Giorgio Maone wrote: Is this a cross-site request or not?
This isn't a cross-site request.
May I see the other [NoScript XSS] messages in the console?
Yes, I have this in my console:
Code:
[NoScript XSS] Sanitized suspicious upload to [https://example.com/login.php?mode=login###DATA###(urlencoded_password)] from [http://example.com/]: transformed into a download-only GET request.
Seems unrelated to the query strings, though.
Source of relevant part of the page (the page is served through HTTP):
Code:
<form method="post" action="https://example.com/login.php?mode=login" class="headerspace">
<fieldset class="login-form">
<label for="username">Username:</label> <input type="text" name="username" id="username" size="10" class="inputbox" title="Username" />
<label for="password">Password:</label> <input type="password" name="password" id="password" size="10" class="inputbox" title="Password" />
| <label for="autologin">Log me on automatically each visit <input type="checkbox" name="autologin" id="autologin" /></label>
<input type="submit" name="login" value="Login" class="button2" />
<input type="hidden" name="redirect" value="./index.php?" />
</fieldset>
</form>
If I use an HTTPS form for the login this does not occur.
Maybe it's related to the recent change to the XSS filter in 2.6.8.20rc1?