XSS filter not configurable and likely buggy on "mobile" Firefox

Posted: Sat Nov 16, 2019 11:30 pm
by olf
The XSS filter does not work as described in the XSS FAQ on Fennec and Firefox for Android.

A payment process (per failed due to NoScript's XSS filter: The web-page for entering the payment data (e.g., credit card information) did not fully load.
Switching the XSS filter off and on reproducibly makes this web-page load completely (or not). It just took an afternoon to single this out as the reason.
While I attribute the mishap to the specific web-page being badly implemented (and likely not even specific to the payment process or its provider Stripe), I stumbled across potential bugs and basically non-existent configurability.

1. [Bug]
The workarounds 1 and 3 at FAQ section 4.2 do not seem to work!
In desperation I ended up trying to trust all scripts at this webpage and it still did not load completely, unless the XSS filter was switched off or NoScript was disabled.

2. [Bug?]
There is nothing visible, when the XSS filter successfully filters, at the error console (per add-on on mobile Firefox). This contrasts with what FAQ section 4.3 describes.
This strongly contributed to the hurdles to track down the offender (the XSS filter), as I expected some output there, if the filter filters.

3. [Usability]
The XSS filter is not configurable on mobile devices, in contrast to what the FAQ entries 4.2.2, 4.2.4, 4.3, 4.4, 4.5 and the description of the XSS options state: No options in the XSS tab of NoScript's options, except for "On / Off" and "Debug".
Having at least the most important XSS options configurable on mobile devices would be really nice.

4. [Usability bug]
The XSS filter does not display "activity notifications" in contrast to what is described in the FAQ section 4.3.
This results in webpages not fully loading, without any indication why!
Hence please display such a notification, also on mobile devices.

P.S.: Environment
Originally tested with NoScript 11.0.3 under Firefox and Fennec 67.x and 68.x for Android on AOSP 4.1.2 (API level 16).

P.P.S.: This is a repost, now in the correct "mobile" forum section.