XSS & Marketwatch site
I ALWAYS get XSS warnings when I view the Marketwatch website. Like this:
https://drive.google.com/file/d/0B3aloI ... sp=sharing
Unsafe reload doesn't work because the problem keeps reappearing. X'ing them doesn't work because they keep reappearing.
Here are the errors I copied from the console. Can you tell me how to fix this permanently so I don't get these errors on the website any longer?
[NoScript XSS] xss.reason.TypeError: IOUtil.newChannelFromURI is not a function --- ChannelReplacement.prototype._init@chrome://noscript/content/ChannelReplacementLegacy.js:114
ChannelReplacement@chrome://noscript/content/ChannelReplacement.js:2
ABERequest.prototype<.replace@chrome://noscript/content/ABE.js:990
RequestWatchdog.prototype.filterXSS@chrome://noscript/content/RequestWatchdog.js:950
RequestWatchdog.prototype.onHttpStart/<@chrome://noscript/content/RequestWatchdog.js:158
DOSChecker.prototype.run@chrome://noscript/content/RequestWatchdog.js:2798
RequestWatchdog.prototype.onHttpStart@chrome://noscript/content/RequestWatchdog.js:159
ns.httpObserver.observe@jar:file:///D:/Users/Me%232/AppData/Roaming/Moonchild%20Productions/Pale%20Moon/Profiles/mggdaknq.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354
----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://tags.bluekai.com/site/4455?ret=h ... arketWatch] requested from [http://www.marketwatch.com/story/5-thin ... teid=nwhpm]. Sanitized URL: [http://tags.bluekai.com/site/4455?ret=h ... 0914172376].
----------
[NoScript InjectionChecker] JavaScript Injection in coalesced:///site/4455ret=html&limit=10&r=89200&phint=serverDomain=www.marketwatch.com, primaryProduct=MarketWatch, pageName=MW_Article_Personal Finance|Personal Finance_228D063A-D0E9-11E5-BF9E-4FFDC1DCE796, section=MW_Personal Finance, articleType=MW_Article_Normal_Personal Finance|Personal Finance, contentType=article, contentChannel=Article, isSub=nomem, __bk_k=5 things to know about the Costco and AmEx breakup - MarketWatch
(function anonymous() {
serverDomain=www.marketwatch.com, primaryProduct=MarketWatch, /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
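Why the InjectionChecker entry in the first post fires on this request: the fragment it logs inside `(function anonymous() { ... })` is syntactically valid JavaScript (two assignments joined by the comma operator). The following is an added illustration, not NoScript's code and not part of any post; `scriptLikePrefix`, `findSuspiciousParams` and the sample query are assumptions, and the prefix search is a simplification of what the real checker does.

```javascript
// Added illustration, not NoScript's code: a simplified syntax-based check.
// Constructed sample, modelled on the coalesced phint= values in the log above.
const SAMPLE_QUERY =
  "ret=html&limit=10&phint=serverDomain=www.marketwatch.com, " +
  "primaryProduct=MarketWatch, pageName=MW_Article_Personal Finance|Personal Finance";

// True if `text` compiles as a JavaScript function body.
// The Function constructor only parses here; the result is never called.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Longest comma-separated prefix of `value` that is valid script and
// contains an assignment, or null if there is none.
function scriptLikePrefix(value) {
  const parts = value.split(", ");
  for (let n = parts.length; n > 0; n--) {
    const candidate = parts.slice(0, n).join(", ");
    const assigns = /[\w$]\s*=(?!=)/.test(candidate);
    if (assigns && parsesAsScript(candidate)) return candidate;
  }
  return null;
}

// Report every query parameter whose value contains a script-like prefix.
function findSuspiciousParams(query) {
  const hits = [];
  for (const [name, value] of new URLSearchParams(query)) {
    const fragment = scriptLikePrefix(value);
    if (fragment !== null) hits.push({ name, fragment });
  }
  return hits;
}

console.log(findSuspiciousParams(SAMPLE_QUERY));
```

The full `phint` value does not parse because of the space in `MW_Article_Personal Finance`, but its first two items do, which matches the fragment shown in the log.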
Re: XSS & Marketwatch site
Don't know what to say about the first message. That might be a NoScript bug, not sure.
As for the others, can you please explain more how is this different from viewtopic.php?f=7&t=21542 ?
*Always* check the changelogs BEFORE updating that important software!
Re: XSS & Marketwatch site
Sorry, forgot about that other page. I will return to that one although I was not successful in getting comments to work, which is my ultimate goal.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Re: XSS & Marketwatch site
I get the first error in the opening posting
by visiting http://thefamiliar.beamdog.com/5.0/#!/articles/105651 with beamdog.com NOT on the whitelist, using Firefox 24ESR and NS 2.9.0.10.
In newer Firefox, the error is not shown and I can add beamdog.com to the whitelist.
But not in 24ESR, where there's only an entry for "about:blank" in the NS-menu.
After whitelisting beamdog.com from within the NS-options, the site's loading and the error is not shown.
Code:
[NoScript XSS] xss.reason.TypeError: IOUtil.newChannelFromURI is not a function --- ChannelReplacement.prototype._init@chrome://noscript/content/ChannelReplacementLegacy.js:114 ...
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Re: XSS & Marketwatch site
Jojo999 wrote: file:///D:/Users/Me%232/AppData/Roaming/Moonchild%20Productions/Pale%20Moon/Profiles/mggdaknq.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354
You are using Pale Moon (and disguising your user agent). Looks like NoScript has some difficulty with older Gecko (and, by extension, Goanna). Does it happen with the latest NoScript?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Re: XSS & Marketwatch site
Thrawn wrote: [Jojo999 wrote: file:///D:/Users/Me%232/AppData/Roaming/Moonchild%20Productions/Pale%20Moon/Profiles/mggdaknq.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354] You are using Pale Moon (and disguising your user agent). Looks like NoScript has some difficulty with older Gecko (and, by extension, Goanna). Does it happen with the latest NoScript?
Maybe it needs a special combination of whitelisted domains and settings.
EDIT: needs wsj.net and bluekai.com whitelisted, then the XSS-warning appears in both Firefox and Palemoon.
In a more recent Firefox-version, the warning does not appear.
The XSS-log-message on beamdog.com, and inability to whitelist beamdog.com from the NS-menu, is happening in Fx 24 and PM 26 using NS 2.9.0.10 either way.
PS: When the XSS-warning on marketwatch appears, the bluekai.com-domain-entry isn't listed in the NS-menu anymore, and I cannot blacklist bluekai.com this way. Is this a bug?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Re: XSS & Marketwatch site
I recommend that you completely block bluekai. Have you read the thread linked by barbaz? The fact that you don't see the XSS warnings with it blocked is a good thing.
With the latest Pale Moon and NoScript, do you still get the "IOUtil.newChannelFromURI is not a function" error?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Re: XSS & Marketwatch site
Thrawn wrote: I recommend that you completely block bluekai. Have you read the thread linked by barbaz? The fact that you don't see the XSS warnings with it blocked is a good thing.
Maybe, but when it's allowed and the page is reloaded using "Unsafe Reload" after the first time the XSS-warning pops up, shouldn't the warning not appear a second, third or fourth time?
EDIT: The XSS-warning and the error in the browser-console don't appear with bluekai whitelisted when "Sanitize cross-site-suspicious requests" is disabled or http://tags.bluekai.com is added to the XSS-whitelist.
Plus there's the issue of not being able to blacklist it again from the menu.
Thrawn wrote: With the latest Pale Moon and NoScript, do you still get the "IOUtil.newChannelFromURI is not a function" error?
Where?
Firefox 24ESR and NS 2.9.0.10 still throw the error on the beamdog.com-links pasted above, yes.
EDIT:
The error-message using the beamdog.com-link is a bit different than the one with bluekai.
beamdog:
Code:
[NoScript XSS] xss.reason.TypeError: IOUtil.newChannelFromURI is not a function --- ChannelReplacement.prototype._init@chrome://noscript/content/ChannelReplacementLegacy.js:114
ChannelReplacement@chrome://noscript/content/ChannelReplacement.js:2
ABERequest.prototype<.replace@chrome://noscript/content/ABE.js:990
RequestWatchdog.prototype.onHttpStart@chrome://noscript/content/RequestWatchdog.js:148
ns.httpObserver.observe@jar:file:///C:/Users/user/AppData/Roaming/Mozilla/Firefox/Profiles/qqdyhxdm.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354
Code:
[NoScript XSS] xss.reason.TypeError: IOUtil.newChannelFromURI is not a function --- ChannelReplacement.prototype._init@chrome://noscript/content/ChannelReplacementLegacy.js:114
ChannelReplacement@chrome://noscript/content/ChannelReplacement.js:2
ABERequest.prototype<.replace@chrome://noscript/content/ABE.js:990
RequestWatchdog.prototype.filterXSS@chrome://noscript/content/RequestWatchdog.js:950
RequestWatchdog.prototype.onHttpStart/<@chrome://noscript/content/RequestWatchdog.js:158
DOSChecker.prototype.run@chrome://noscript/content/RequestWatchdog.js:2798
RequestWatchdog.prototype.onHttpStart@chrome://noscript/content/RequestWatchdog.js:159
ns.httpObserver.observe@jar:file:///C:/Users/user/AppData/Roaming/Mozilla/Firefox/Profiles/qqdyhxdm.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Re: XSS & Marketwatch site
Well, Firefox 24 ESR is quite old, and although several moderators (including myself) like Pale Moon, Giorgio is targeting Firefox. Does the page still work despite the errors?
Rather than switching off the XSS filter, it would be better to block bluekai with something like ABE. The inability to un-trust it might be a bug.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Re: XSS & Marketwatch site
Thrawn wrote: Well, Firefox 24 ESR is quite old
NSS is marked as supporting Firefox 13 and newer, so I don't understand this remark.
Thrawn wrote: , and although several moderators (including myself) like Pale Moon, Giorgio is targeting Firefox. Does the page still work despite the errors?
See my postings above.
Thrawn wrote: Rather than switching off the XSS filter, it would be better to block bluekai with something like ABE. The inability to un-trust it might be a bug.
Yes, as much of a bug as not being able to whitelist beamdog.com when using the URL posted above.
The two error-messages might be related, as both cause the respective domain-entry to not be added to the NSS-dropdown-menu.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Re: XSS & Marketwatch site
Elbart wrote: [Thrawn wrote: Well, Firefox 24 ESR is quite old] NSS is marked as supporting Firefox 13 and newer, so I don't understand this remark.
NoScript *does* support Firefox 13+ however in practice supported browsers based on the latest Gecko seem to get priority over the older versions. (I think Giorgio anyway recommends updating the browser to latest version.)
Re: XSS & Marketwatch site
As suspected, the XSS-errors and misbehaviors (repeated XSS-unsafe-reload-notification, no entry in the NS-menu) for both the bluekai- and beamdog-issue are the result of a regression.
Last good: 2.9.0.6rc1
First bad: 2.9.0.8rc1
The versions in between either can't be installed in 24ESR or refuse to work at all ("not installed properly" or something like that).
PS: The beamdog-issue also affects mega.nz-URLs.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Re: XSS & Marketwatch site
Another example: https://www.vulnerabilitycenter.com/#!vul=55665
EDIT:
Another problem has the same regression-range:
The Web-GUI of SabNZBd 0.7.20 is in a permanent state of showing the loading-icon in the tabbar with 2.9.0.8rc1.
The GUI itself is refreshing every 4 seconds, but the loading animation is spinning non-stop. There's no way to stop it.
In 2.9.0.6rc1 this isn't happening.
To make things worse, there's no warning, error-message or other information pointing to the cause of this. The Network-inspector of Firefox isn't showing anything either.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Re: XSS & Marketwatch site
Elbart wrote: EDIT: Another problem has the same regression-range: The Web-GUI of SabNZBd 0.7.20 is in a permanent state of showing the loading-icon in the tabbar with 2.9.0.8rc1. The GUI itself is refreshing every 4 seconds, but the loading animation is spinning non-stop. There's no way to stop it. In 2.9.0.6rc1 this isn't happening. To make things worse, there's no warning, error-message or other information pointing to the cause of this. The Network-inspector of Firefox isn't showing anything either.
viewtopic.php?f=10&t=21762 ?
Re: XSS & Marketwatch site
I am getting a NoScript XSS Warning for this site https://www.marketwatch.com/
Just click the link and the warning should pop up
Red Error messages from the Error Console
Code:
XML Parsing Error: no root element found
Location: https://mwstream.wsj.net/bg2/signalr/abort?transport=webSockets&clientProtocol=1.5&connectionToken=041716a9-a8bc-4519-9814-6a80505f99f8%3A&connectionData=%5B%7B%22name%22%3A%22mainhub%22%7D%5D
Line Number 1, Column 1: abort:1:1
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0