XSS & Marketwatch site

Jojo999
Senior Member
Posts: 143
Joined: Mon Jun 01, 2009 3:54 am

XSS & Marketwatch site

Post by Jojo999 »

I ALWAYS get XSS warnings when I view the Marketwatch website. Like this:

https://drive.google.com/file/d/0B3aloI ... sp=sharing

Unsafe reload doesn't work because the problem keeps reappearing. X'ing them doesn't work because they keep reappearing.

Here are the errors I copied from the console. Can you tell me how to fix this permanently so I don't get these errors on the website any longer?

[NoScript XSS] xss.reason.TypeError: IOUtil.newChannelFromURI is not a function --- ChannelReplacement.prototype._init@chrome://noscript/content/ChannelReplacementLegacy.js:114
ChannelReplacement@chrome://noscript/content/ChannelReplacement.js:2
ABERequest.prototype<.replace@chrome://noscript/content/ABE.js:990
RequestWatchdog.prototype.filterXSS@chrome://noscript/content/RequestWatchdog.js:950
RequestWatchdog.prototype.onHttpStart/<@chrome://noscript/content/RequestWatchdog.js:158
DOSChecker.prototype.run@chrome://noscript/content/RequestWatchdog.js:2798
RequestWatchdog.prototype.onHttpStart@chrome://noscript/content/RequestWatchdog.js:159
ns.httpObserver.observe@jar:file:///D:/Users/Me%232/AppData/Roaming/Moonchild%20Productions/Pale%20Moon/Profiles/mggdaknq.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354

----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://tags.bluekai.com/site/4455?ret=h ... arketWatch] requested from [http://www.marketwatch.com/story/5-thin ... teid=nwhpm]. Sanitized URL: [http://tags.bluekai.com/site/4455?ret=h ... 0914172376].
----------
[NoScript InjectionChecker] JavaScript Injection in coalesced:///site/4455ret=html&limit=10&r=89200&phint=serverDomain=www.marketwatch.com, primaryProduct=MarketWatch, pageName=MW_Article_Personal Finance|Personal Finance_228D063A-D0E9-11E5-BF9E-4FFDC1DCE796, section=MW_Personal Finance, articleType=MW_Article_Normal_Personal Finance|Personal Finance, contentType=article, contentChannel=Article, isSub=nomem, __bk_k=5 things to know about the Costco and AmEx breakup - MarketWatch
(function anonymous() {
serverDomain=www.marketwatch.com, primaryProduct=MarketWatch, /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
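The InjectionChecker line in the post above shows what the filter is actually testing: the query-string parameters are coalesced and a fragment is wrapped as `(function anonymous() { <fragment> /* COMMENT_TERMINATOR */ DUMMY_EXPR })` to see whether it compiles as JavaScript. The block below is an added example written for this thread, not NoScript's own implementation; the function names, the pre-filter regex and the "longest parseable prefix" heuristic are assumptions, and the sample URL is a shortened construction modelled on the bluekai request in the log.

```javascript
// Added example, not NoScript's code: a simplified model of the syntax check that
// the "(function anonymous() { ... /* COMMENT_TERMINATOR */ DUMMY_EXPR })" log line
// above implies. Names, the pre-filter and the prefix heuristic are assumptions.

// Characters that make a fragment worth compiling at all. A plain word such as
// "html" or a number such as "10" parses as JavaScript too, but carries nothing
// that could execute, so it is skipped before any compilation attempt.
const SUSPICIOUS_CHARS = /[=()\[\]{};.<>'"`\\]/;

// Does the fragment compile as a function body once a comment terminator and a
// dummy expression are appended? The terminator closes any "/*" the fragment left
// open; DUMMY_EXPR makes a trailing "," or operator legal. The function is only
// compiled, never invoked, so unknown identifiers do not matter.
function parsesAsJS(fragment) {
  const body = fragment + " /* COMMENT_TERMINATOR */\nDUMMY_EXPR";
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Candidate fragments: the whole value plus every prefix ending at "," or ";",
// longest first, so the longest parseable prefix is the one reported (the log
// above stops right after "primaryProduct=MarketWatch,").
function candidates(value) {
  const cuts = [value];
  for (let i = 0; i < value.length; i++) {
    if (value[i] === "," || value[i] === ";") cuts.push(value.slice(0, i + 1));
  }
  return cuts.sort((a, b) => b.length - a.length);
}

// Returns the longest fragment of one parameter value that parses as JS, or null.
function findInjection(value) {
  if (!SUSPICIOUS_CHARS.test(value)) return null;
  for (const frag of candidates(value)) {
    if (SUSPICIOUS_CHARS.test(frag) && parsesAsJS(frag)) return frag;
  }
  return null;
}

// Scans every query parameter of a URL and lists those that look like JavaScript.
function scanQuery(urlString) {
  const url = new URL(urlString);
  const hits = [];
  for (const [name, value] of url.searchParams) {
    const fragment = findInjection(value);
    if (fragment !== null) hits.push({ name, fragment });
  }
  return hits;
}

// Constructed sample modelled on the bluekai URL in the log (shortened; not the
// real request). The "phint" value is a comma-separated key=value list, which a
// JavaScript parser reads as a sequence of assignment expressions.
const SAMPLE_URL =
  "http://tags.bluekai.com/site/4455?ret=html&limit=10&r=89200" +
  "&phint=serverDomain=www.marketwatch.com, primaryProduct=MarketWatch, pageName=MW_Article_Personal Finance" +
  "&__bk_k=5 things to know about the Costco and AmEx breakup - MarketWatch";

console.log(JSON.stringify(scanQuery(SAMPLE_URL), null, 2));
```

Run with Node; the only hit is the `phint` parameter, with the fragment `serverDomain=www.marketwatch.com, primaryProduct=MarketWatch,`. That is the whole story behind the warning on this site: the tracker's telemetry value happens to be syntactically valid JavaScript, so a purely syntactic check cannot tell it apart from an injected script, and the request is sanitized every time the page reloads it.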
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS & Marketwatch site

Post by barbaz »

Don't know what to say about the first message. That might be a NoScript bug, not sure.
As for the others, can you please explain more how this is different from viewtopic.php?f=7&t=21542 ?
*Always* check the changelogs BEFORE updating that important software!
-
Jojo999
Senior Member
Posts: 143
Joined: Mon Jun 01, 2009 3:54 am

Re: XSS & Marketwatch site

Post by Jojo999 »

Sorry, forgot about that other page. I will return to that one although I was not successful in getting comments to work, which is my ultimate goal.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Elbart
Junior Member
Posts: 35
Joined: Mon Jul 15, 2013 2:25 pm

Re: XSS & Marketwatch site

Post by Elbart »

I get the first error in the opening posting


[NoScript XSS] xss.reason.TypeError: IOUtil.newChannelFromURI is not a function --- ChannelReplacement.prototype._init@chrome://noscript/content/ChannelReplacementLegacy.js:114 ...
by visiting http://thefamiliar.beamdog.com/5.0/#!/articles/105651 with beamdog.com NOT on the whitelist, using Firefox 24ESR and NS 2.9.0.10.

In newer Firefox, the error is not shown and I can add beamdog.com to the whitelist.
But not in 24ESR, where there's only an entry for "about:blank" in the NS-menu.
After whitelisting beamdog.com from within the NS-options, the site's loading and the error is not shown.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: XSS & Marketwatch site

Post by Thrawn »

Jojo999 wrote:file:///D:/Users/Me%232/AppData/Roaming/Moonchild%20Productions/Pale%20Moon/Profiles/mggdaknq.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354
You are using Pale Moon (and disguising your user agent). Looks like NoScript has some difficulty with older Gecko (and, by extension, Goanna). Does it happen with the latest NoScript?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Elbart
Junior Member
Posts: 35
Joined: Mon Jul 15, 2013 2:25 pm

Re: XSS & Marketwatch site

Post by Elbart »

Thrawn wrote:
Jojo999 wrote:file:///D:/Users/Me%232/AppData/Roaming/Moonchild%20Productions/Pale%20Moon/Profiles/mggdaknq.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354
You are using Pale Moon (and disguising your user agent). Looks like NoScript has some difficulty with older Gecko (and, by extension, Goanna). Does it happen with the latest NoScript?
Tried PM 26.1.1 and NS 2.9.0.10 and couldn't trigger the XSS-warning on marketwatch.com.
Maybe it needs a special combination of whitelisted domains and settings.

EDIT: needs wsj.net and bluekai.com whitelisted, then the XSS-warning appears in both Firefox and Pale Moon.
In a more recent Firefox-version, the warning does not appear.

The XSS-log-message on beamdog.com, and inability to whitelist beamdog.com from the NS-menu, is happening in Fx 24 and PM 26 using NS 2.9.0.10 either way.

PS: When the XSS-warning on marketwatch appears, the bluekai.com-domain-entry isn't listed in the NS-menu anymore, and I cannot blacklist bluekai.com this way. Is this a bug?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: XSS & Marketwatch site

Post by Thrawn »

I recommend that you completely block bluekai. Have you read the thread linked by barbaz? The fact that you don't see the XSS warnings with it blocked is a good thing.

With the latest Pale Moon and NoScript, do you still get the "IOUtil.newChannelFromURI is not a function" error?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Elbart
Junior Member
Posts: 35
Joined: Mon Jul 15, 2013 2:25 pm

Re: XSS & Marketwatch site

Post by Elbart »

Thrawn wrote:I recommend that you completely block bluekai. Have you read the thread linked by barbaz? The fact that you don't see the XSS warnings with it blocked is a good thing.
Maybe, but when it's allowed and the page is reloaded using "Unsafe Reload" after the first time the XSS-warning pops up, shouldn't the warning no longer appear a second, third or fourth time?
EDIT: The XSS-warning and the error in the browser-console don't appear with bluekai whitelisted when "Sanitize cross-site-suspicious requests" is disabled or http://tags.bluekai.com is added to the XSS-whitelist.

Plus there's the issue of not being able to blacklist it again from the menu.
Thrawn wrote:With the latest Pale Moon and NoScript, do you still get the "IOUtil.newChannelFromURI is not a function" error?
Where?

Firefox 24ESR and NS 2.9.0.10 still throw the error on the beamdog.com-links pasted above, yes.

EDIT:
The error-message using the beamdog.com-link is a bit different from the one with bluekai.

beamdog:


[NoScript XSS] xss.reason.TypeError: IOUtil.newChannelFromURI is not a function --- ChannelReplacement.prototype._init@chrome://noscript/content/ChannelReplacementLegacy.js:114
ChannelReplacement@chrome://noscript/content/ChannelReplacement.js:2
ABERequest.prototype<.replace@chrome://noscript/content/ABE.js:990
RequestWatchdog.prototype.onHttpStart@chrome://noscript/content/RequestWatchdog.js:148
ns.httpObserver.observe@jar:file:///C:/Users/user/AppData/Roaming/Mozilla/Firefox/Profiles/qqdyhxdm.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354
bluekai:


[NoScript XSS] xss.reason.TypeError: IOUtil.newChannelFromURI is not a function --- ChannelReplacement.prototype._init@chrome://noscript/content/ChannelReplacementLegacy.js:114
ChannelReplacement@chrome://noscript/content/ChannelReplacement.js:2
ABERequest.prototype<.replace@chrome://noscript/content/ABE.js:990
RequestWatchdog.prototype.filterXSS@chrome://noscript/content/RequestWatchdog.js:950
RequestWatchdog.prototype.onHttpStart/<@chrome://noscript/content/RequestWatchdog.js:158
DOSChecker.prototype.run@chrome://noscript/content/RequestWatchdog.js:2798
RequestWatchdog.prototype.onHttpStart@chrome://noscript/content/RequestWatchdog.js:159
ns.httpObserver.observe@jar:file:///C:/Users/user/AppData/Roaming/Mozilla/Firefox/Profiles/qqdyhxdm.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: XSS & Marketwatch site

Post by Thrawn »

Well, Firefox 24 ESR is quite old, and although several moderators (including myself) like Pale Moon, Giorgio is targeting Firefox. Does the page still work despite the errors?

Rather than switching off the XSS filter, it would be better to block bluekai with something like ABE. The inability to un-trust it might be a bug.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Elbart
Junior Member
Posts: 35
Joined: Mon Jul 15, 2013 2:25 pm

Re: XSS & Marketwatch site

Post by Elbart »

Thrawn wrote:Well, Firefox 24 ESR is quite old
NSS is marked as supporting Firefox 13 and newer, so I don't understand this remark.
Thrawn wrote:, and although several moderators (including myself) like Pale Moon, Giorgio is targeting Firefox. Does the page still work despite the errors?
See my postings above.
Thrawn wrote:Rather than switching off the XSS filter, it would be better to block bluekai with something like ABE. The inability to un-trust it might be a bug.
Yes, as much of a bug as not being able to whitelist beamdog.com when using the URL posted above.
The two error-messages might be related, as both cause the respective domain-entry to not be added to the NSS-dropdown-menu.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS & Marketwatch site

Post by barbaz »

Elbart wrote:
Thrawn wrote:Well, Firefox 24 ESR is quite old
NSS is marked as supporting Firefox 13 and newer, so I don't understand this remark.
NoScript *does* support Firefox 13+; however, in practice supported browsers based on the latest Gecko seem to get priority over the older versions. (I think Giorgio anyway recommends updating the browser to the latest version.)
Elbart
Junior Member
Posts: 35
Joined: Mon Jul 15, 2013 2:25 pm

Re: XSS & Marketwatch site

Post by Elbart »

As suspected, the XSS-errors and misbehaviors (repeated XSS-unsafe-reload-notification, no entry in the NS-menu) for both the bluekai- and beamdog-issue are the result of a regression.

Last good: 2.9.0.6rc1
First bad: 2.9.0.8rc1

The versions in between either can't be installed in 24ESR or refuse to work at all ("not installed properly" or something like that).

PS: The beamdog-issue also affects mega.nz-URLs.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Elbart
Junior Member
Posts: 35
Joined: Mon Jul 15, 2013 2:25 pm

Re: XSS & Marketwatch site

Post by Elbart »

Another example: https://www.vulnerabilitycenter.com/#!vul=55665

EDIT:
Another problem has the same regression-range:
The Web-GUI of SabNZBd 0.7.20 is in a permanent state of showing the loading-icon in the tabbar with 2.9.0.8rc1.
The GUI itself is refreshing every 4 seconds, but the loading animation is spinning non-stop. There's no way to stop it.

In 2.9.0.6rc1 this isn't happening.

To make things worse, there's no warning, error-message or other information pointing to the cause of this. The Network-inspector of Firefox isn't showing anything either.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS & Marketwatch site

Post by barbaz »

Elbart wrote:EDIT:
Another problem has the same regression-range:
The Web-GUI of SabNZBd 0.7.20 is in a permanent state of showing the loading-icon in the tabbar with 2.9.0.8rc1.
The GUI itself is refreshing every 4 seconds, but the loading animation is spinning non-stop. There's no way to stop it.

In 2.9.0.6rc1 this isn't happening.

To make things worse, there's no warning, error-message or other information pointing to the cause of this. The Network-inspector of Firefox isn't showing anything either.
viewtopic.php?f=10&t=21762 ?
VIPscriptfree
Posts: 6
Joined: Wed Nov 22, 2017 5:39 pm

Re: XSS & Marketwatch site

Post by VIPscriptfree »

I am getting a NoScript XSS Warning for this site https://www.marketwatch.com/
Just click the link and the warning should pop up

Red Error messages from the Error Console


XML Parsing Error: no root element found
Location: https://mwstream.wsj.net/bg2/signalr/abort?transport=webSockets&clientProtocol=1.5&connectionToken=041716a9-a8bc-4519-9814-6a80505f99f8%3A&connectionData=%5B%7B%22name%22%3A%22mainhub%22%7D%5D
Line Number 1, Column 1: abort:1:1
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0