[Fixed] 11.0.14rc1 Strange XSS warning on youtube

barbaz
Senior Member
Posts: 9344
Joined: Sat Aug 03, 2013 5:45 pm

Post by barbaz » Sun Mar 01, 2020 1:17 am

Had a Youtube video playing in a background instance of Firefox 73.0.1, and this message popped up out of nowhere -

NoScript detected a potential Cross-Site Scripting attack

from https://www.youtube.com to https://accounts.google.com.

Suspicious data:

Error: Timeout! DOS attack attempt?,(URL) https://accounts.google.com/ServiceLogin?continue=https://www.youtube.com/signin?next=%2Fsignin_passive&action_handle_signin=true&feature=passive&hl=en&app=desktop&passive=true&uilel=3&hl=en&service=youtube
I just hit the "X" in the OS window controls. This is likely a false positive, and I block that request elsewhere anyway.

This seems to happen on every Youtube video.
*Always* check the changelogs BEFORE updating that important software!
-

Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: 11.0.14rc1 Strange XSS warning on youtube

Post by Giorgio Maone » Sun Mar 01, 2020 6:34 am

Are you signed in to your Google account while browsing Youtube?
Does it happen also on a clean profile without any other extension?
Thanks!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0


Re: 11.0.14rc1 Strange XSS warning on youtube

Post by Giorgio Maone » Sun Mar 01, 2020 11:31 am

Never mind, I can see what's happening. Gonna fix it in the next release, thanks!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0


Re: 11.0.14rc1 Strange XSS warning on youtube

Post by Giorgio Maone » Sun Mar 01, 2020 12:14 pm

Giorgio Maone wrote:
Sun Mar 01, 2020 6:34 am
Are you signed in to your Google account while browsing Youtube?
Does it happen also on a clean profile without any other extension?
Thanks!
On second thought, since there are at least two causes I can imagine for this to happen with different (and possibly quite difficult) solutions, could you please answer those two questions anyway?
Thank you.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0


Re: 11.0.14rc1 Strange XSS warning on youtube

Post by barbaz » Sun Mar 01, 2020 1:51 pm

Giorgio Maone wrote:
Sun Mar 01, 2020 6:34 am
Are you signed in to your Google account while browsing Youtube?
no
Giorgio Maone wrote:
Sun Mar 01, 2020 6:34 am
Does it happen also on a clean profile without any other extension?
It doesn't seem to. But it does happen if I also install uBlock Origin and add a custom filter that blocks that google frame.

EDIT
The following STR should get it consistently starting from clean profile:

1) install uBlock Origin from AMO, install NoScript 11.0.14rc1

2) uBlock Origin > Dashboard, check 'I am an advanced user'

3) in uBlock Origin advanced settings, set "cnameUncloak" to false

4) add this custom filter to uBlock Origin -

||google.com^$domain=youtube.com
5) visit a youtube video page and play the video, put Firefox window in background, and wait.


Re: 11.0.14rc1 Strange XSS warning on youtube

Post by Giorgio Maone » Sun Mar 01, 2020 9:32 pm

Please check latest dev build, thanks.
v 11.0.15rc1
============================================================
x Fixed CapsCSP bug allowing data: URLs to bypass font
blocking (thanks dcent and skriptimaahinen)
x [XSS] Prevent DOS detection from being triggered for
already aborted requests (thanks therube)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
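
The changelog entry above ("Prevent DOS detection from being triggered for already aborted requests"), sketched as an added example that is not NoScript's code and not part of the original thread: a per-request check watchdog that reports a timeout only when the request is still live. The class, its method names, the 20-second limit and the `stalled.example` URL are assumptions made for illustration.

```javascript
// Hypothetical model (not NoScript's implementation): an XSS-check watchdog
// that must not report a timeout for a request that was already aborted.
const CHECK_TIMEOUT_MS = 20000; // assumed limit, not taken from NoScript
class XssCheckWatchdog {
  constructor({ skipAborted }) {
    this.skipAborted = skipAborted; // false models the pre-fix behaviour
    this.pending = new Map();       // requestId -> { url, startedAt }
    this.aborted = new Set();       // requestIds cancelled while pending
  }

  // Called when inspection of a cross-site request starts.
  begin(requestId, url, now) {
    this.pending.set(requestId, { url, startedAt: now });
  }

  // Called when inspection completes normally.
  finish(requestId) {
    this.pending.delete(requestId);
    this.aborted.delete(requestId);
  }

  // Called when the request is cancelled, e.g. by a content blocker's filter.
  abort(requestId) {
    if (this.pending.has(requestId)) this.aborted.add(requestId);
  }

  // Returns warnings for checks that exceeded the limit at time `now`.
  sweep(now) {
    const warnings = [];
    for (const [id, { url, startedAt }] of this.pending) {
      if (now - startedAt < CHECK_TIMEOUT_MS) continue;
      this.pending.delete(id);
      const wasAborted = this.aborted.delete(id);
      if (this.skipAborted && wasAborted) continue; // request is gone: no warning
      warnings.push(`Timeout! DOS attack attempt? (URL) ${url}`);
    }
    return warnings;
  }
}

// Constructed scenario mirroring the thread: the accounts.google.com frame is
// blocked by a filter, while a second (made-up) request genuinely stalls.
function replay(skipAborted) {
  const w = new XssCheckWatchdog({ skipAborted });
  w.begin("r1", "https://accounts.google.com/ServiceLogin", 0);
  w.abort("r1");
  w.begin("r2", "https://stalled.example/", 0);
  return w.sweep(CHECK_TIMEOUT_MS + 1);
}
```

With `skipAborted` off, `replay` warns for both requests, including the blocked frame; with it on, only the request that is still pending and overdue is reported.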


Re: 11.0.14rc1 Strange XSS warning on youtube

Post by barbaz » Sun Mar 01, 2020 9:47 pm

That looks to have fixed it. Thanks Giorgio!
Giorgio Maone wrote:
Sun Mar 01, 2020 9:32 pm
x [XSS] Prevent DOS detection from being triggered for
already aborted requests (thanks therube)
(I'm not therube. :P )


Re: 11.0.14rc1 Strange XSS warning on youtube

Post by Giorgio Maone » Sun Mar 01, 2020 9:48 pm

barbaz wrote:
Sun Mar 01, 2020 9:47 pm

(I'm not therube. :P )
Sooo sorry, gonna fix it in stable release :)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
