XSS exception at blogger
For a few days I have been getting the "cross-site scripting" alert when editing my blog at blogger (https://draft.blogger.com).
I added the exception but it does not seem to be working. The alert is still there.
Thanks
BTW. Now I am also having a problem with google.it
If not solved I am forced to uninstall NoScript from all my Macs
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:45.0) Gecko/20100101 Firefox/45.0
Re: XSS exception at blogger
maurix wrote: I added the exception but it does not seem to be working. The alert is still there.
What exception?
Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
maurix wrote: If not solved I am forced to uninstall NoScript from all my Macs
Because of XSS alerts? No you are not. If you don't have time to troubleshoot, just go to NoScript Options > Advanced > XSS and un-check both boxes. Remember to enable them again when you're done.
*Always* check the changelogs BEFORE updating that important software!
XSS exception at blogger: again
Dear friends,
I have just read this post: viewtopic.php?f=7&t=23196
I have the same problem and I have tried to describe it there within the Italian Mozilla Forum:
https://forum.mozillaitalia.org/index.p ... #msg479717
I am not familiar with regular expressions and I really do not know how to build an exception for Blogger.
Is there anyone who can help me in building this exception for Blogger?
This is what my console shows:
Code:
channel.URI is undefined WebRequest.jsm:834
Caricamento non riuscito per lo <script> con sorgente “https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js”. blogger.g:12
L’utilizzo di Mutation Events è deprecato. Al suo posto utilizzare MutationObserver. 3652162377-ed__it.js:95:728
[NoScript InjectionChecker] JavaScript Injection in ///u/0/_/widget/render/autocomplete?origin=https://www.blogger.com&inparent=true&hl=it&source=wmtn:blogger&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#rpctoken=408019398&_methods=onstatechange,_ready,_close,_open,_resizeMe,_renderstart&id=I1_1502903908507&parent=https://www.blogger.com&pfname=
(function anonymous(
) {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Richiesta sospetta filtrata. URL originale [https://apis.google.com/u/0/_/widget/render/autocomplete?origin=https%3A%2F%2Fwww.blogger.com&inparent=true&hl=it&source=wmtn%3Ablogger&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#rpctoken=408019398&_methods=onstatechange%2C_ready%2C_close%2C_open%2C_resizeMe%2C_renderstart&id=I1_1502903908507&parent=https%3A%2F%2Fwww.blogger.com&pfname=] richiesto da [https://www.blogger.com/blogger.g?blogID=1806070156304911122#editor]. URL filtrato: [https://apis.google.com/#3149938400639374184].
[NoScript InjectionChecker] JavaScript Injection in ///u/0/widget?sourceid=30&hl=it&origin=https://www.blogger.com&uc=1&usegapi=1&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=30&_methods=onError,onInfo,hideNotificationWidget,postSharedMessage,reauth,setNotificationWidgetHeight,setNotificationWidgetSize,switchTo,navigateTo,setNotificationText,setNotificationAnimation,getNotificationText,validateUser,_ready&id=I0_1502903910385&parent=https://www.blogger.com&pfname=&rpctoken=14374962
(function anonymous(
) {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Richiesta sospetta filtrata. URL originale [https://notifications.google.com/u/0/widget?sourceid=30&hl=it&origin=https%3A%2F%2Fwww.blogger.com&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=30&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1502903910385&parent=https%3A%2F%2Fwww.blogger.com&pfname=&rpctoken=14374962] richiesto da [https://www.blogger.com/blogger.g?blogID=1806070156304911122#editor]. URL filtrato: [https://notifications.google.com/#7649496606835314410].
Problema di sicurezza: i contenuti in https://www.google.it/?gfe_rd=cr&ei=Zn6UWZ4p5sZekaiB-Ac#7649496606835314410 non possono caricare dati da https://www.blogger.com/blogger.g?blogID=1806070156304911122#editor.
Load denied by X-Frame-Options: https://www.google.it/?gfe_rd=cr&ei=Zn6UWZ4p5sZekaiB-Ac#7649496606835314410 does not permit cross-origin framing. (sconosciuto)
Thanks a lot for any help, Paolo from Italia.
---
Dear barbaz, thanks a lot for your patience, I am a newbie of this forum, sorry for the inconveniences.
Anyway, everything ok with Google and Blogger now with No Script 5.0.9
Last edited by GagliaudO16 on Fri Aug 25, 2017 12:21 pm, edited 2 times in total.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Re: XSS exception at blogger
barbaz wrote:
Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
thanks
This part of the message copied from the console
Code:
.......
ReferenceError: $ is not defined
memory:2357:1
[ABE WAN] Trying to detect WAN IP...
[ABE WAN] Detected WAN IP 82.84.163.219
[NoScript InjectionChecker] JavaScript Injection in ///u/0/widget?sourceid=30&hl=it&origin=https://draft.blogger.com&uc=1&usegapi=1&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=30&_methods=onError,onInfo,hideNotificationWidget,postSharedMessage,reauth,setNotificationWidgetHeight,setNotificationWidgetSize,switchTo,navigateTo,setNotificationText,setNotificationAnimation,getNotificationText,validateUser,_ready&id=I0_1502916716420&parent=https://draft.blogger.com&pfname=&rpctoken=92543464
(function anonymous() {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Richiesta sospetta filtrata. URL originale [https://notifications.google.com/u/0/widget?sourceid=30&hl=it&origin=https%3A%2F%2Fdraft.blogger.com&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=30&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1502916716420&parent=https%3A%2F%2Fdraft.blogger.com&pfname=&rpctoken=92543464] richiesto da [https://draft.blogger.com/blogger.g?blogID=7973958946267130001]. URL filtrato: [https://notifications.google.com/#499448842847718232].
Problema di sicurezza: i contenuti in https://www.google.it/?gfe_rd=cr&ei=b7CUWZjEFszCXr2xg9gI#499448842847718232 non possono caricare dati da https://draft.blogger.com/blogger.g?blogID=7973958946267130001.
[NoScript InjectionChecker] JavaScript Injection in ///u/0/widget?sourceid=30&hl=it&origin=https://draft.blogger.com&uc=1&usegapi=1&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=30&_methods=onError,onInfo,hideNotificationWidget,postSharedMessage,reauth,setNotificationWidgetHeight,setNotificationWidgetSize,switchTo,navigateTo,setNotificationText,setNotificationAnimation,getNotificationText,validateUser,_ready&id=I0_1502916852031&parent=https://draft.blogger.com&pfname=&rpctoken=36546424
(function anonymous() {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Richiesta sospetta filtrata. URL originale [https://notifications.google.com/u/0/widget?sourceid=30&hl=it&origin=https%3A%2F%2Fdraft.blogger.com&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=30&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1502916852031&parent=https%3A%2F%2Fdraft.blogger.com&pfname=&rpctoken=36546424] richiesto da [https://draft.blogger.com/blogger.g?blogID=7973958946267130001#allposts]. URL filtrato: [https://notifications.google.com/#9747596518687717305].
Problema di sicurezza: i contenuti in https://www.google.it/?gfe_rd=cr&ei=97CUWeKEKMzCXr2xg9gI#9747596518687717305 non possono caricare dati da https://draft.blogger.com/blogger.g?blogID=7973958946267130001#allposts.
Load denied by X-Frame-Options: https://www.google.it/?gfe_rd=cr&ei=97CUWeKEKMzCXr2xg9gI#9747596518687717305 does not permit cross-origin framing. <sconosciuto>
OpenGL compositor Initialized Succesfully.
Version: 1.4 APPLE-1.6.36
Vendor: Intel Inc.
Renderer: Intel GMA 950 OpenGL Engine
FBO Texture Target: TEXTURE_2D
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:45.0) Gecko/20100101 Firefox/45.0
Re: XSS exception at blogger
Threads merged. GagliaudO16, please do not start duplicate threads, it makes it harder to address the issue at hand.
___
I think it's a false positive. There are two different exceptions you could make, pick only one.
If you trust that notifications.google.com won't be vulnerable to XSS, use this exception -
Code:
^https://notifications\.google\.com/.*\?.*origin=https%3A%2F%2F(?:draft|www)\.blogger\.com&
Or if you rather trust that blogger.com won't XSS other sites -
Code:
^@https://(?:draft|www)\.blogger\.com/blogger\.g?
Either one would go in NoScript Options > Advanced > XSS > Anti-XSS protection exceptions.
Does this help?
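As an added example (not code from this thread or from NoScript), the sketch below checks which of the filtered requests in the posted console output each of the two exceptions would cover, plus one constructed request from an unrelated site. It assumes that a line beginning with `^@` is matched against the requesting page and any other line against the requested URL; `exceptionApplies`, `coverage` and the abridged URLs are illustrative.

```javascript
// The two exception lines exactly as posted above.
const DEST_EXCEPTION = String.raw`^https://notifications\.google\.com/.*\?.*origin=https%3A%2F%2F(?:draft|www)\.blogger\.com&`;
const SOURCE_EXCEPTION = String.raw`^@https://(?:draft|www)\.blogger\.com/blogger\.g?`;

// Hypothetical model of how a line is applied (assumption, see lead-in):
// "^@" lines are tested against the requesting page, others against the
// requested URL in its original, still percent-encoded form.
function exceptionApplies(pattern, sourceUrl, destUrl) {
  if (pattern.startsWith("^@")) {
    return new RegExp("^" + pattern.slice(2)).test(sourceUrl);
  }
  return new RegExp(pattern).test(destUrl);
}

// First three entries: abridged from the "[NoScript XSS]" console lines in
// this thread. Last entry: constructed control from an unrelated origin.
const REQUESTS = [
  { source: "https://www.blogger.com/blogger.g?blogID=1806070156304911122#editor",
    dest: "https://apis.google.com/u/0/_/widget/render/autocomplete?origin=https%3A%2F%2Fwww.blogger.com&inparent=true&hl=it" },
  { source: "https://www.blogger.com/blogger.g?blogID=1806070156304911122#editor",
    dest: "https://notifications.google.com/u/0/widget?sourceid=30&hl=it&origin=https%3A%2F%2Fwww.blogger.com&uc=1" },
  { source: "https://draft.blogger.com/blogger.g?blogID=7973958946267130001",
    dest: "https://notifications.google.com/u/0/widget?sourceid=30&hl=it&origin=https%3A%2F%2Fdraft.blogger.com&uc=1" },
  { source: "https://example.org/page",
    dest: "https://notifications.google.com/u/0/widget?sourceid=30&origin=https%3A%2F%2Fexample.org&uc=1" },
];

// One boolean per request: would this exception switch off filtering for it?
function coverage(pattern) {
  return REQUESTS.map(r => exceptionApplies(pattern, r.source, r.dest));
}

console.log("destination-based:", coverage(DEST_EXCEPTION));
console.log("source-based:     ", coverage(SOURCE_EXCEPTION));
```

Under this model the destination-based line leaves the apis.google.com request from the Blogger editor filtered, while the source-based line covers every request made from a blogger.g page; neither applies to the request coming from the unrelated site.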
Re: XSS exception at blogger
thanks, I'll add the exception rule in the early afternoon.
I don't know if this matters but I've just realized that I got the XSS alert if, and only if, I am logged in to Google (and therefore to Blogger). Meaning that if I open the page google.it as a guest (not logged in), everything is ok. The very moment I log in, the XSS alert pops up.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:45.0) Gecko/20100101 Firefox/45.0
Re: XSS exception at blogger
Sorry to say that none of the exceptions works for google. Tried each of them alone or together and still, after restarting FF, I got the xss alert.
No prob with blogger.
Should I rename somehow the above instructions for Google?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:45.0) Gecko/20100101 Firefox/45.0
Re: XSS exception at blogger
maurix wrote: Sorry to say that none of the exceptions works for google. Tried each of them alone or together and still, after restarting FF, I got the xss alert.
No prob with blogger.
Should I rename somehow the above instructions for Google?
see https://forums.informaction.com/viewtop ... =7&t=23204
@mary7 please do not cross-post, it makes it harder to help you.
Re: XSS exception at blogger
Do you still need the XSS exceptions with NoScript latest development build 5.0.9rc2?
Re: XSS exception at blogger
barbaz wrote: Do you still need the XSS exceptions with NoScript latest development build 5.0.9rc2?
Actually I don't know because now everything is working properly (I have added both the blogger and google.it exceptions to the XSS rule). I am still using 5.0.8.1 because it is the latest available for my FFox
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:45.0) Gecko/20100101 Firefox/45.0