Repeated XSS false positives on Tumblr sites

Post by canmom »

Tumblr is a blogging website, where users are generally given a subdomain such as username.tumblr.com.

Every time I visit a Tumblr site for the first time since the Firefox Quantum update, I get a popup warning about a potential XSS attack. Here is an example:

Image

This is annoying, but it wouldn't be too much of a problem if I could click once to allow all such requests for that Tumblr site. However, often, even after I've clicked 'always allow document requests from abc.tumblr.com to assets.tumblr.com/', I will need to click through a large number of identical popups before they will go away.

Tumblr blogs can be styled using 'themes' consisting of an HTML template. One of the options that Tumblr provides in themes is to include a 'like' button on posts, which shows as red if the person viewing the page has already 'liked' that post, and grey otherwise. When the page is served, Tumblr inserts an iframe pointing to a page on the subdomain assets.tumblr.com, containing a suitably coloured 'like' button.

Image

There may be other objects loaded by Tumblr from assets.tumblr.com in a similar way.

Additionally, Tumblr usually adds a few buttons at the top right corner of any Tumblr blog, such as a link to the Tumblr homepage, a 'follow' button that changes depending on whether the user is following the blog, or, if the user owns the blog, buttons to open the page editor and change the blog settings. This is also usually implemented with an iframe to https://www.tumblr.com/dashboard/iframe with some parameters.

Image

I believe the reason there are so many XSS warnings is that one is immediately produced for every 'like' button the page loads and added to a stack of pending warnings, and my 'allow all' click does not automatically dismiss the pending warnings. If I visit the same Tumblr site again later having clicked the 'allow all' button, there is no problem.

It would be helpful to be able to add a rule to allow all /https?:\/\/[a-z]+\.tumblr\.com/ sites to load resources from www.tumblr.com and assets.tumblr.com, but I haven't been able to work out where to put that kind of exception rule in the WebExtension version of NoScript. It would also be helpful to add that rule to NoScript itself, so that other Tumblr users can benefit.

Re: Repeated XSS false positives on Tumblr sites

Post by parry.lost »

I get the same pop-up on Tumblr sites, and the same issue with several identical dialogue boxes being spawned, and my "always allow" or "always block" selection being ignored! I'm not really techy enough to follow the technical side of the discussion, but here is my own screenshot. Note I already set Tumblr itself to be "allowed" with NoScript.

Image

Re: Repeated XSS false positives on Tumblr sites

Post by onigami »

Yeah, I've been getting these false positives as well, often for the very same "suspicious data" (i.e., window.name). It's frustrating to view these pages. Is there anything being done to address these false positives?

Re: Repeated XSS false positives on Tumblr sites

Post by Giorgio Maone »

You're right, the problem is multiple parallel requests triggering the filter for the same reason at once, and their prompts being enqueued all together before a response is given.
I'm trying to fix it by serializing the prompts so that if you dismiss the first (either by allowing or blocking), all those referring to the same "rule" get cancelled as well.
Hopefully this will be in the next release, thank you.
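As an added illustration of the two points above (canmom's description of a blog page spawning many assets.tumblr.com and www.tumblr.com iframes at once, and Giorgio's proposed fix of serializing the prompts and answering every pending warning for the same rule with the first decision), here is example code written for this page; it is not NoScript's own implementation. The rule key (source origin to destination origin), the `askUser` callback, the `TUMBLR_RULE` shape that encodes the wildcard exception canmom asks for, and the like-button and dashboard URLs are all assumptions constructed for the demo.

```javascript
'use strict';

// Added example, not NoScript code: a prompt queue that serializes XSS-filter
// warnings and resolves every pending warning for the same
// (source origin -> destination origin) rule with the first answer the user gives.

function ruleKey(sourceUrl, destUrl) {
  // The user's decision ("always allow requests from abc.tumblr.com to
  // assets.tumblr.com") is per origin pair, so that pair is the queue key.
  return `${new URL(sourceUrl).origin}->${new URL(destUrl).origin}`;
}

// Static rule of the kind canmom asks for (assumed shape): any [a-z]+.tumblr.com
// blog may load from the two Tumblr hosts that serve its widgets.
const TUMBLR_RULE = {
  from: /^[a-z]+\.tumblr\.com$/,
  to: new Set(['www.tumblr.com', 'assets.tumblr.com']),
  answer: 'allow',
};

function matchStaticRule(rules, sourceUrl, destUrl) {
  const src = new URL(sourceUrl).hostname;
  const dst = new URL(destUrl).hostname;
  const hit = rules.find((r) => r.from.test(src) && r.to.has(dst));
  return hit ? hit.answer : null;
}

class PromptQueue {
  constructor(askUser, rules = []) {
    this.askUser = askUser;         // async (key, suspicious) => 'allow' | 'block'
    this.rules = rules;             // pre-seeded static rules, consulted first
    this.decisions = new Map();     // key -> answer remembered from a prompt
    this.pending = new Map();       // key -> promise of an answer being asked for
    this.chain = Promise.resolve(); // serializes prompts across different keys
    this.prompts = 0;               // how many dialogs the user actually saw
  }

  decide(sourceUrl, destUrl, suspicious) {
    const key = ruleKey(sourceUrl, destUrl);
    const fromRule = matchStaticRule(this.rules, sourceUrl, destUrl);
    if (fromRule) return Promise.resolve(fromRule);
    if (this.decisions.has(key)) return Promise.resolve(this.decisions.get(key));
    // Concurrent events for the same key share one prompt instead of each
    // enqueuing an identical dialog; this is the coalescing the thread asks for.
    if (this.pending.has(key)) return this.pending.get(key);
    const ask = async () => {
      this.prompts += 1;
      try {
        const answer = await this.askUser(key, suspicious);
        this.decisions.set(key, answer);
        return answer;
      } finally {
        this.pending.delete(key);
      }
    };
    const p = this.chain.then(ask);
    this.chain = p.catch(() => {}); // a failed prompt must not wedge the queue
    this.pending.set(key, p);
    return p;
  }
}

// Simulates one blog load (constructed input): twelve like-button iframes from
// assets.tumblr.com plus one dashboard iframe from www.tumblr.com, all flagged
// on the same "suspicious data" (window.name), followed by a later revisit.
async function simulateTumblrPage(askUser, rules = []) {
  const blog = 'https://abc.tumblr.com/';
  const q = new PromptQueue(askUser, rules);
  const inflight = [];
  for (let i = 0; i < 12; i += 1) {
    inflight.push(q.decide(blog, `https://assets.tumblr.com/svc/like_button?post=${i}`, 'window.name'));
  }
  inflight.push(q.decide(blog, 'https://www.tumblr.com/dashboard/iframe?tumblelog=abc', 'window.name'));
  const results = await Promise.all(inflight);
  const revisit = await q.decide(blog, 'https://assets.tumblr.com/svc/like_button?post=99', 'window.name');
  return { prompts: q.prompts, results, revisit };
}

// Stand-alone demo: a mock user allows the asset host and blocks the dashboard.
const mockUser = async (key) => (key.includes('assets.tumblr.com') ? 'allow' : 'block');
simulateTumblrPage(mockUser).then((r) =>
  console.log('prompts shown:', r.prompts, '| answers:', r.results.join(','), '| revisit:', r.revisit));
simulateTumblrPage(mockUser, [TUMBLR_RULE]).then((r) =>
  console.log('with the static Tumblr rule, prompts shown:', r.prompts));
```

Without the static rule the thirteen concurrent warnings collapse to two dialogs (one per origin pair) and the revisit asks nothing; with the wildcard rule pre-seeded, no dialog is shown at all. The `finally` is there so that a prompt that throws (for instance because the tab was closed under it, as Alcor reports below) does not leave a dead entry in `pending` that would block every later request for that key.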

Re: Repeated XSS false positives on Tumblr sites

Post by Giorgio Maone »

Please check latest development build, thanks.
v 10.1.6.3rc5
=============================================================
x Domain matching now treats unknown no-dot domains (not in
the public suffixes list) as TLDs everywhere (fix finally
not overwritten by auto-generated tld.js)
x Fixed rc4 regression causing synchronized changes not to be
persisted
x Smarter XSS popup behavior when reporting concurrent events
from/to the same origins

Re: Repeated XSS false positives on Tumblr sites

Post by Alcor »

Image

I've been on 10.1.6.3 stable for a while now and this kept happening just as described here: a string of these popups one after another, with a few still persisting if I close the page before disposing of the popup, which is what I've been doing for a bit now (because, well, it's quicker to click through 3-5 popups than 10-12). There's an additional bonus that started happening out of nowhere recently: every now and then Firefox would outright completely crash whenever I closed the tab with the "problematic" site first and then tried to get rid of the popups.

If it's fixed in one of the dev builds, well...

Image

Can't tell what exactly triggers the crash, because it doesn't happen every time (the most recent time I also had a second browser window open with a YouTube video playing, the one before that might have been a similar case, but past that I don't trust my memory), but the XSS popup comes back every time.