XSS filter not configurable and likely buggy on "mobile" Firefox

Android-specific support, bug reports and feature requests.
olf
Posts: 10
Joined: Sun Dec 03, 2017 3:10 pm

Post by olf »

The XSS filter does not work as described in the XSS FAQ on Fennec and Firefox for Android.

Background:
A payment process (per stripe.com) failed due to NoScript's XSS filter: The web-page for entering the payment data (e.g., credit card information) did not fully load.
Switching the XSS filter off and on reproducibly makes this web-page load completely (or not). It just took an afternoon to single this out as the reason.
While I attribute the mishap to the specific web-page being badly implemented (and likely not even specific to the payment process or its provider Stripe), I stumbled across potential bugs and basically non-existent configurability.

1. [Bug]
Workarounds 1 and 3 in FAQ section 4.2 do not seem to work!
In desperation I ended up trying to trust all scripts at this webpage and it still did not load completely, unless the XSS filter was switched off or NoScript was disabled.

2. [Bug?]
Nothing is visible in the error console (per add-on on mobile Firefox) when the XSS filter successfully filters. This contrasts with what FAQ section 4.3 describes.
This strongly contributed to the hurdles in tracking down the offender (the XSS filter), as I expected some output there if the filter filters.

3. [Usability]
The XSS filter is not configurable on mobile devices, in contrast to what the FAQ entries 4.2.2, 4.2.4, 4.3, 4.4, 4.5 and the description of the XSS options state: No options in the XSS tab of NoScript's options, except for "On / Off" and "Debug".
Having at least the most important XSS options configurable on mobile devices would be really nice.

4. [Usability bug]
The XSS filter does not display "activity notifications" in contrast to what is described in the FAQ section 4.3.
This results in webpages not fully loading, without any indication why!
Hence please display such a notification, also on mobile devices.

P.S.: Environment
Originally tested with NoScript 11.0.3 under Firefox and Fennec 67.x and 68.x for Android on AOSP 4.1.2 (API level 16).

P.P.S.: This is a repost, now in the correct "mobile" forum section.
Mozilla/5.0 (Android 4.1.2; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS filter not configurable and likely buggy on "mobile" Firefox

Post by Giorgio Maone »

Please check the latest development build:
v 11.0.47rc2
============================================================
x [Mobile] Use tabs as prompts if the browser.windows API is
missing
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0