So this problem has just recently come up with NoScript. I run a file host (called Obscured Files) which distributes the load to multiple nodes using sub-domains.
All of them run on the same domain, verified using the same HTTPS certificate. We have HSTS, CSP, and we even public-key-pin our certificate (though pinning is currently disabled for some updates).
Yet when a user now POSTs to the same domain (directed at an appropriate sub-domain), the XSS filter is triggered, trashing whatever the user was sending over and requiring them to re-upload with the unsafe reload button.
The console shows:
[NoScript XSS] Sanitized suspicious upload to [https://ace.obscuredfiles.com/index.php/upload/do_upload] from [https://obscuredfiles.com/]: transformed into a download-only GET request.