[RESOLVED] XSS filter problems on various sites?

Lizard · Post by **Lizard** » Mon Jul 03, 2017 7:48 pm

With the last few development builds I've noticed an increase of XSS warnings.
These are reproducible with 5.0.6RC6:

http://www.ad.nl/buitenland/taxi-rijdt- ... ~a4a4daee/
https://www.consoleshop.nl/product/7853 ... -snes.html

Also I've noticed I need to reload a page when I load a page on my local lan, even if I've allowed the page.

See the linked screenshot:

Post by **barbaz** » Mon Jul 03, 2017 8:55 pm

Lizard wrote:Also I've noticed I need to reload a page when I load a page on my local lan, even if I've allowed the page.

Try manually whitelisting the full address with the port -

Code: Select all

http://diskstation:5000

Lizard · Post by **Lizard** » Tue Jul 04, 2017 5:35 pm

barbaz wrote:
Lizard wrote:Also I've noticed I need to reload a page when I load a page on my local lan, even if I've allowed the page.
Try manually whitelisting the full address with the port -
Code: Select all
http://diskstation:5000

Thanks, that seems to work. still strange it also works without the port number after a reload.

Post by **barbaz** » Tue Jul 04, 2017 10:05 pm

You're welcome.

Regarding the XSS warnings:
When this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)

Archaeopteryx · Post by **Archaeopteryx** » Wed Jul 05, 2017 3:32 pm

This seems to hit e.g. downloads on github.com quite often. A download of mozregression-gui.exe triggers the XSS protection while Git-2.13.2-64-bit.exe doesn't. Nothing obvious in the console of the browser toolbox.

Post by **barbaz** » Wed Jul 05, 2017 4:05 pm

@Archaeopteryx: that might be viewtopic.php?f=10&t=22884

Lizard · Post by **Lizard** » Wed Jul 05, 2017 6:00 pm

Here are some logs:
http://www.pcgamer.com/half-life-a-plac ... ease-date/

[NoScript XSS] Sanitized suspicious upload to [https://www.facebook.com/tr/###DATA###SyntaxError: invalid range in character class] from [http://www.pcgamer.com/half-life-a-plac ... _pcgamerfb]: transformed into a download-only GET request.

http://www.ad.nl/buitenland/taxi-rijdt- ... ~a4a4daee/

[NoScript XSS] Sanitized suspicious upload to [https://www.facebook.com/tr/###DATA###SyntaxError: invalid range in character class] from [http://www.ad.nl/buitenland/taxi-rijdt- ... ~a4a4daee/]: transformed into a download-only GET request.

Post by **barbaz** » Wed Jul 05, 2017 10:57 pm

Does Marking facebook.net as Untrusted make any difference?

Lizard · Post by **Lizard** » Tue Jul 11, 2017 9:45 pm

That seems to remove the xss warnings, thnx

InformAction Forums

[RESOLVED] XSS filter problems on various sites?

[RESOLVED] XSS filter problems on various sites?

Re: XSS filter problems on various sites?

Re: XSS filter problems on various sites?

Re: XSS filter problems on various sites?

Re: XSS filter problems on various sites?

Re: XSS filter problems on various sites?

Re: XSS filter problems on various sites?

Re: XSS filter problems on various sites?

Re: XSS filter problems on various sites?