recurring XSS popup??

negativeions

recurring XSS popup??

Post by negativeions » Tue Nov 21, 2017 10:07 am

I forgot to mention, on my install, NoScript kept showing a popup window for sanitizing XSS. How do I make it save the settings? Christ sakes...... :P
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0

lancelot

Re: recurring XSS popup??

Post by lancelot » Tue Nov 21, 2017 10:38 am

Same issue here. As an example, I have www . imdb . com allowed and www . facebook . com not allowed. Every imdb page gives me a popup window:

NoScript detected a potential Cross-Site Scripting attack
from http :// www . imdb . com to https :// www . facebook . com.
Suspicious data:
window.name
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

No longer remember

Re: recurring XSS popup??

Post by No longer remember » Tue Nov 21, 2017 6:24 pm

Aside from the one about facebook, for which the "allow and remember" option was acceptable, there are others (e.g. stags.bluekai.com) that ought to have no popup, by virtue of having been classified by me as Untrusted.
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

lancelot

Re: recurring XSS popup??

Post by lancelot » Sat Dec 02, 2017 9:14 am

At least there's an option now to set it to "always block". But I think an "always block" global default is still needed. I had to click "always block" six times for one site already.
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

ohdada_yupie
Posts: 1
Joined: Sat Dec 02, 2017 9:31 am

Re: recurring XSS popup??

Post by ohdada_yupie » Sat Dec 02, 2017 9:34 am

Same here!

Image

I get those warnings when I click on Google search links or when I go to DuckDuckGo.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

juozas
Junior Member
Posts: 22
Joined: Sat Nov 25, 2017 8:44 am

Re: recurring XSS popup??

Post by juozas » Sat Dec 02, 2017 12:33 pm

On some sites, e.g. some tumblr pages with custom themes, the same XSS may repeat. Clicking "always allow" doesn't solve the problem until reload, as the same XSS repeats. The popup dialog, which always stays on top, cannot be minimized even when the tab is NOT in focus, which is annoying, not to mention the blank window bug, which is only solved by a right click.
Edit: Settings aren't saved across restarts somehow. Also, browsing storage-sync.sqlite with an SQLite editor program, I couldn't find a record (table row) with "key-xssWhitelist" in the record_id column, with the configuration stored in the record column, in the collection_data table. Previous versions of NoScript did store this data properly.
Made in the USSR
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
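
The check juozas describes in the post above can be scripted instead of done by hand in an SQLite editor. This is an added example, not code from the thread or from NoScript: the table name, the two column names and the record_id come from the post, while the function names, the sample database and its other record are constructed, and the records are assumed to be JSON text.

```python
import json
import sqlite3
import tempfile
from pathlib import Path

XSS_KEY = "key-xssWhitelist"  # record_id quoted in the post above


def find_sync_records(db_path, needle="xss"):
    """Return {record_id: record} for collection_data rows whose id contains needle."""
    # mode=ro: inspect the profile's database without ever writing to it.
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        if not con.execute("SELECT 1 FROM sqlite_master WHERE type='table' "
                           "AND name='collection_data'").fetchone():
            return {}  # table absent, so nothing was stored
        rows = con.execute("SELECT record_id, record FROM collection_data "
                           "WHERE lower(record_id) LIKE ?",
                           (f"%{needle.lower()}%",)).fetchall()
    finally:
        con.close()
    found = {}
    for record_id, record in rows:
        try:
            found[record_id] = json.loads(record)
        except (TypeError, ValueError):
            found[record_id] = record  # keep the raw value if it is not JSON
    return found


def build_sample_db(path, with_whitelist):
    """Constructed stand-in for storage-sync.sqlite, not a real profile file."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE collection_data (record_id TEXT, record TEXT)")
    rows = [("key-constructedOther", json.dumps({"constructed": True}))]
    if with_whitelist:
        rows.append((XSS_KEY, json.dumps({"constructed": "saved choices"})))
    con.executemany("INSERT INTO collection_data VALUES (?, ?)", rows)
    con.commit()
    con.close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, saved in (("persisted.sqlite", True), ("lost.sqlite", False)):
            db = Path(tmp, name)
            build_sample_db(db, saved)
            hits = find_sync_records(db)
            print(name, "->", "choices stored" if XSS_KEY in hits else "no XSS record")
```

Run it against a copy of the profile's storage-sync.sqlite, taken while Firefox is closed, before and after a restart to see whether the record survives.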

lancelot

Re: recurring XSS popup??

Post by lancelot » Sat Dec 02, 2017 11:53 pm

I've just noticed that too: when I quit and restart Firefox, I'm getting the same XSS popups on the same site about the same https://www.facebook.com that I've already clicked "Always block" on.
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

aussiebill
Posts: 5
Joined: Sun Nov 19, 2017 12:46 am

Re: recurring XSS popup??

Post by aussiebill » Sun Dec 03, 2017 1:50 am

I think this might be a reflection on how Firefox runs. If you look in the task manager, FF is opened 4 times, thus allowing memory to be cached in case of dropouts.
Maybe this is where NoScript is being caught up too. Running with FF at 4 times, it could be trying to block all the other versions of FF too. If you get an XSS script warning, shut down FF and re-open it; XSS should still be present as it switches to another FF running in the background.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

juozas
Junior Member
Posts: 22
Joined: Sat Nov 25, 2017 8:44 am

Re: recurring XSS popup??

Post by juozas » Sun Dec 03, 2017 6:02 am

Just updated NoScript to 10.1.5.3 on one of my test profiles. When I visit an affected site with multiple XSS of the same kind, adding an exception to the first one doesn't stop the other ones triggering the XSS popup, which repeats even after closing the tab or exiting the browser. Very annoying. Also, exceptions don't remain after restart, which is even more annoying.
The browser window after restart (last "window" was XSS popup):
Image
Made in the USSR
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0

lancelot

Re: recurring XSS popup??

Post by lancelot » Sun Dec 03, 2017 12:33 pm

And apparently 10.1.5.3 just wiped my XSS choices? I haven't restarted Firefox, just updated NoScript, and "Clear XSS user choices" is grayed out.
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

George Valitsas

Re: recurring XSS popup??

Post by George Valitsas » Sun Dec 03, 2017 1:10 pm

Same here, XSS does not remember "always allow" or "always block" choices when I close Firefox and start again. So the same message pops up again! Firefox is set to never remember history, I don't know whether this is relevant or not.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

lancelot

Re: recurring XSS popup??

Post by lancelot » Sun Dec 10, 2017 2:42 pm

XSS handling is still rather annoying. If google gives me an imdb link in the search results (http :// www . imdb.com / name / nm0643664 /), when I click the link, I get a NoScript XSS warning about a potential attack from google to imdb. If another search engine gives me that link, I'll get a different XSS warning. If I just open that imdb link by pasting it into the address bar, I get a warning saying "from [...] to http://www.imdb.com" (literally three dots).

First, is that even the correct behavior? Second, it really needs a global default.
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

mvenl

Re: recurring XSS popup??

Post by mvenl » Wed Dec 13, 2017 11:58 am

The "Always allow" choice is still not remembered. This is not good, as it might tempt people to just disable the XSS check altogether.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0

lancelot

Re: recurring XSS popup??

Post by lancelot » Mon Dec 18, 2017 8:02 pm

lancelot wrote:XSS handling is still rather annoying. If google gives me an imdb link in the search results (http :// www . imdb.com / name / nm0643664 /), when I click the link, I get a NoScript XSS warning about a potential attack from google to imdb. If another search engine gives me that link, I'll get a different XSS warning. If I just open that imdb link by pasting it into the address bar, I get a warning saying "from [...] to http://www.imdb.com" (literally three dots).

First, is that even the correct behavior? Second, it really needs a global default.
Besides, if I click "Always block" on the warning saying "from [...] to http://www.imdb.com", I get locked out of imdb, I cannot even open the main page www.imdb.com, even though that page hasn't been giving me a warning with the literal [...].

So it seems like a global default isn't even possible because of this.
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

lancelot

Re: recurring XSS popup??

Post by lancelot » Sat Jan 27, 2018 6:27 pm

lancelot wrote:
lancelot wrote:XSS handling is still rather annoying. If google gives me an imdb link in the search results (http :// www . imdb.com / name / nm0643664 /), when I click the link, I get a NoScript XSS warning about a potential attack from google to imdb. If another search engine gives me that link, I'll get a different XSS warning. If I just open that imdb link by pasting it into the address bar, I get a warning saying "from [...] to http://www.imdb.com" (literally three dots).

First, is that even the correct behavior? Second, it really needs a global default.
Besides, if I click "Always block" on the warning saying "from [...] to http://www.imdb.com", I get locked out of imdb, I cannot even open the main page www.imdb.com, even though that page hasn't been giving me a warning with the literal [...].

So it seems like a global default isn't even possible because of this.
Additionally, if I temporarily block the request "from [...] to http://www.imdb.com" (whatever that means), that apparently blocks some fonts as well:

Image

This is how the page should look like:

Image
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
