[FIXED] Supersensitive XSS Filter Needs A Solution

[CodeFate]

Hello,

So this problem has just recently come up with NoScript. I run a file host (called Obscured Files) which distributes the load to multiple nodes using sub-domains.

All of them run on the same domain verified using the same https certificate. We have a HSTS, CSP, and we even public key pin our certificate (though pinning is currently disabled for some updates).

Yet when a user now POSTs to the same domain (directed at an appropriate sub-domain) the XSS filter is triggered trashing whatever the user was sending over needing them to reupload again with the unsafe reload button.

The console shows:

Code: Select all

[NoScript XSS] Sanitized suspicious upload to [https://ace.obscuredfiles.com/index.php/upload/do_upload] from [https://obscuredfiles.com/]: transformed into a download-only GET request.

It was working yesterday. What changed?

[dnolan]

See viewtopic.php?f=7&t=22296.

Perhaps a moderator could merge the threads, maybe with the title changed to "XSS false positive" or something to that effect. barbaz, what do you think?

[barbaz]

I think it's a different issue. That other thread is about XSS filter tripping from stuff entered into address bar and searchbar. This one is about a website being erroneously broken by NoScript.

CodeFate, what NoScript version are you using? If it's some 2.9.5 version, does downgrading NoScript to 2.9.0.14 let it work again?

Old NoScript @
https://addons.mozilla.org/addon/noscript/versions
*or*
https://noscript.net/feed?c=100&t=a

[Giorgio Maone]

Please check latest development build 2.9.5.2rc1, thanks.

[CodeFate]

The release candidate, as well as downgrading, seems to fix the issue.

What is the candidate's ETA to the Mozilla store?

[barbaz]

It's already there https://addons.mozilla.org/addon/noscri ... 2.9.5.2rc1