NoScript warns if using OpenID Authentication

Bug reports and enhancement requests
GunnarScherf
Posts: 3
Joined: Fri Apr 11, 2014 6:21 pm

NoScript warns if using OpenID Authentication

Post by GunnarScherf »

Thank you very much for the sophisticated and helpful NoScript add-on, which a lot of my friends are using.

I have a concern with the XSS feature. When I use the OpenID Connect specification for authentication http://openid.net/specs/openid-connect- ... uthRequest
with a scope parameter with multiple scopes separated by spaces, including openid, I get an XSS warning.

For example, on the page https://oauth-python-sample.g10f.de/oauth2/login/ there is a link to log in with Google:

https://accounts.google.com/o/oauth2/au ... ontent.com

The console log contains something like this:


[NoScript InjectionChecker] JavaScript Injection in ///o/oauth2/auth?scope=openid+profile+email&state=eyJub25jZSI6ImNFemlmM2F0YWdDYyIsImNsaWVudCI6NywibmV4dCI6Ii8ifQ&redirect_uri=https://oauth-python-sample.g10f.de/oauth2/login/&response_type=code&client_id=1054794484004-cijvmo33q0ucevim6ip722smkjruf4rh.apps.googleusercontent.com
(function anonymous() {
scope=openid+profile+email /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] A suspicious request has been sanitized. Original URL [https://accounts.google.com/o/oauth2/auth?scope=openid+profile+email&state=eyJub25jZSI6ImNFemlmM2F0YWdDYyIsImNsaWVudCI6NywibmV4dCI6Ii8ifQ&redirect_uri=https%3A%2F%2Foauth-python-sample.g10f.de%2Foauth2%2Flogin%2F&response_type=code&client_id=1054794484004-cijvmo33q0ucevim6ip722smkjruf4rh.apps.googleusercontent.com] requested from [https://oauth-python-sample.g10f.de/oauth2/login/]. Sanitized URL: [https://accounts.google.com/o/oauth2/auth?scope=OPENid+profile+email&state=eyJub25jZSI6ImNFemlmM2F0YWdDYyIsImNsaWVudCI6NywibmV4dCI6Ii8ifQ&redirect_uri=https%3A%2F%2Foauth-python-sample.g10f.de%2Foauth2%2Flogin%2F&response_type=code&client_id=1054794484004-cijvmo33q0ucevim6ip722smkjruf4rh.apps.googleusercontent.com#7047993740878138766].
The openid value is changed to OPENid??
Perhaps because "open" in the context of the browser opens a window?
I think it would be nice if NoScript did not warn when a request is completely aligned with the OpenID Connect specification, which is the most important authentication specification for the web.

With best regards
Gunnar
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript warns if using OpenID Authentication

Post by Giorgio Maone »

Please check latest development build 2.6.8.20rc1, thank you.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
GunnarScherf
Posts: 3
Joined: Fri Apr 11, 2014 6:21 pm

Re: NoScript warns if using OpenID Authentication

Post by GunnarScherf »

Giorgio, thank you very much for responding so quickly.
Unfortunately, I still get the XSS warning and an error when I use the OpenID Connect login with NoScript.
To log in with OpenID Connect there is a scope parameter in the query string (scope=openid+profile+email+offline_access) with openid.
The openid part is then changed by NoScript to OPENid with an XSS warning.
It would be very nice if this could be changed in NoScript, because the parameter is specified like this in the OpenID Connect specification (OpenID Connect requests MUST contain the openid scope value: http://openid.net/specs/openid-connect- ... uthRequest).

With best regards
Gunnar


[NoScript InjectionChecker] JavaScript Injection in ///accounts/login/?next=/oauth2/authorize/?scope=openid+profile+email+offline_access&state=eyJub25jZSI6ImxFTnJFaGh2eDZaNCIsImNsaWVudCI6MSwibmV4dCI6Ii8ifQ&redirect_uri=https://oauth-python-sample.g10f.de/oauth2/login/&response_type=code&client_id=ec1e39cbe3e746c787b770ace4165d13
(function anonymous() {
scope=openid+profile+email+offline_access /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] A suspicious request has been sanitized. Original URL [https://sso.g10f.de/accounts/login/?next=/oauth2/authorize/%3Fscope%3Dopenid%2Bprofile%2Bemail%2Boffline_access%26state%3DeyJub25jZSI6ImxFTnJFaGh2eDZaNCIsImNsaWVudCI6MSwibmV4dCI6Ii8ifQ%26redirect_uri%3Dhttps%253A%252F%252Foauth-python-sample.g10f.de%252Foauth2%252Flogin%252F%26response_type%3Dcode%26client_id%3Dec1e39cbe3e746c787b770ace4165d13] requested from [https://oauth-python-sample.g10f.de/oauth2/login/]. Sanitized URL: [https://sso.g10f.de/accounts/login/?next=%2Foauth2%2Fauthorize%2F%3Fscope%3DOPENid%2Bprofile%2Bemail%2Boffline_access%26state%3DeyJub25jZSI6ImxFTnJFaGh2eDZaNCIsImNsaWVudCI6MSwibmV4dCI6Ii8ifQ%26redirect_uri%3Dhttps%253A%252F%252Foauth-python-sample.g10f.de%252Foauth2%252Flogin%252F%26response_type%3Dcode%26client_id%3Dec1e39cbe3e746c787b770ace4165d13#5957817879784126750].
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript warns if using OpenID Authentication

Post by Giorgio Maone »

Please check latest development build 2.6.8.27rc1, thanks.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
GunnarScherf
Posts: 3
Joined: Fri Apr 11, 2014 6:21 pm

Re: NoScript warns if using OpenID Authentication

Post by GunnarScherf »

Thank you very much. Now it is working fine.

With best regards
Gunnar Scherf
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0