NoScript and XSS attempt from [chrome]

Ask for help about NoScript, no registration needed to post
antipop
Junior Member
Posts: 43
Joined: Mon Nov 26, 2012 12:47 am

Re: NoScript and XSS attempt from [chrome]

Post by antipop » Fri Dec 04, 2015 3:22 pm

It looks to me as though an XSS related error appears in these, but I must admit I understand very little of this hard-core developer stuff:

Code: Select all

Could not read chrome manifest 'file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox/chrome.manifest'.
SSL Observatory WARN: Failed to initialize NSS component:Error: couldn't find function symbol in library
Get a connection to permissions.sqlite.
While creating services from category 'profile-after-change', service for entry 'Sapi Speech Synth', contract ID '@mozilla.org/synthsapi;1' does not implement nsIObserver.
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:434:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:613:14
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:623:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1012:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1041:8
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1095:8
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1104:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1149:8
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1183:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1208:14
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:2250:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:2263:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:2271:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:2413:8
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:2595:12
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:2905:12
[CustomizableUI] Custom widget with id loop-button does not return a valid node CustomizableUI.jsm:166
downloadable font: download not allowed (font-family: "SSStandard" style:normal weight:normal stretch:normal src index:1): content blocked source: file:///C:/Users/display/AppData/Local/Temp/maftemp-5956ce75/1449241624519_287/1427138806505_70/index_files/ss-standard_woff ss-standard.css:3:12
downloadable font: download not allowed (font-family: "SSStandard" style:normal weight:normal stretch:normal src index:2): content blocked source: urn:not-loaded:http://www.pcworld.com/www.idgcsmb/webfonts/ss-standard.ttf ss-standard.css:3:12
1449241630788   Browser.SelfSupportBackend   ERROR   _loadSelfSupport - Non HTTPS URL provided:  Log.jsm:749:0
flags argument of String.prototype.{search,match,replace} is deprecated ssl-observatory.js:321:13
nsIJSON.encode is deprecated.  Please use JSON.stringify instead. ssl-observatory.js:610:0
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] observatory.eff.org
nsIJSON.encode is deprecated.  Please use JSON.stringify instead. ssl-observatory.js:610:0
1449241682960   Toolkit.Telemetry   ERROR   TelemetryStorage::loadAbortedSessionPing - error removing ping: PingReadError JS Stack trace: PingReadError@TelemetryStorage.jsm:80:15 < TelemetryStorageImpl.loadPingFile<@TelemetryStorage.jsm:1448:13 Log.jsm:749:0
nsIJSON.encode is deprecated.  Please use JSON.stringify instead. ssl-observatory.js:610:0
Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul
Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul
[NoScript XSS] Sanitized suspicious upload to [https://startpage.com/do/metasearch.pl] from [chrome://browser/content/browser.xul]: transformed into a download-only GET request.
Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. retina_mainpage.js:3:0
Exception { message: "", result: 2153644038, name: "", filename: "https://startpage.com/js/extra_util…", lineNumber: 1, columnNumber: 0, inner: null, data: null, stack: "c@https://startpage.com/js/extra_ut…" } extra_utils.js:1:417
Last edited by barbaz on Fri Dec 04, 2015 4:02 pm, edited 1 time in total.
Reason: wrap console messages in code tags
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Fri Dec 04, 2015 4:28 pm

antipop wrote:[NoScript XSS] Sanitized suspicious upload to [https://startpage.com/do/metasearch.pl] from [chrome://browser/content/browser.xul]: transformed into a download-only GET request.

This is the related message. Please install HTTPFox, start it watching, reproduce the problem, and (if it's available) post here the logged POST data of the blocked POST request.
EDIT Preferably raw data, not prettified.
*Always* check the changelogs BEFORE updating that important software!
-

antipop2

Re: NoScript and XSS attempt from [chrome]

Post by antipop2 » Sat Dec 05, 2015 12:20 am

barbaz,

I installed the addon, as you requested. Obviously I do not understand much of what it is up to, but I am flexible, and persistent, if you think it may help with finding the cause of this problem. When I encountered another instance of the error condition, I had the addon open with a split window so that I could see it. The best I can tell, the POST Data message that got logged was this:

bc=sm

And this happened with the following URL

https://startpage.com/tbpu?

I am beginning to wonder whether this might be related to a missing font issue from Startpage? I said that because all the GET lines on either side of it appear to relate to fonts on "startpage.com". I am only speculating of course.
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Sat Dec 05, 2015 1:08 am

According to the console message, the request to inspect is a POST request to

Code: Select all

https://startpage.com/do/metasearch.pl


It wouldn't be related to missing fonts.
*Always* check the changelogs BEFORE updating that important software!
-

antipop2

Re: NoScript and XSS attempt from [chrome]

Post by antipop2 » Sat Dec 05, 2015 1:58 am

Okay, I looked at the same line as this one: "https://startpage.com/do/metasearch.pl"

and this is what was logged in the POST Data corresponding to that line:

query=noscript+and+forum&cat=web&language=english


Kindly do let me know if you want to see something else. Thanks, again.
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Sat Dec 05, 2015 2:18 am

That is what I asked to see, and I've absolutely no idea why that'd trip the XSS filter.

I'm out of ideas atm, sorry.
*Always* check the changelogs BEFORE updating that important software!
-

antipop
Junior Member
Posts: 43
Joined: Mon Nov 26, 2012 12:47 am

NoScript filtered a potential coss-site scripting attempt

Post by antipop » Fri Jan 08, 2016 3:56 pm

I would really like to get to the bottom of why NoScript continually pops up this warning just about every other time I do a search in Firefox searchbox:

"NoScript filtered a potential coss-site scripting (XSS) attempt from [chrome:]. Techinical details have been logged to the console."

Below is a sample of the console log during such events.



[CustomizableUI] Custom widget with id loop-button does not return a valid node CustomizableUI.jsm:166
Exception { message: "", result: 2153644038, name: "", filename: "https://startpage.com/js/extra_util…", lineNumber: 1, columnNumber: 0, inner: null, data: null, stack: "c@https://startpage.com/js/extra_ut…" } extra_utils.js:1:417
[CustomizableUI] Custom widget with id loop-button does not return a valid node CustomizableUI.jsm:166
[NoScript XSS] Sanitized suspicious upload to [https://startpage.com/do/metasearch.pl] from [chrome://browser/content/browser.xul]: transformed into a download-only GET request.


This behavior is quite disruptive and inefficient because it makes me have to click through my affected searches two times before they take effect. I love the security of NoScript, but this is a quirk that should be addressed by the developer if need be. I have raised the issue before, but nothing was discovered or corrected. It is, at the very least, an unintended consequence of the program, if not even a bug, strictly speaking.

I am perfectly willing to help work through the issue to whatever extent my noncoding skills allow. Thanks.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:43.0) Gecko/20100101 Firefox/43.0

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Fri Jan 08, 2016 4:52 pm

Merged your post here because it looks like this same problem you posted about before.

EDIT I see you already knew that. Please don't start multiple threads on the same subject, see Forum Rules #7 and #13 for more detail.
*Always* check the changelogs BEFORE updating that important software!
-

antipop
Junior Member
Posts: 43
Joined: Mon Nov 26, 2012 12:47 am

Re: NoScript and XSS attempt from [chrome]

Post by antipop » Sat Jan 09, 2016 9:19 pm

It was certainly not my intention to upset the flow of ideas or irritate you, barbaz. My intention is to fix a clear problem with NoScript, which I use religiously to avoid other, bigger problems. Since NoScript is creating a popup message and prompting me to double my efforts to make searches in Firefox, but all the while not providing me with sufficient information in the Console as to the cause, it would seem advisable for the developer to be aware of it and to provide some guidance for resolution. I hope to bring this problem to his attention. Burying my concern at the end of a long thread, which so far has given no hint of the cause, is unproductive, and it indicates that this approach is off track.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:43.0) Gecko/20100101 Firefox/43.0

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Sat Jan 09, 2016 10:42 pm

No problem antipop, I get it.
I'll ask Giorgio to take a look, hopefully he can help investigate this and/or do something about it in NoScript.
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Giorgio Maone
Site Admin
Posts: 8802
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript and XSS attempt from [chrome]

Post by Giorgio Maone » Mon Jan 11, 2016 11:42 pm

This seems quite an elusive problem, unfortunately.
I'm investigating, thanks both of you for your patience.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0

antipop
Junior Member
Posts: 43
Joined: Mon Nov 26, 2012 12:47 am

Re: NoScript and XSS attempt from [chrome]

Post by antipop » Sun Jan 24, 2016 4:39 pm

My default search engine in firefox is Startpage, which uses a proxy for Google and which has some settings designed to further protect searches. One of these settings is stated as "Use POST vs GET". I am not a developer, but It makes me wonder whether this procedure used by Startpage, and the fact that this is my defacto search engine in Firefox, could affect the searching procedure in such a way that NoScript would interpret it as an XSS violation?

I have disabled this option temporarily and left Startpage as the default search engine in order to test this idea further.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:43.0) Gecko/20100101 Firefox/43.0

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Sun Jan 24, 2016 5:19 pm

You need to edit your searchplugin to make that change. Change this line

Code: Select all

<os:Url type="text/html" method="POST" template="https://startpage.com/do/metasearch.pl">

to this

Code: Select all

<os:Url type="text/html" method="GET" template="https://startpage.com/do/metasearch.pl">


(replace POST with GET)

If you want to keep the original searchplugin as-is, and list the "GET" one separately: completely quit Firefox, copy it into the same diretory (rename it), make the change to the copy and also change this entry

Code: Select all

<os:ShortName>Startpage (SSL)</os:ShortName>
to something else, e.g.

Code: Select all

<os:ShortName>Startpage (SSL) (GET)</os:ShortName>

and when you start Firefox again it will list both.
*Always* check the changelogs BEFORE updating that important software!
-

onetime
Posts: 1
Joined: Mon Apr 11, 2016 9:45 am

Re: NoScript and XSS attempt from [chrome]

Post by onetime » Mon Apr 11, 2016 9:59 am

I'm also experiencing this. I also have a custom plugin for startpage. It triggers the anti-spam filter so I put it on a bin here https://dpaste.de/oE4C/raw.

I can reproduce the situation by looking up something on the engine, going on any of the results, then while in the result page if I try to create another search it reports that there was been an XSS attempt. It does not work on every site but it works 80% of the time for me. I'm using Arch Linux.

Here's a log of the browser console without the css messages. https://dpaste.de/qXZX/raw
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: NoScript and XSS attempt from [chrome]

Post by Thrawn » Mon Apr 11, 2016 9:35 pm

Hmm...there's very little detail in that log, just the origin (chrome), destination (startpage.com), and action (turned into GET).
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

Post Reply