Page 1 of 1

10: XSS popup

Posted: Thu Nov 23, 2017 3:36 am
by saladgoat
I have read all the explanations I can find and I still don't understand what XSS is or why it's a threat. But you seem to think it's bad enough to add blockers for it in NoScript, so I leave it enabled.
Previously, NoScript showed a small yellow bar across the top of the site to let me know XSS was blocked. Cool. I don't need to do anything.
But now, there is a giant popup that I have to click on. Why do I have to click on it? It has a whole lot more information on it, but it all looks like gibberish to me, so it's not helpful at all. And when it says, for instance, 'from to' I don't know what to do. I trust both sites, but XSS is so bad and I don't know what it means so I just say Block.
But there is an option to Allow and an option to Always Allow, but why isn't there an option to Always Block? I don't want to see that popup every time I visit these sites with XSS. And blocking it doesn't seem to affect the site, so I don't care.
And then it's more confusing when it pops up and asks to Sanitize the XSS. What happened to Block? :? And in Options, there is already a checkmark beside Sanitize XSS, so why is it even asking me? Just do it.
Anyway, that's my latest rant. Happy to see that all of my other complaints/concerns have been addressed and fixed in 10.1.2, so thank you for that! You're doing a great job!

Re: 10: XSS popup

Posted: Thu Nov 23, 2017 3:58 am
by Mistame
XSS is Cross-Site Scripting. Basically, using javascript from another domain.

From what I've seen, the best way to avoid those is to go to the actual site and set that site to Trusted/Untrusted. The pop-up usually only appears if the remote site doesn't have any permissions set. There are some exceptions, however (I've seen a [...] listed as the site, which is really weird). In your example, go to Facebook and and make sure those sites have all their permissions set. Keep in mind that if Site A is using HTTPS and you have permissions for HTTPS only, then Site B tries to access those scripts remotely via HTTP (without the "S"), you'll get the pop-up unless you give Site A non-HTTPS permission (indicated by the red lock icon).

Re: 10: XSS popup

Posted: Thu Nov 23, 2017 4:08 am
by barbaz
Mistame wrote:XSS is Cross-Site Scripting. Basically, using javascript from another domain.
Err, no, just about every site uses javascript from another domain and it's not an attack situation. XSS is when a malicious site injects its Javascript code into another site, e.g. your bank, and your bank site then runs the malicious code in its own context, i.e. as though the malicious site's injected code were part of the bank site's own code. Your browser is the vector for this injection.

Think of XSS like the cuckoo bird laying its eggs in other birds' nests, and the "victim" birds raise the cuckoo young like their own.

Re: 10: XSS popup

Posted: Thu Nov 23, 2017 5:40 am
by Mistame
Ah. Thanks for the correction.