XSS Exceptions
I appreciate the security that NoScript provides. And ordinarily it is pretty user friendly. However, when it comes to XSS it is quite daunting. There is an insurance website that triggers the XSS alert. In order to access the site I have to allow the dangerous behavior. It gets really old doing that every time I access it. Since there is no easy way to whitelist it without having to learn how to use regular expressions, I'm tempted to just turn off the protection. Why can't we whitelist a site for XSS exceptions just like we can whitelist a site to allow scripts?
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b99) Gecko/20090605 Firefox/3.5b99
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: XSS Exceptions
The reason is pretty simple: XSS exceptions must be as narrow as possible to keep protecting the site.
However allowing a simpler URL pattern syntax (like the one already used for HTTPS and ABE options) is planned.
In the meanwhile, could you provide here the warning given by NoScript in Tools|Error Console ([NoScript XSS] lines) so I can help you with the reg exp?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
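Why a site-wide XSS exception is riskier than a narrow one, as an added example that is not part of the original thread: it compares a broad pattern with a tightly anchored one against a handful of destination URLs. The host `insurance.example`, the paths, the session format and the helper `audit` are all constructed for illustration, and the code assumes each exception is a JavaScript regular expression tested against the full destination URL.

```javascript
// Added example (not from the thread). Host, paths and session format are
// constructed. Assumption: an exception is a JavaScript regular expression
// tested against the full destination URL of the request.

// Broad: unanchored and host-only, so it exempts anything mentioning the site.
const broad = /insurance\.example/;

// Narrow: anchored at both ends, fixed scheme, host and path, and a strict
// format for the single parameter the login flow is assumed to carry.
const narrow =
  /^https:\/\/www\.insurance\.example\/account\/login\.do\?session=[0-9a-f]{8}$/;

// Constructed destination URLs: [url, shouldBeExempt]
const samples = [
  // The one request the user actually needs to get through.
  ["https://www.insurance.example/account/login.do?session=1a2b3c4d", true],
  // Same site, different endpoint carrying markup in a parameter.
  ["https://www.insurance.example/search?q=%3Cb%3Etest%3C%2Fb%3E", false],
  // Lookalike host that merely starts with the trusted name.
  ["https://www.insurance.example.other.test/account/login.do?session=1a2b3c4d", false],
  // Trusted URL embedded in another site's query string.
  ["https://other.test/?next=https://www.insurance.example/account/login.do", false],
  // Plain-HTTP variant of the trusted request.
  ["http://www.insurance.example/account/login.do?session=1a2b3c4d", false],
];

// Report which URLs a pattern exempts that it should not (overreach) and
// which intended URLs it fails to exempt (missed).
function audit(pattern, cases) {
  const overreach = [];
  const missed = [];
  for (const [url, intended] of cases) {
    const exempt = pattern.test(url);
    if (exempt && !intended) overreach.push(url);
    if (!exempt && intended) missed.push(url);
  }
  return { overreach, missed };
}

for (const [name, pattern] of [["broad", broad], ["narrow", narrow]]) {
  const { overreach, missed } = audit(pattern, samples);
  console.log(`${name}: ${overreach.length} unintended, ${missed.length} missed`);
  overreach.forEach((url) => console.log(`  still filtered only by luck: ${url}`));
}
```

Every URL listed under the broad pattern is one where the XSS filter would no longer run, which is the protection a per-site whitelist would give up.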
Re: XSS Exceptions
Giorgio-
Thanks for the quick response & particularly for help with the expression. I'll send it to you privately as I do not want to post my account info here. By the way, I've seen reference in some posts, including your response, to ABE. What does it stand for?
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b99) Gecko/20090605 Firefox/3.5b99
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: XSS Exceptions
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)