XSS and google

Guest

XSS and google

Post by Guest »

The update says the XSS issue has been fixed but it still acts up on google.co.jp, it is very annoying
I can't even do an unsafe reload as I get a blank page, a fix would be appreciated

Thanks
Mozilla/5.0 (Windows NT 6.1; rv:55.0) Gecko/20100101 Firefox/55.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: XSS and google

Post by GµårÐïåñ »

How about providing some information that can be used to actually discover a solution or even validate the issue is NS related.

At the very least post the "unsafe reload" link that is provided to you so we can see why it thinks it is unsafe and go from there.

Remember, support forum, not a psychic shop. We require some information on the so called problem before we can figure out what's wrong with it. We don't have a crystal ball.

Also, just because a related sounding issue is marked as fixed, doesn't mean it applies to everything out there sharing the same title.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS and google

Post by barbaz »

GµårÐïåñ wrote:At the very least post the "unsafe reload" link that is provided to you so we can see why it thinks it is unsafe and go from there.
Guest wrote:I can't even do an unsafe reload as I get a blank page,
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS and google

Post by barbaz »

Guest, please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
-
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: XSS and google

Post by GµårÐïåñ »

barbaz wrote:
GµårÐïåñ wrote:At the very least post the "unsafe reload" link that is provided to you so we can see why it thinks it is unsafe and go from there.
Guest wrote:I can't even do an unsafe reload as I get a blank page,
And? The link has always been able to be copied, you don't have to actually load it to copy it, seriously? The blank page suggests something else is being blocked and preventing it from loading or the original link generating the XSS is invalid to begin with or has an improper redirection.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS and google

Post by barbaz »

Apparently we interpreted that statement differently. I took it to mean they were redirected to a blank page so fast they couldn't do anything with the XSS notification bar.

Guest, can you please clear this up as well?
*Always* check the changelogs BEFORE updating that important software!
-
AnotherGuest

Re: XSS and google

Post by AnotherGuest »

I'm not the same guest, but I'm getting the same xss messages when performing searches.

Console output:

Code:

[NoScript InjectionChecker] JavaScript Injection in ///u/0/widget?sourceid=1&hl=en&origin=https://www.google.com.mx&uc=1&usegapi=1&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError,onInfo,hideNotificationWidget,postSharedMessage,reauth,setNotificationWidgetHeight,setNotificationWidgetSize,switchTo,navigateTo,setNotificationText,setNotificationAnimation,getNotificationText,validateUser,_ready&id=I0_1503029447798&parent=https://www.google.com.mx&pfname=&rpctoken=20093748
(function anonymous() {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://notifications.google.com/u/0/widget?sourceid=1&hl=en&origin=https%3A%2F%2Fwww.google.com.mx&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1503029447798&parent=https%3A%2F%2Fwww.google.com.mx&pfname=&rpctoken=20093748] requested from [https://www.google.com.mx/search?client=firefox-b&q=macarena&oq=macarena&gs_l=psy-ab.3..0i71k1l4.0.0.0.83806.0.0.0.0.0.0.0.0..0.0....0...1..64.psy-ab..0.0.0.zGPoVB31D8A]. Sanitized URL: [https://notifications.google.com/#5238393364113552739].
[NoScript InjectionChecker] JavaScript Injection in ///u/0/widget?sourceid=1&hl=en&origin=https://www.google.com.mx&usegapi=1&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError,onInfo,hideNotificationWidget,postSharedMessage,reauth,setNotificationWidgetHeight,setNotificationWidgetSize,switchTo,navigateTo,setNotificationText,setNotificationAnimation,getNotificationText,validateUser,_ready&id=I0_1503029454331&parent=https://www.google.com.mx&pfname=&rpctoken=14126897
(function anonymous() {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://notifications.google.com/u/0/widget?sourceid=1&hl=en&origin=https%3A%2F%2Fwww.google.com.mx&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1503029454331&parent=https%3A%2F%2Fwww.google.com.mx&pfname=&rpctoken=14126897] requested from [https://www.google.com.mx/?gfe_rd=cr&ei=5miWWcevCMi1mQHs35uACQ#5238393364113552739]. Sanitized URL: [https://notifications.google.com/#37620461912841685888].
Using unsafe reload, I get this URL, but the page is blank:

Code:

https://notifications.google.com/u/0/widget?sourceid=1&hl=en&origin=https%3A%2F%2Fwww.google.com.mx&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1503029474369&parent=https%3A%2F%2Fwww.google.com.mx&pfname=&rpctoken=50778240
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS and google

Post by barbaz »

AnotherGuest, you are not the only one reporting that XSS filter false positive - https://forums.informaction.com/viewtop ... =7&t=23196

If you trust that notifications.google.com won't be vulnerable to XSS, use this exception -

Code:

^https://notifications\.google\.com/u/0/widget\?

Or if you'd rather trust that google won't XSS other sites -

Code:

^@https://www\.google\.com(?:\.mx)?/

Either one would go in NoScript Options > Advanced > XSS > Anti-XSS protection exceptions.

Does this help?

(no, this is not a straight copy-paste from my post in the other thread. :) )
*Always* check the changelogs BEFORE updating that important software!
-
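To see what each of the two exceptions above exempts, here is an added example (not part of the original posts and not NoScript's own code). It assumes a plain pattern is tested against the destination URL and a `^@` pattern against "@" plus the source URL; the request URLs are constructed, abbreviated from the console output earlier in the thread.

```javascript
// Added example: audits the scope of the two Anti-XSS exceptions from the post.
// Assumption: each pattern is tested against the destination URL and against
// "@" + source URL, so a pattern beginning with ^@ can only match the source.
const EXCEPTIONS = [
  String.raw`^https://notifications\.google\.com/u/0/widget\?`, // trusts the destination
  String.raw`^@https://www\.google\.com(?:\.mx)?/`,             // trusts the source
];

// Returns the patterns that would exempt this request from XSS filtering.
function matchingExceptions(sourceUrl, destUrl, patterns = EXCEPTIONS) {
  return patterns.filter((p) => {
    const re = new RegExp(p);
    return re.test(destUrl) || re.test("@" + sourceUrl);
  });
}

// Constructed sample requests (abbreviated; *.example hosts are placeholders).
const WIDGET = "https://notifications.google.com/u/0/widget?sourceid=1&hl=en";
const REQUESTS = [
  { name: "widget requested from google.com.mx",
    source: "https://www.google.com.mx/search?q=macarena", dest: WIDGET },
  { name: "widget requested from an unrelated site",
    source: "https://site.example/", dest: WIDGET },
  { name: "any destination requested from google.com",
    source: "https://www.google.com/", dest: "https://other.example/page?x=1" },
  { name: "lookalike source host",
    source: "https://www.google.com.example.net/", dest: "https://other.example/page?x=1" },
  { name: "different path on notifications.google.com",
    source: "https://site.example/", dest: "https://notifications.google.com/settings?x=1" },
];

// Pairs every sample request with the exceptions that would let it through.
function audit(requests = REQUESTS) {
  return requests.map((r) => ({
    name: r.name,
    exemptedBy: matchingExceptions(r.source, r.dest),
  }));
}

console.log(JSON.stringify(audit(), null, 2));
```

The first exception exempts the widget URL no matter which site requests it, while the second exempts every request that originates from www.google.com or www.google.com.mx; the escaped dots and the trailing `/` keep lookalike hosts from matching.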
Guest

Re: XSS and google

Post by Guest »

GµårÐïåñ wrote:How about providing some information that can be used to actually discover a solution or even validate the issue is NS related.

At the very least post the "unsafe reload" link that is provided to you so we can see why it thinks it is unsafe and go from there.

Remember, support forum, not a psychic shop. We require some information on the so called problem before we can figure out what's wrong with it. We don't have a crystal ball.

Also, just because a related sounding issue is marked as fixed, doesn't mean it applies to everything out there sharing the same title.
If I knew what to post I would have posted it, I have no idea what you require or not.
Maybe I sounded harsher than I intended to be, but that's not a reason to be this condescending.

Anyway thank you barbaz, I used the first exception and I don't get the issue anymore :)
Mozilla/5.0 (Windows NT 6.1; rv:55.0) Gecko/20100101 Firefox/55.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS and google

Post by barbaz »

You're welcome.
Guest wrote:If I knew what to post I would have posted it, I have no idea what you require or not.
Maybe I sounded harsher than I intended to be, but that's not a reason to be this condescending.
He wasn't being condescending, he was just explaining the importance of providing details when asking for help. "The XSS issue" doesn't tell us much.

Anyway, glad you got it sorted. :)
*Always* check the changelogs BEFORE updating that important software!
-
mary7
Posts: 10
Joined: Sat Aug 19, 2017 11:05 am

Re: XSS and google

Post by mary7 »

Hi, I have the same issue with Google, which is my start page. On my desktop, where I'm logged in to Google, there is the XSS alert "NoScript has filtered a cross site scripting attempt" when I open Firefox and when I do a search. This problem appeared today when I updated Firefox from 55.0.1 to 55.0.2. On my husband's laptop, without logging in, there is no alert. Will this issue be resolved?

Mary from Italy
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS and google

Post by barbaz »

@mary7 Do the above exceptions not take care of the problem for you?
*Always* check the changelogs BEFORE updating that important software!
-
mary7
Posts: 10
Joined: Sat Aug 19, 2017 11:05 am

Re: XSS and google

Post by mary7 »

No, I have the same problem as this Deutsch user, but for me it is with Google.it and not Google.de.
This is an image of the console report https://ibb.co/nmO6j5 of the Deutsch user (now I am out and I reply with my phone)
Mozilla/5.0 (Linux; Android 5.0.2; SM-T535 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Safari/537.36
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS and google

Post by barbaz »

Without your exact console messages we're just guessing, but you could try this exception -

Code:

^@https://www\.google\.it/
*Always* check the changelogs BEFORE updating that important software!
-
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: XSS and google

Post by GµårÐïåñ »

Guest wrote:If I knew what to post I would have posted it, I have no idea what you require or not.
Maybe I sounded harsher than I intended to be, but that's not a reason to be this condescending.
As self admitted "harsh" aside (I am not a wallflower); I wasn't and it is not condescension to expect, at the very least, basic information before being able to support something - it should go without saying.

Glad you found barbaz's response helpful, but we still don't know WHY it happened, but solution is solution and if you are happy then we are happy; but keep in mind, as barbaz already noted, the assumption for the fix is simply that YOU trust that the XSS occurring is not evil, nothing more.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0