recurring XSS popup??


Re: recurring XSS popup??

by barbaz » Thu Jul 11, 2019 1:49 pm

Guest wrote: Thu Jul 11, 2019 8:44 am This has become a pointless mechanism.
Would've been a lot easier for you to just disable the XSS filter than waste time ranting on this forum, wouldn't it?
Guest wrote: Thu Jul 11, 2019 8:44 am Noscript has more problems: even with everything trusted on a site, in some cases some parts can be kept blocked without you knowing. Only turning off Noscript will allow you to see them then. It has been that way for years.
Vague ranting isn't going to get you any help.

Re: recurring XSS popup??

by therube » Thu Jul 11, 2019 11:36 am

(Was on Yahoo the other day, I was getting a seemingly "endless" number of XSS warnings there, simply by scrolling down the page...?
I simply ignored the popups, best I could. Don't know what triggered it. Doesn't seem to be happening currently.
Maybe there was a rightful reason it was occurring?)
"even with everything trusted on a site, in some cases some parts can be kept blocked without you knowing"
Where?
It was noted before, that sometimes that occurred with 'disable restrictions for this tab', where 'allow globally' worked.

Re: recurring XSS popup??

by Guest » Thu Jul 11, 2019 8:44 am

It is July 2019 now, running Noscript on Firefox.
This problem with XSS warnings grew over the years, and today it reaches the limit. The end game now is that I cannot click any site in Google (even Google itself) or I need to add it to the 'allowed' list. Even already loaded tabs that I revisit need it.
One day my memory will be full...

This has become a pointless mechanism.

Noscript has more problems: even with everything trusted on a site, in some cases some parts can be kept blocked without you knowing. Only turning off Noscript will allow you to see them then. It has been that way for years.

Re: recurring XSS popup??

by lancelot » Sun Feb 11, 2018 3:18 pm

The warnings for imdb are finally gone. But now I ran into this:

http://www.telegraph.co.uk/culture/book ... eview.html

gives

NoScript detected a potential Cross-Site Scripting attack
from [...] to http://www.telegraph.co.uk.
Suspicious data:
(URL) http://www.telegraph.co.uk/culture/book ... eview.html

What does Suspicious data: URL even mean?

Re: recurring XSS popup??

by lancelot » Sat Jan 27, 2018 6:27 pm

lancelot wrote:
lancelot wrote:XSS handling is still rather annoying. If google gives me an imdb link in the search results (http :// www . imdb.com / name / nm0643664 /), when I click the link, I get a NoScript XSS warning about a potential attack from google to imdb. If another search engine gives me that link, I'll get a different XSS warning. If I just open that imdb link by pasting it into the address bar, I get a warning saying "from [...] to http://www.imdb.com" (literally three dots).

First, is that even the correct behavior? Second, it really needs a global default.
Besides, if I click "Always block" on the warning saying "from [...] to http://www.imdb.com", I get locked out of imdb, I cannot even open the main page www.imdb.com, even though that page hasn't been giving me a warning with the literal [...].

So it seems like a global default isn't even possible because of this.
Additionally, if I temporarily block the request "from [...] to http://www.imdb.com" (whatever that means), that apparently blocks some fonts as well:

Image

This is how the page should look like:

Image

Re: recurring XSS popup??

by lancelot » Mon Dec 18, 2017 8:02 pm

lancelot wrote:XSS handling is still rather annoying. If google gives me an imdb link in the search results (http :// www . imdb.com / name / nm0643664 /), when I click the link, I get a NoScript XSS warning about a potential attack from google to imdb. If another search engine gives me that link, I'll get a different XSS warning. If I just open that imdb link by pasting it into the address bar, I get a warning saying "from [...] to http://www.imdb.com" (literally three dots).

First, is that even the correct behavior? Second, it really needs a global default.
Besides, if I click "Always block" on the warning saying "from [...] to http://www.imdb.com", I get locked out of imdb, I cannot even open the main page www.imdb.com, even though that page hasn't been giving me a warning with the literal [...].

So it seems like a global default isn't even possible because of this.

Re: recurring XSS popup??

by mvenl » Wed Dec 13, 2017 11:58 am

Always allow choice is still not remembered. This is not good as it might tempt people to just disable the XSS check altogether.

Re: recurring XSS popup??

by lancelot » Sun Dec 10, 2017 2:42 pm

XSS handling is still rather annoying. If google gives me an imdb link in the search results (http :// www . imdb.com / name / nm0643664 /), when I click the link, I get a NoScript XSS warning about a potential attack from google to imdb. If another search engine gives me that link, I'll get a different XSS warning. If I just open that imdb link by pasting it into the address bar, I get a warning saying "from [...] to http://www.imdb.com" (literally three dots).

First, is that even the correct behavior? Second, it really needs a global default.

Re: recurring XSS popup??

by George Valitsas » Sun Dec 03, 2017 1:10 pm

Same here, XSS does not remember always allow or always block choices when I close Firefox and start again. So the same message pops up again! Firefox is set to never remember history, I don't know whether this is relevant or not.

Re: recurring XSS popup??

by lancelot » Sun Dec 03, 2017 12:33 pm

And apparently 10.1.5.3 just wiped my XSS choices? I haven't restarted Firefox, just updated NoScript, and "Clear XSS user choices" is grayed out.

Re: recurring XSS popup??

by juozas » Sun Dec 03, 2017 6:02 am

Just updated NoScript to 10.1.5.3 on one of my test profiles. When I visit an affected site with multiple XSS of the same kind, adding an exception to the first one doesn't stop the other ones triggering an XSS popup that repeats even after closing the tab or exiting the browser. Very annoying. Also, exceptions don't remain after restart, which is even more annoying.
The browser window after restart (last "window" was XSS popup):
Image

Re: recurring XSS popup??

by aussiebill » Sun Dec 03, 2017 1:50 am

I think this might be a reflection on how Firefox runs. If you look in the task manager FF is opened 4 times thus allowing memory to be cached in case of dropouts.
Maybe this is where Noscript is being caught up too. Running with FF at 4 times it could be trying to block all the other versions of FF too. If you get an XSS script warning shutdown FF and re-open it, XSS should still be present as it switches another FF running in the background.

Re: recurring XSS popup??

by lancelot » Sat Dec 02, 2017 11:53 pm

I've just noticed that too: when I quit and restart Firefox, I'm getting the same XSS popups on the same site about the same https://www.facebook.com that I've already clicked "Always block" on.

Re: recurring XSS popup??

by juozas » Sat Dec 02, 2017 12:33 pm

On some sites, e.g. some tumblr pages with custom themes, there might be the same XSS repeating; clicking always allow doesn't solve the problem until reload, as the same XSS repeats. The popup dialog that stays always on top is not minimizable even when the tab is NOT in focus, which is annoying, not to mention the blank window bug only solved by right click.
Edit: Settings aren't saved across restarts somehow. Also, browsing storage-sync.sqlite with an SQLite editor program, I couldn't find a record (table row) with "key-xssWhitelist" in the record_id column with configuration stored in the record column in the collection_data table. Previous versions of NoScript did store this data properly.
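
The persistence check described in the post above can be scripted. This is an added example, not part of the original post and not NoScript code. It uses only the table, columns and record id the post names; the JSON layout of the record (value under "data"), the "key-other" row and the sample database are constructed assumptions.

```python
import json
import sqlite3
from pathlib import Path

RECORD_ID = "key-xssWhitelist"  # record id named in the post above


def build_sample_db(with_choices):
    """Constructed stand-in for storage-sync.sqlite, not a real profile file."""
    db = sqlite3.connect(":memory:")
    # Only the table and the two columns the post names are modelled.
    db.execute("CREATE TABLE collection_data (record_id TEXT, record TEXT)")
    db.execute("INSERT INTO collection_data VALUES (?, ?)",
               ("key-other", json.dumps({"data": True})))  # constructed row
    if with_choices:
        # Assumed layout: JSON object with the stored value under "data".
        sample = {"data": {"https://www.example.com": ["https://search.example"]}}
        db.execute("INSERT INTO collection_data VALUES (?, ?)",
                   (RECORD_ID, json.dumps(sample)))
    db.commit()
    return db


def open_readonly(path):
    """Open a copy of the profile database so that it cannot be modified."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def check_xss_choices(db):
    """Return (status, value) describing the stored XSS choices record."""
    has_table = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' "
        "AND name = 'collection_data'").fetchone()
    if not has_table:
        return ("no-table", None)
    row = db.execute("SELECT record FROM collection_data WHERE record_id = ?",
                     (RECORD_ID,)).fetchone()
    if row is None:
        return ("missing", None)  # the state the post reports
    try:
        value = json.loads(row[0])
    except (TypeError, ValueError):
        return ("unparseable", row[0])
    if isinstance(value, dict) and "data" in value:
        value = value["data"]
    return ("present", value)


if __name__ == "__main__":
    for label, db in (("choices saved", build_sample_db(True)),
                      ("choices lost", build_sample_db(False))):
        print(label, "->", check_xss_choices(db))
```

For a real profile, pass a copy of storage-sync.sqlite to open_readonly() and hand the connection to check_xss_choices(); a "missing" result after a restart matches what is reported in this thread.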

Re: recurring XSS popup??

by ohdada_yupie » Sat Dec 02, 2017 9:34 am

Same here!

Image

I get those warnings when I click on google search links or when I go on duckduckgo.
