NoScript and XSS attempt from [chrome]

[antipop]

I have the latest versions of NoScript in Firefox on Windows 10 Pro. I use Startpage as my default search engine. Just about every time I enter any text in the small search box at the top right of Firefox, while the Startpage is loaded as my homepage, and press Enter, I get a NoScript message appearing across the top to this effect:

"NoScript filtered a potential cross-site scripting (XSS) attempt from [chrome]. Technical details have been logged to the Console. "

So, is there anything I can do to prevent this from happening without altogether disabling the important messages such as this? Thanks.

[barbaz]

WFM... can you please post the contents of your Startpage searchplugin's xml file as well as a sample query that triggers the XSS filter?

[antipop]

Hello, barbaz

> "...Startpage searchplugin's xml file "

Where would I find this file? Thanks.

[barbaz]

Is it in a "searchplugins" subdirectory of your profile folder?

Also I've fixed the above post for you.

[antipop2]

I think this is what you asked to see, from here C:\Users\me\AppData\Roaming\Mozilla\Firefox\Profiles\ujf4f8wo.default\searchplugins\startpage-ssl.xml:

Code: Select all

<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/" xmlns:os="http://a9.com/-/spec/opensearch/1.1/">
<os:ShortName>Startpage (SSL)</os:ShortName>
<os:Description>Startpage is a search engine that does not collect or share personally identifiable information. This search bar extension utilizes SSL to protect transmissions between You and Startpage.</os:Description>
<os:InputEncoding>UTF-8</os:InputEncoding>
<os:Image width="16" height="16">data:image/x-icon;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD2jkj+9YtD/vWLQ/71i0P+9otD/vaLRP72i0T+9YtE/vWLRP72i0T+9otD/vaNRP72jUT+9otF/vaLRf73kkv+9Yc///WJP//1iT//9Yk///rAmf/94Mz/+sCa//aRTv/1iUH/9ok///aJP//2i0H/9otB//aJQv/2iUL/9otC//aNRP/2jUT/9o1E//aNRP/6wpv////////////96dr/95dQ//aNRP/2kET/9pBG//aQRv/2kEb/9pBG//aRR//3lEz/95BH//mueP/7xJ3/959g//efYf/4p23//vDm//3p2//3kEr/95FJ//aRSf/niFH/95FK//aRSv/2mE//95hS/vq4iP/////////////////81bj/95xZ//q4iP//////+bF+//eZT//njFT/PSqi/2xGjv/2mVD/951V/vedVv783cX///////vQrf/++PP///////748//+8uj///////m3gf/olFr/PSuj/w8Pt/9sSJD/951V//eeWf73oVv++8ul///////5sXf/+KRi//vRsf////////////3r3v/olF//Piyk/w8Pt/9sSJH/+J5Z//ieWv/3oV/++KZf/vihXP/97N7//vn0//zTs//6wJP/+bBy//q6iP/onW//Piyl/w8Pt/8fGbH/m2iB/+icY//4pGD/96hl/viqZf74pmD/+Kxr//3iy/////////n1//ivbP/onGj/Pi2m/w8Pt/8uJKz/fFeQ/x8Zsf8+Lqb/6J9r//ivbP74rm3++Klm//mpZv/5q2f/+bR9//m0e//poW7/Pi6n/w8Pt/9sTZj/+Ktp//ira/+rd4P/Dw+3/4xijv/5snH++LN1/vmvbf/5r23/+a5t//mvb//4r2//TTuk/w8Pt/8fGrL/6ah1//ivcP/4r3P/q3yI/w8Pt/+MZpP/+bN5/vm4ev75t3X/+bV1//m1df/5t3X/+Ld3/8qUhP98XZn/Hxqz/+mse//5t3f/2p+B/x8as/8PD7f/u4qK//m7fv76u4D++bl7//m3fP/5uXz/+bl8//m5fP/5t3z/+bl//x8as/9NPKf/fWCb/x8as/8PD7f/bVOh//q5f//6v4X++sGI/vm9g//5voX/+b6F//m9hf/6vYX/+r6F//nCh/+bepr/Hxu0/w8Pt/8PD7f/fWOh//q+hf/6wof/+saN/vrGjf75xIv/+ceL//nEi//5xIv/+sSL//rHi//6x43/+ceN/+m7kP+7lpj/6ruQ//rHkP/6x43/+seQ//rLlf76ypT++seR//rJkf/6yZH/+seR//rJkf/6yZH/+8mR//vJlP/7yZT/+smU//rJlP/6yZT/+8yV//rJlf/6zpn+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==</os:Image>
<SearchForm>https://startpage.com/</SearchForm>
<os:Url type="text/html" method="POST" template="https://startpage.com/do/metasearch.pl">
  <os:Param name="query" value="searchTerms"/>
  <os:Param name="cat" value="web"/>
  <os:Param name="language" value="english"/>
</os:Url>
</SearchPlugin>

Do let me know if you want to see something else or if you see any problems in the above file. Thank you.

[barbaz]

That is indeed the searchplugin I asked to see. The last part of your searchplugin looks quite different from mine, you have this

Code: Select all

<SearchForm>https://startpage.com/</SearchForm>
<os:Url type="text/html" method="POST" template="https://startpage.com/do/metasearch.pl">
  <os:Param name="query" value="searchTerms"/>
  <os:Param name="cat" value="web"/>
  <os:Param name="language" value="english"/>
</os:Url>

where I have this

Code: Select all

<UpdateInterval>3</UpdateInterval>
<UpdateUrl>https://startpage.com/toolbar/searchbar/en/startpage_ff_secure_en.src</UpdateUrl>
<IconUpdateUrl>https://startpage.com/toolbar/searchbar/en/startpage.png</IconUpdateUrl>
<os:Url type="text/html" method="POST" template="https://startpage.com/do/search">
  <os:Param name="query" value="{searchTerms}"/>
  <os:Param name="cat" value="web"/>
  <os:Param name="pl" value="ff"/>
  <os:Param name="language" value="english"/>
</os:Url>

Did the board strip the curly brackets off of your "searchTerms"? If so, for future reference you can work around it by typing double curly brackets before preview and submit.

[barbaz]

Even so, I'm not seeing what would trigger the XSS filter. Can you please post a sample query per above?

BTW how come you can't log in?

[antipop]

barbaz,

I can log in just fine. However, it is not necessary to log in to post, but I cannot post with my registered user ID while doing so. I simply post without logging in while using "antipop2" as the ID. Does my doing it like this cause a problem in the information for some reason?

Anyway, I just now saw this same problem occur while making a search. I entered for instance this expression exactly in this manner: microsoft certification

The Startpage was opened when I entered these words, but I put them in the little search box on upper right, not in the Startpage search box at the center of its page.When I entered it in the search box and pressed Enter, it popped up the message. It only shows the error message the first time I press Enter; when I then click the arrow "-->" at the end of the box or press Enter again, it does the search normally.

[barbaz]

I can log in just fine. However, it is not necessary to log in to post, but I cannot post with my registered user ID while doing so. I simply post without logging in while using "antipop2" as the ID. Does my doing it like this cause a problem in the information for some reason?

We prefer you log in to post if you're registered because posting as guest makes it easier for people to impersonate you and harder for people to follow who's who, plus you have to solve the CAPTCHA every time you need to post and you can't edit posts, plus the spam filter might treat you differently.
Good that you don't have some problem with your account anyway.

Anyway, I just now saw this same problem occur while making a search. I entered for instance this expression exactly in this manner: microsoft certification

The Startpage was opened when I entered these words, but I put them in the little search box on upper right, not in the Startpage search box at the center of its page.When I entered it in the search box and pressed Enter, it popped up the message. It only shows the error message the first time I press Enter; when I then click the arrow "-->" at the end of the box or press Enter again, it does the search normally.

It shouldn't matter what page you have opened...

In any case I can't reproduce this, regardless of script permissions of Startpage or having Startpage opened or using your searchplugin.
Please create a clean profile from scratch. Add your searchplugin from your existing profile (create a "searchplugins" folder in your new profile folder, then copy in the xml file). Install only NoScript latest development build, leaving all the defaults. Does the problem still exist?
If not, what if you then import your NS settings into the clean profile using the Import and Export buttons *on the very bottom* of NS Options?

Let us know, thanks.

[antipop]

I want to add another point about this before deciding my next step in troubleshooting. On far end of the notification bar with aforementioned error message, there is an options button that appears, giving me choices such as Load console, Unsafe Reload, Notifications, Options, and XSS FAQ. So, I was wondering whether one of these choices would either lead to a straightforward solution or help to pinpoint the cause, say, possibly from information in the Console. Thanks.

[barbaz]

bye

[barbaz]

Oops, I realize I forgot to ask, when this issue occurs do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)

So yes, the "Load console" option would help, but the others probably won't.

[antipop2]

Is this what you asked to see:

Code: Select all

"[TunnelToLms] get ajax response from https://api-mva.microsoft.com ==> {"messageWay":"response","messageType":"AJAX_SUCCESS","messageId":"TunnelToMvaApi44","statusText":"success","statusCode":200,"statusMessage":"OK","result":"User activity saved successfully"}" scowrapper:14:107185
"[TunnelToMvaApi] get ajax response from https://api-mva.microsoft.com ==> {"messageWay":"response","messageType":"AJAX_SUCCESS","messageId":"TunnelToMvaApi44","statusText":"success","statusCode":200,"statusMessage":"OK","result":"User activity saved successfully"}" scowrapper:14:107185
Exception { message: "", result: 2153644038, name: "", filename: "https://startpage.com/js/extra_util…", lineNumber: 2, columnNumber: 0, inner: null, data: null, stack: "c@https://startpage.com/js/extra_ut…" } extra_util.js:2:417
Exception { message: "", result: 2153644038, name: "", filename: "https://startpage.com/js/extra_util…", lineNumber: 2, columnNumber: 0, inner: null, data: null, stack: "c@https://startpage.com/js/extra_ut…" } extra_util.js:2:417
[CustomizableUI] Custom widget with id loop-button does not return a valid node

[antipop2]

And here is another shortly thereafter:

Code: Select all

GET 
https://startpage.com/font/ProximaNova-Bold-webfont.woff2 [HTTP/1.1 200 OK 0ms]
GET 
https://startpage.com/font/Arimo-Regular-webfont.woff2 [HTTP/1.1 200 OK 0ms]
POST 
XHR 
https://startpage.com/tbpu [HTTP/1.1 200 OK 66ms]
GET 
https://startpage.com/font/OpenSans-Regular-webfont.woff [HTTP/1.1 200 OK 0ms]
Exception { message: "", result: 2153644038, name: "", filename: "https://startpage.com/js/extra_util…", lineNumber: 1, columnNumber: 0, inner: null, data: null, stack: "c@https://startpage.com/js/extra_ut…" }

[barbaz]

Unfortunately the NoScript XSS message is not there...
If what you posted is all you see, try increasing about:config > devtools.hud.loglimit.console to something bigger?