Keep getting XSS warning when I open my browser

[JJ]

I keep getting a XSS warning every time I start firefox. It is from the same website. I went there once, but haven't been back. I'm worried I either got some sort of virus or this is a NoScript bug. Hopefully it is the later.

Code: Select all

NoScript detected a potential Cross-Site Scripting attack

from [...] to https://tempostorm.com.

Suspicious data:

(URL) https://tempostorm.com/{{ metaservice.ogMetaImage() }}

[Pansa]

I keep getting a XSS warning every time I start firefox. It is from the same website. I went there once, but haven't been back. I'm worried I either got some sort of virus or this is a NoScript bug. Hopefully it is the later.

Code: Select all

NoScript detected a potential Cross-Site Scripting attack

from [...] to https://tempostorm.com.

Suspicious data:

(URL) https://tempostorm.com/{{ metaservice.ogMetaImage() }}

Does your FF open to a blank page, or the "hub" page where they show you a lot of links you may want to visit?
Potentially it loads part of that page for that hub.

But it also means you gave [...] script permissions to begin with, because if it weren't allowed to run scripts, it wouldn't be allowed to crosscript to begin with.
Go to the Noscript options find [...] and look at what it is set to. If it isn't there, check what permissions the "default" preset has (you usually want default to have NO permissions)

If you still think something messed with your FF that way, I like "adwcleaner" for that. It's not a virusscanner, but it finds that kind of chicanery quite well. It's lightweight, no install, run on demand and has recently been bought by the malwarebytes folk.

[barbaz]

it also means you gave [...] script permissions to begin with, because if it weren't allowed to run scripts, it wouldn't be allowed to crosscript to begin with.

Nope, XSS can happen without the malicious site being Allowed. IIRC NoScript Classic actually uses a stricter XSS filter for requests originating from untrusted sites, than for requests originating from trusted sites.

See https://forums.informaction.com/viewtop ... 942#p91942 for a short explanation of what XSS is.

[Pansa]

it also means you gave [...] script permissions to begin with, because if it weren't allowed to run scripts, it wouldn't be allowed to cross-script to begin with.

Nope, XSS can happen without the malicious site being Allowed. IIRC NoScript Classic actually uses a stricter XSS filter for requests originating from untrusted sites, than for requests originating from trusted sites.

See "link" for a short explanation of what XSS is.

Err, no, just about every site uses javascript from another domain and it's not an attack situation. XSS is when a malicious site injects its Javascript code into another site, e g your bank, and your bank site then runs the malicious code in its own context, i.e. as though the malicious site's injected code were part of the bank site's own code. Your browser is the vector for this injection.

That is exactly what I mean.
In that example if I block the Bank's scripts, there shouldn't be an attack to begin with. It runs in the Bank's context. If I allow the bank, the attack is that I inadvertently allow someone else who injected something.

he wrote

from [...] to storm

I assume the [...] means a site he is not comfortable disclosing here.

I checked on imdb (which uses xss to call it's advertising network *hmpf*)
And the XSS warning comes up although I have BOTH on untrusted (for testing).

My question is why is NS warning me of something running in the imdb context, if I explicitly don't want imdb to execute ANY scripts (injected or not)?
I assume that is pointing back to the missing noscript tag?

[Azijn]

I assume the [...] means a site he is not comfortable disclosing here.

Nope. It literally says [...]/

I get the same thing for a newspaper site (nrc.nl). For some reason it's always the same site:

This is the full text of the pop-up I keep getting.
---
NoScript detected a potential Cross-Site Scripting attack

from [...] to https://images.nrc.nl.

Suspicious data:

(URL) https://images.nrc.nl/mszTFGmkKoXHIjgT- ... 1/geld.png
---

Interestingly when I don't even have anything related to the newspaper site open.

[grizzler]

NoScript's XSS handling is broken. On my system, it can't be switched off and keeps interfering as long as the add-on is installed, even if it's switched off in the add-on manager. On top op that, its popups are empty here. No text at all. I was forced to remove NoScript completely to be able to log in to a work related site.

[Pansa]

I assume the [...] means a site he is not comfortable disclosing here.

Nope. It literally says [...]/

I get the same thing for a newspaper site (nrc.nl). For some reason it's always the same site:

This is the full text of the pop-up I keep getting.
---
NoScript detected a potential Cross-Site Scripting attack

from [...] to https://images.nrc.nl.

Suspicious data:

(URL) https://images.nrc.nl/mszTFGmkKoXHIjgT- ... 1/geld.png
---

Interestingly when I don't even have anything related to the newspaper site open.

I am a bit confused now.
When you open firefox you get TWO immediate popups?

And you seem to have skipped my initial response up there.
Both those seem to load an image form otherwise "normal" webpages. If they do that without you actually BEING on that page knowingly, either it is prefetching those pages (based on you already having been there (In which case the Firefox "starting page" may be the culprit, the one with pages you might find interesting or have visited) or something else.

NoScript's XSS handling is broken. On my system, it can't be switched off and keeps interfering as long as the add-on is installed, even if it's switched off in the add-on manager. On top op that, its popups are empty here. No text at all. I was forced to remove NoScript completely to be able to log in to a work related site.

This seems like a "linux" problem. There are some other threads about layout problems with linux/ubuntu

[Azijn]

@Pansa, apologies for the confusion. I just registered, and I'm the 'guest' from the second post, but a different person from the original poster JJ.

If they do that without you actually BEING on that page knowingly, either it is prefetching those pages (based on you already having been there (In which case the Firefox "starting page" may be the culprit

I think you're on the money there. After having surfed a bit on other pages, the pop-up stopped happening from one page (nrc.nl), but started appearing for a different page! I have now disabled the 'starting page' content, and am no longer experiencing the issue.

[rugk]

Had a similar issue: https://forums.informaction.com/viewtop ... =7&t=23870

The actual issue is just the website having a broken SEO/metatag for image or description.(respectively using a JS templating system for their SEO information) When Firefox then tries to load this, it tries to load it with these curly brackets ("{{ templae }}") in the URL and NoScript detects this as a potential XSS attack – which it of course is not, in this case.