NoScript and XSS attempt from [chrome]

[antipop]

It looks to me as though an XSS related error appears in these, but I must admit I understand very little of this hard-core developer stuff:

Code: Select all

Could not read chrome manifest 'file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox/chrome.manifest'.
SSL Observatory WARN: Failed to initialize NSS component:Error: couldn't find function symbol in library
Get a connection to permissions.sqlite.
While creating services from category 'profile-after-change', service for entry 'Sapi Speech Synth', contract ID '@mozilla.org/synthsapi;1' does not implement nsIObserver.
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:434:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:613:14
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:623:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1012:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1041:8
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1095:8
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1104:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1149:8
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1183:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:1208:14
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:2250:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:2263:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:2271:10
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:2413:8
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:2595:12
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead noscriptOverlay.js:2905:12
[CustomizableUI] Custom widget with id loop-button does not return a valid node CustomizableUI.jsm:166
downloadable font: download not allowed (font-family: "SSStandard" style:normal weight:normal stretch:normal src index:1): content blocked source: file:///C:/Users/display/AppData/Local/Temp/maftemp-5956ce75/1449241624519_287/1427138806505_70/index_files/ss-standard_woff ss-standard.css:3:12
downloadable font: download not allowed (font-family: "SSStandard" style:normal weight:normal stretch:normal src index:2): content blocked source: urn:not-loaded:http://www.pcworld.com/www.idgcsmb/webfonts/ss-standard.ttf ss-standard.css:3:12
1449241630788	Browser.SelfSupportBackend	ERROR	_loadSelfSupport - Non HTTPS URL provided:  Log.jsm:749:0
flags argument of String.prototype.{search,match,replace} is deprecated ssl-observatory.js:321:13
nsIJSON.encode is deprecated.  Please use JSON.stringify instead. ssl-observatory.js:610:0
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] observatory.eff.org
nsIJSON.encode is deprecated.  Please use JSON.stringify instead. ssl-observatory.js:610:0
1449241682960	Toolkit.Telemetry	ERROR	TelemetryStorage::loadAbortedSessionPing - error removing ping: PingReadError JS Stack trace: PingReadError@TelemetryStorage.jsm:80:15 < TelemetryStorageImpl.loadPingFile<@TelemetryStorage.jsm:1448:13 Log.jsm:749:0
nsIJSON.encode is deprecated.  Please use JSON.stringify instead. ssl-observatory.js:610:0
Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul
Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul
[NoScript XSS] Sanitized suspicious upload to [https://startpage.com/do/metasearch.pl] from [chrome://browser/content/browser.xul]: transformed into a download-only GET request.
Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. retina_mainpage.js:3:0
Exception { message: "", result: 2153644038, name: "", filename: "https://startpage.com/js/extra_util…", lineNumber: 1, columnNumber: 0, inner: null, data: null, stack: "c@https://startpage.com/js/extra_ut…" } extra_utils.js:1:417

[barbaz]

[NoScript XSS] Sanitized suspicious upload to [https://startpage.com/do/metasearch.pl] from [chrome://browser/content/browser.xul]: transformed into a download-only GET request.

This is the related message. Please install HTTPFox, start it watching, reproduce the problem, and (if it's available) post here the logged POST data of the blocked POST request.
EDIT Preferably raw data, not prettified.

[antipop2]

barbaz,

I installed the addon, as you requested. Obviously I do not understand much of what it is up to, but I am flexible, and persistent, if you think it may help with finding the cause of this problem. When I encountered another instance of the error condition, I had the addon open with a split window so that I could see it. The best I can tell, the POST Data message that got logged was this:

bc=sm

And this happened with the following URL

https://startpage.com/tbpu?

I am beginning to wonder whether this might be related to a missing font issue from Startpage? I said that because all the GET lines on either side of it appear to relate to fonts on "startpage.com". I am only speculating of course.

[barbaz]

According to the console message, the request to inspect is a POST request to

Code: Select all

https://startpage.com/do/metasearch.pl

It wouldn't be related to missing fonts.

[antipop2]

Okay, I looked at the same line as this one: "https://startpage.com/do/metasearch.pl"

and this is what was logged in the POST Data corresponding to that line:

query=noscript+and+forum&cat=web&language=english


Kindly do let me know if you want to see something else. Thanks, again.

[barbaz]

That is what I asked to see, and I've absolutely no idea why that'd trip the XSS filter.

I'm out of ideas atm, sorry.

[antipop]

I would really like to get to the bottom of why NoScript continually pops up this warning just about every other time I do a search in Firefox searchbox:

"NoScript filtered a potential coss-site scripting (XSS) attempt from [chrome:]. Techinical details have been logged to the console."

Below is a sample of the console log during such events.



[CustomizableUI] Custom widget with id loop-button does not return a valid node CustomizableUI.jsm:166
Exception { message: "", result: 2153644038, name: "", filename: "https://startpage.com/js/extra_util…", lineNumber: 1, columnNumber: 0, inner: null, data: null, stack: "c@https://startpage.com/js/extra_ut…" } extra_utils.js:1:417
[CustomizableUI] Custom widget with id loop-button does not return a valid node CustomizableUI.jsm:166
[NoScript XSS] Sanitized suspicious upload to [https://startpage.com/do/metasearch.pl] from [chrome://browser/content/browser.xul]: transformed into a download-only GET request.


This behavior is quite disruptive and inefficient because it makes me have to click through my affected searches two times before they take effect. I love the security of NoScript, but this is a quirk that should be addressed by the developer if need be. I have raised the issue before, but nothing was discovered or corrected. It is, at the very least, an unintended consequence of the program, if not even a bug, strictly speaking.

I am perfectly willing to help work through the issue to whatever extent my noncoding skills allow. Thanks.

[barbaz]

Merged your post here because it looks like this same problem you posted about before.

EDIT I see you already knew that. Please don't start multiple threads on the same subject, see Forum Rules #7 and #13 for more detail.

[antipop]

It was certainly not my intention to upset the flow of ideas or irritate you, barbaz. My intention is to fix a clear problem with NoScript, which I use religiously to avoid other, bigger problems. Since NoScript is creating a popup message and prompting me to double my efforts to make searches in Firefox, but all the while not providing me with sufficient information in the Console as to the cause, it would seem advisable for the developer to be aware of it and to provide some guidance for resolution. I hope to bring this problem to his attention. Burying my concern at the end of a long thread, which so far has given no hint of the cause, is unproductive, and it indicates that this approach is off track.

[barbaz]

No problem antipop, I get it.
I'll ask Giorgio to take a look, hopefully he can help investigate this and/or do something about it in NoScript.

[Giorgio Maone]

This seems quite an elusive problem, unfortunately.
I'm investigating, thanks both of you for your patience.

[antipop]

My default search engine in firefox is Startpage, which uses a proxy for Google and which has some settings designed to further protect searches. One of these settings is stated as "Use POST vs GET". I am not a developer, but It makes me wonder whether this procedure used by Startpage, and the fact that this is my defacto search engine in Firefox, could affect the searching procedure in such a way that NoScript would interpret it as an XSS violation?

I have disabled this option temporarily and left Startpage as the default search engine in order to test this idea further.

[barbaz]

You need to edit your searchplugin to make that change. Change this line

Code: Select all

<os:Url type="text/html" method="POST" template="https://startpage.com/do/metasearch.pl">

to this

Code: Select all

<os:Url type="text/html" method="GET" template="https://startpage.com/do/metasearch.pl">

(replace POST with GET)

If you want to keep the original searchplugin as-is, and list the "GET" one separately: completely quit Firefox, copy it into the same diretory (rename it), make the change to the copy and also change this entry

Code: Select all

<os:ShortName>Startpage (SSL)</os:ShortName>

to something else, e.g.

Code: Select all

<os:ShortName>Startpage (SSL) (GET)</os:ShortName>

and when you start Firefox again it will list both.

[onetime]

I'm also experiencing this. I also have a custom plugin for startpage. It triggers the anti-spam filter so I put it on a bin here https://dpaste.de/oE4C/raw.

I can reproduce the situation by looking up something on the engine, going on any of the results, then while in the result page if I try to create another search it reports that there was been an XSS attempt. It does not work on every site but it works 80% of the time for me. I'm using Arch Linux.

Here's a log of the browser console without the css messages. https://dpaste.de/qXZX/raw

[Thrawn]

Hmm...there's very little detail in that log, just the origin (chrome), destination (startpage.com), and action (turned into GET).