XSS Exceptions

gandalf99
Posts: 2
Joined: Sun Jun 14, 2009 7:43 pm

XSS Exceptions

Post by gandalf99 »

I appreciate the security that NoScript provides. And ordinarily it is pretty user friendly. However, when it comes to XSS it is quite daunting. There is an insurance website that triggers the XSS alert. In order to access the site I have to allow the dangerous behavior. It gets really old doing that every time I access it. Since there is no easy way to whitelist it without having to learn how to use regular expressions, I'm tempted to just turn off the protection. Why can't we whitelist a site for XSS exceptions just like we can whitelist a site to allow scripts?
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b99) Gecko/20090605 Firefox/3.5b99
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS Exceptions

Post by Giorgio Maone »

The reason is pretty simple: XSS exceptions must be as narrow as possible to keep protecting the site.
However, allowing a simpler URL pattern syntax (like the one already used for HTTPS and ABE options) is planned.
In the meantime, could you provide here the warning given by NoScript in Tools|Error Console ([NoScript XSS] lines) so I can help you with the reg exp?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
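
An added example (not part of the thread and not NoScript code) of why an XSS exception has to be narrow: it audits candidate exception regular expressions against URLs that should and should not be exempted. The hostnames, paths and patterns are constructed, and it assumes a pattern is applied as an unanchored regex test against the destination URL.

```javascript
// Added example, not NoScript code. Hostnames, paths and patterns are constructed.
// Assumption: an exception pattern is applied as an unanchored regex test
// against the full destination URL.

// The request the exception is meant to let through unfiltered.
const INTENDED = [
  "https://www.insurance.example/portal/login.do?returnTo=%2Faccount",
];

// Requests that should still be filtered once the exception is in place.
const MUST_STAY_FILTERED = [
  "http://www.insurance.example/portal/login.do?returnTo=%2Faccount", // plain HTTP
  "https://www.insurance.example/search?q=%3Cscript%3E", // other endpoint
  "https://www.insurance.example.other.example/portal/login.do?x=1", // look-alike host
  "https://other.example/?u=https://www.insurance.example/portal/login.do?", // name only in query
];

const CANDIDATES = {
  broad: "insurance\\.example",
  hostOnly: "^https://www\\.insurance\\.example/",
  narrow: "^https://www\\.insurance\\.example/portal/login\\.do\\?",
};

// Report which intended URLs a pattern misses and which others it exempts.
function auditException(pattern) {
  const re = new RegExp(pattern);
  const missed = INTENDED.filter((u) => !re.test(u));
  const overbroad = MUST_STAY_FILTERED.filter((u) => re.test(u));
  return { missed, overbroad, narrow: missed.length === 0 && overbroad.length === 0 };
}

for (const [name, pattern] of Object.entries(CANDIDATES)) {
  const r = auditException(pattern);
  console.log(`${name}: exempts ${r.overbroad.length} unintended URL(s), narrow=${r.narrow}`);
}
```

Only the pattern anchored to scheme, host and the one endpoint covers the intended request without exempting any of the others.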
gandalf99
Posts: 2
Joined: Sun Jun 14, 2009 7:43 pm

Re: XSS Exceptions

Post by gandalf99 »

Giorgio-

Thanks for the quick response & particularly for help with the expression. I'll send it to you privately as I do not want to post my account info here. By the way, I've seen references in some posts, including your response, to ABE. What does it stand for?
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b99) Gecko/20090605 Firefox/3.5b99
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS Exceptions

Post by Giorgio Maone »

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)