dec 14, 2017 3:18 pm

brynn wrote:Should we assume that there is no way to block them? That developers actually intend for users to have to deal with at least 1 or 2 alerts for every website visited?

So the only way to stop the notifications is to disable the protection. Right?
Hej Brynn,

There definitely must be something wrong with your settings, because the new NoScript is even better than the old one IMHO.
No problems whatsoever here with the latest versions of Firefox and NS, and with XSS, for that matter.

In the DEFAULT setting (_none_ of the boxes ticked!), NS blocks everything, just as expected.

If the contents of a site seem important to me and I realize that some are missing, I grant temporary permission via the CUSTOM settings.
If it is a site I know I'll be returning to oftentimes, I make these CUSTOM settings permanent by clicking on the watch so that it gets smaller and looks gray and not active.

I only work with DEFAULT (none of the boxes ticked!) and CUSTOM settings (either temporary or permanent permissions, depending on my needs).
I personally don't use the TRUSTED and UNTRUSTED settings, because with them, every single change you make will have impact GLOBALLY, but I prefer to grant permissions on an individual level. Much better fine-grained settings!

This way NS works really, really well for me. BTW, being a web designer I am a "power surfer" or whatever you might call it, and still I hardly ever encounter any XSS warnings. If I do so, I look at the message and grant or don't grant the permissions as need arises. If in doubt, I don't grant the permissions. Works perfectly so far, BTW in combination with the add-on "uBlock Origin" with DEFAULT settings and filters (just plug and play).
No idea why this XSS warning would pop up with your settings on every single page as you seem to be suggesting.

One thing that might have to do with it:
If you first (after installation) click on the big red NS settings icon in the NS menu, next to the green Reload button, to get to the OPTIONS page, there are about twenty or so presets, IIRC. FYI, I got them all out before starting with my own settings, by clicking on the leftmost button, i.e. DEFAULT button. So they were ALL set to DEFAULT, and I made sure (and still do so from time to time, since it happened _once_ to me that somehow the MEDIA box got ticked in the DEFAULT settings with me not intending it or doing it knowingly) that in this DEFAULT zone, none of the boxes were ticked!
Consequently, after a reload of the OPTIONS page or even after closing it and checking back, all these formerly preset sites have gone (on the options page, if you click on the DEFAULT button for a site, it will disappear from the options page after reload or closing this page) and you can start with your own CUSTOM settings and entries.

So, after a few weeks, I have several dozens of sites there with CUSTOM settings, and, with INDIVIDUAL settings, just as I want it to be.

OK, that's my way of doing it, I am sure there are other ways, but I just wanted to tell you that NS works really well once you got the right settings and understand how to do so that it fits your individual needs.

Hope this helps! BTW, I guess it's your postings in the InkScape Forum that helped me a lot some time ago, so I felt I have to try to help you this time :)

Re: how to stop the XSS notifications (and block by default)

by brynn » Thu Dec 14, 2017 1:02 pm

Should we assume that there is no way to block them? That developers actually intend for users to have to deal with at least 1 or 2 alerts for every website visited?

So the only way to stop the notifications is to disable the protection. Right?

Re: how to stop the XSS notifications (and block by default)

by anorman728 » Tue Dec 12, 2017 1:54 am

Just wanted to add support: It's definitely not blocking all scripts by default. The "default" action seems to be allowing most scripts. I'd really like this option added back in, personally. I mostly use NoScript to prevent seeing JavaScript vomit over news webpages. They're not actually malicious-- Just frustrating.

Re: how to stop the XSS notifications (and block by default)

by brynn » Mon Dec 11, 2017 7:52 am

Thrawn wrote:NoScript does block everything by default. What's making you think otherwise?
Sorry it took me so long to respond.

It's absolutely not blocking all scripts by default, because as soon as I got the Firefox upgrade (which contained the NS upgrade) I'm seeing advertisements all over the place. I thought my ad blocker was broken, until I realized that all the scripts (which run the ads) which had previously been blocked, were allowing them through. doubleclick.net seems to have been the main one getting through. But I've been avoiding browsing away from the sites I normally visit, so I expect there will be others (once I can stop the XSS notifications, so I can browse the internet without bother).

For the record, doubleclick was set for Default. But apparently Default means 'run the script', at least for doubleclick.net. Other scripts seem to be effectively blocked by the Default setting. But in any case, after I changed it to Untrusted, the ads all went away.

But that is a separate problem from the XSS notifications on almost every site I visit. I see that several other people have been complaining about this too. But I don't see any proposed solutions.

As I noted in the op, the instructions for stopping them are no longer relevant. Please tell us how to stop them.

Thanks again :)

(Edit - I had written a small rant mentioning 5 or 6 other problems I'm having with NS. But that won't be productive for getting this XSS issue fixed. I'm sure other people will be posting about these other problems, in other threads.)

Re: how to stop the XSS notifications (and block by default)

by parry.lost » Fri Dec 08, 2017 11:07 pm

I have the same issue, especially on Tumblr blogs. Every visit prompts the same XSS message from NoScript to pop up many times -- and it keeps appearing without any regard for whether I selected "always block" or "always allow." It happens every single time I visit the site - and every visit I am left closing several of these NoScript dialogue boxes, which keep popping up even after I leave the site until I've gone through like 5-6 of them, if not more. It doesn't seem to matter at all what options I select, it just keeps popping up regardless. And as OP mentioned, with the redesign, I can't find the settings to turn off these dialogue boxes. Of course, I don't want to turn off XSS blocking entirely, I just want to set the particular sites I visit to either "always block" or "always allow" and never have to see the pop-up for these particular sites again. Or, at least, it would be nice if I only had to see it once every session, rather than having each visit to these sites result in a dozen of these boxes popping up... :P

Screenshot below of the NoScript dialogue box, as I browse a Tumblr blog

Image

Re: how to stop the XSS notifications (and block by default)

by Kkat » Fri Dec 08, 2017 4:06 pm

I have exactly the same problem. I keep getting this sort of popup:

Image
(picture borrowed from another thread)

Apparently, NoScript thinks it needs my permission to block suspicious cross-site scripting. And insists on badgering me for that permission even after I give it. I will tell it to block or always block the request, and yet a second later I will get another of these. They make surfing some websites nearly impossible, as dozens to endless numbers of these popups will occur.

I would like to know how I can prevent these popups from occurring by having NoScript not need me to tell it to block. Is there a way to set NoScript to universally and automatically block all XSS attempts and not inform me or ask me about it anymore?

Re: how to stop the XSS notifications (and block by default)

by drajitsh » Fri Dec 08, 2017 10:54 am

Forget that.

Re: how to stop the XSS notifications (and block by default)

by lakrsrool » Fri Dec 08, 2017 9:11 am

drajitsh wrote:I have a screenshot too but can't figure out how to post it.
You have to save your screen-shots via a 3rd-party like (i.e. example Postimage.org etc) and then insert the 3rd-party image link to this forum as an image-tag. (what a hassle, only forum I know that does not provide internal method - but that's the way they want to do it so it is what it is - good luck).

Re: how to stop the XSS notifications (and block by default)

by drajitsh » Fri Dec 08, 2017 6:54 am

brynn wrote:Hi Friends,
I'm getting XSS notifications, at least 2 or 3 times with every site I visit. I can't figure out how to stop the alerts. I don't want to stop blocking them, I just want to block them and not be alerted about it.

Yes, I've read the faq, which says
Yes, you can, just toggle the Noscript Options|Notifications|XSS preference. Of course you will still able to monitor NoScript Anti-XSS activity log in the Browser Console (Firefox) or Error Console (SeaMonkey), and you will get an extra "XSS" menu inside the NoScript contextual menu whenever an XSS attempt is detected, featuring all the actions usually accessed from the notification bar.
With the new NS upgrade, which was forced upon Firefox users, along with the recent quantum version upgrade (57), I can't find any Noscript Options|Notifications, much less Noscript Options|Notifications|XSS preference.

PLEASE tell me how to do it?

Also, I want to set NS to block every script by default, so that I only allow the few that I want or need. I can't figure out how to do that with this new version either.

Could someone please explain that to me, too?


I'll be SO very grateful for your help :D


I have this problem too,
I have a screenshot too but can't figure out how to post it.