Firstly, I would like to note that there will be two questions, but both are related to one issue.
A couple of days ago, I wanted to check some MuPDF commits. On May 16, a few vulnerabilities were discovered, etc. However, clicking on a link with git in the address resulted in NoScript's XSS Warning window. Here is an example of such a link: https://git.example.com - it seems that this form of website address is responsible for the mentioned XSS window. Here is the window that appears when I click on the link with git:
NoScript XSS Warning
NoScript detected a potential Cross-Site Scripting attack
from https://lwn.net to https://git.ghostscript.com.
Suspicious data:
(URL) https://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=b03def134988da8c800adac1a38a41a1f09a1d89
(o) Block this request
( ) Always block document requests from https://lwn.net to https://git.ghostscript.com
( ) Allow this request
( ) Always allow document requests from https://lwn.net to https://git.ghostscript.com
[ OK ]
I'm sorry, but unfortunately, I cannot attach a screenshot. Here are some links to reproduce this issue. Let's see:
✗ https://git.ghostscript.com/?p=mupdf.gi ... 6e7eb969ec
✗ https://git.ghostscript.com/?p=mupdf.gi ... a1f09a1d89
✗ https://git.ghostscript.com/?p=mupdf.gi ... ad11763384
The XSS Warning window appears when: 1/ The user clicks on a link directly from the website on which these links are located (see the NoScript XSS Warning window above) and 2/ The user pastes one of the above links directly into the Firefox address bar.
So, is it normal that it is impossible to open such websites/links without the XSS Warning window? Is this a bug?
By the way: there is also one more thing related to the XSS Warning window. I have no idea when it started to happen; maybe it was always there? So, it is about the Firefox title bar and the XSS Warning window. When such a warning window is displayed, we can notice that NoScript is repeated twice. Because I cannot paste a screenshot, I will show what it looks like via the <code></code> tag:
moz-extension://string-of-letters-and-numbers - NoScript NoScript XSS Warning - Mozilla Firefox
Mr Giorgio: can you make one of the NoScript disappear? If Firefox adds one NoScript because of the moz-extension string, maybe you can make some changes, for example, in:
✓ ns.log('NoScript XSS Warning');
✓ msg = "NoScript XSS Warning"
And remove NoScript, so it would not be shown twice, etc. But these are just my loose thoughts...
Thanks, best regards.