XSS and google
The update says the XSS issue has been fixed but it still acts up on google.co.jp, it is very annoying
I can't even do an unsafe reload as I get a blank page, a fix would be appreciated
Thanks
Mozilla/5.0 (Windows NT 6.1; rv:55.0) Gecko/20100101 Firefox/55.0
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: XSS and google
How about providing some information that can be used to actually discover a solution or even validate the issue is NS related.
At the very least post the "unsafe reload" link that is provided to you so we can see why it thinks it is unsafe and go from there.
Remember, support forum, not a psychic shop. We require some information on the so called problem before we can figure out what's wrong with it. We don't have a crystal ball.
Also, just because a related sounding issue is marked as fixed, doesn't mean it applies to everything out there sharing the same title.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Re: XSS and google
GµårÐïåñ wrote:At the very least post the "unsafe reload" link that is provided to you so we can see why it thinks it is unsafe and go from there.
Guest wrote:I can't even do an unsafe reload as I get a blank page,
*Always* check the changelogs BEFORE updating that important software!
Re: XSS and google
Guest, please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
- GµårÐïåñ
Re: XSS and google
barbaz wrote:GµårÐïåñ wrote:At the very least post the "unsafe reload" link that is provided to you so we can see why it thinks it is unsafe and go from there.
Guest wrote:I can't even do an unsafe reload as I get a blank page,
And? The link has always been able to be copied, you don't have to actually load it to copy it, seriously? The blank page suggests something else is being blocked and preventing it from loading or the original link generating the XSS is invalid to begin with or has an improper redirection.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Re: XSS and google
Apparently we interpreted that statement differently. I took it to mean they were redirected to a blank page so fast they couldn't do anything with the XSS notification bar.
Guest, can you please clear this up as well?
Re: XSS and google
I'm not the same guest, but I'm getting the same xss messages when performing searches.
Console output:
Code:
[NoScript InjectionChecker] JavaScript Injection in ///u/0/widget?sourceid=1&hl=en&origin=https://www.google.com.mx&uc=1&usegapi=1&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError,onInfo,hideNotificationWidget,postSharedMessage,reauth,setNotificationWidgetHeight,setNotificationWidgetSize,switchTo,navigateTo,setNotificationText,setNotificationAnimation,getNotificationText,validateUser,_ready&id=I0_1503029447798&parent=https://www.google.com.mx&pfname=&rpctoken=20093748
(function anonymous() {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://notifications.google.com/u/0/widget?sourceid=1&hl=en&origin=https%3A%2F%2Fwww.google.com.mx&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1503029447798&parent=https%3A%2F%2Fwww.google.com.mx&pfname=&rpctoken=20093748] requested from [https://www.google.com.mx/search?client=firefox-b&q=macarena&oq=macarena&gs_l=psy-ab.3..0i71k1l4.0.0.0.83806.0.0.0.0.0.0.0.0..0.0....0...1..64.psy-ab..0.0.0.zGPoVB31D8A]. Sanitized URL: [https://notifications.google.com/#5238393364113552739].
[NoScript InjectionChecker] JavaScript Injection in ///u/0/widget?sourceid=1&hl=en&origin=https://www.google.com.mx&usegapi=1&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError,onInfo,hideNotificationWidget,postSharedMessage,reauth,setNotificationWidgetHeight,setNotificationWidgetSize,switchTo,navigateTo,setNotificationText,setNotificationAnimation,getNotificationText,validateUser,_ready&id=I0_1503029454331&parent=https://www.google.com.mx&pfname=&rpctoken=14126897
(function anonymous() {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://notifications.google.com/u/0/widget?sourceid=1&hl=en&origin=https%3A%2F%2Fwww.google.com.mx&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1503029454331&parent=https%3A%2F%2Fwww.google.com.mx&pfname=&rpctoken=14126897] requested from [https://www.google.com.mx/?gfe_rd=cr&ei=5miWWcevCMi1mQHs35uACQ#5238393364113552739]. Sanitized URL: [https://notifications.google.com/#37620461912841685888].
Using unsafe reload, I get this URL, but the page is blank:
Code:
https://notifications.google.com/u/0/widget?sourceid=1&hl=en&origin=https%3A%2F%2Fwww.google.com.mx&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1503029474369&parent=https%3A%2F%2Fwww.google.com.mx&pfname=&rpctoken=50778240
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Re: XSS and google
AnotherGuest, you are not the only one reporting that XSS filter false positive - https://forums.informaction.com/viewtop ... =7&t=23196
If you trust that notifications.google.com won't be vulnerable to XSS, use this exception -
Code:
^https://notifications\.google\.com/u/0/widget\?
Or if you rather trust that google won't XSS other sites -
Code:
^@https://www\.google\.com(?:\.mx)?/
Either one would go in NoScript Options > Advanced > XSS > Anti-XSS protection exceptions.
Does this help?
(no, this is not a straight copy-paste from my post in the other thread. )
Re: XSS and google
GµårÐïåñ wrote:How about providing some information that can be used to actually discover a solution or even validate the issue is NS related. At the very least post the "unsafe reload" link that is provided to you so we can see why it thinks it is unsafe and go from there. Remember, support forum, not a psychic shop. We require some information on the so called problem before we can figure out what's wrong with it. We don't have a crystal ball. Also, just because a related sounding issue is marked as fixed, doesn't mean it applies to everything out there sharing the same title.
If I knew what to post I would have posted it, I have no idea what you require or not.
Maybe I sounded harsher than I intended to be, but that's not a reason to be this condescending.
Anyway thank you barbaz, I used the first exception and I don't get the issue anymore
Mozilla/5.0 (Windows NT 6.1; rv:55.0) Gecko/20100101 Firefox/55.0
Re: XSS and google
You're welcome.
Guest wrote:If I knew what to post I would have posted it, I have no idea what you require or not. Maybe I sounded harsher than I intended to be, but that's not a reason to be this condescending.
He wasn't being condescending, he was just explaining the importance of providing details when asking for help. "The XSS issue" doesn't tell us much.
Anyway, glad you got it sorted.
Re: XSS and google
Hi, I have the same issue with Google, which is my start page. On my desktop, where I'm logged in to Google, there is the XSS alert "No Script has filtered a cross site scripting attempt" when I open Firefox and when I do a search. This problem appeared today when I updated Firefox from 55.0.1 to 55.0.2. On my husband's laptop, without logging in, there is no alert. Will this issue be resolved?
Mary from Italy
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Re: XSS and google
@mary7 Do the above exceptions not take care of the problem for you?
Re: XSS and google
No, I have the same problem as this Deutsch user, but for me it is with Google.it and not Google.de.
This is an image of the console report https://ibb.co/nmO6j5 of the Deutsch user (now I am out and I reply with my phone)
Mozilla/5.0 (Linux; Android 5.0.2; SM-T535 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Safari/537.36
Re: XSS and google
Without your exact console messages we're just guessing, but you could try this exception -
Code:
^@https://www\.google\.it/
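An added example, not part of any post in this thread and not NoScript's own code: it parses a console line in the "[NoScript XSS]" format quoted earlier and reports which of the three exceptions suggested in this thread would exempt a given request. It assumes that a pattern starting with "^@" is tested against "@" plus the requesting (source) URL and any other pattern against the destination URL; the log line is constructed and shortened, and other.example and example.net are hypothetical hosts.

```javascript
// Added example, not NoScript code. Assumption: a pattern that starts with "^@"
// is tested against "@" + the requesting (source) URL; any other pattern is
// tested against the destination URL as it appears in the log.
const EXCEPTIONS = [
  String.raw`^https://notifications\.google\.com/u/0/widget\?`, // destination-scoped
  String.raw`^@https://www\.google\.com(?:\.mx)?/`,             // source-scoped
  String.raw`^@https://www\.google\.it/`,                       // source-scoped
];

// Constructed, shortened line in the format of the console output in this thread.
const SAMPLE_LOG =
  "[NoScript XSS] Sanitized suspicious request. Original URL " +
  "[https://notifications.google.com/u/0/widget?sourceid=1&origin=https%3A%2F%2Fwww.google.com.mx] " +
  "requested from [https://www.google.com.mx/search?q=macarena]. " +
  "Sanitized URL: [https://notifications.google.com/#0].";

// Pull destination, source and sanitized URL out of a "[NoScript XSS]" line.
function parseXssLog(line) {
  const m = /Original URL \[(.+?)\] requested from \[(.+?)\]\. Sanitized URL: \[(.+?)\]/.exec(line);
  return m ? { dest: m[1], source: m[2], sanitized: m[3] } : null;
}

// Return the exception patterns that would exempt a request from source to dest.
function matchingExceptions(source, dest, patterns = EXCEPTIONS) {
  return patterns.filter((p) =>
    new RegExp(p).test(p.startsWith("^@") ? "@" + source : dest));
}

const req = parseXssLog(SAMPLE_LOG);
const cases = [
  [req.source, req.dest],                           // the reported google.com.mx case
  ["https://www.google.co.jp/", req.dest],          // other Google domain, same widget
  ["https://www.google.it/", req.dest],             // google.it start page
  [req.source, "https://other.example/page?q=1"],   // same source, unrelated destination
  ["https://www.google.co.jp/",
   "https://notifications.google.com.example.net/u/0/widget?x=1"], // look-alike host
];
for (const [source, dest] of cases) {
  console.log(new URL(source).host, "->", new URL(dest).host,
              matchingExceptions(source, dest));
}
```

The destination-scoped exception covers the widget URL whichever Google domain requests it, while a source-scoped one exempts every request that originates from the named site, which is the trust decision the posts describe.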
- GµårÐïåñ
Re: XSS and google
Guest wrote:If I knew what to post I would have posted it, I have no idea what you require or not. Maybe I sounded harsher than I intended to be, but that's not a reason to be this condescending.
As self admitted "harsh" aside (I am not a wallflower); I wasn't and it is not condescension to expect, at the very least, basic information before being able to support something - it should go without saying.
Glad you found barbaz's response helpful, but we still don't know WHY it happened, but solution is solution and if you are happy then we are happy; but keep in mind, as barbaz already noted, the assumption for the fix is simply that YOU trust that the XSS occurring is not evil, nothing more.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0