(S) v10: XSS Warning - Suspicious data and (URL) https://git

[fenix]

Hello.

Firstly, I would like to notice, that there will be two questions but both are related with one issue.

A couple of days ago, I wanted to check some MuPDF commits. On May, 16. a few vulnerabilities has been discovered etc. However, clicking on a link with git in address, resulted in NoScript's XSS Warning window. Here is an example of such link: https://git.example.com - it seems, that this form of website address is responsible for mentioned XSS window. Here is a window, that appears when I click on the link with git:

Code: Select all

NoScript XSS Warning

NoScript detected a potential Cross-Site Scripting attack
from https://lwn.net to https://git.ghostscript.com.
Suspicious data:
(URL) https://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=b03def134988da8c800adac1a38a41a1f09a1d89

		    (o) Block this request
		    (  ) Always block document requests from https://lwn.net to https://git.ghostscript.com
		    (  ) Allow this request
		    (  ) Always allow document requests from https://lwn.net to https://git.ghostscript.com

				    [ OK ]

I'm sorry, but unfortunately, I cannot attach a screenshot. Here are some links to reproduce this issue. Let's see:

✗ https://git.ghostscript.com/?p=mupdf.gi ... 6e7eb969ec
✗ https://git.ghostscript.com/?p=mupdf.gi ... a1f09a1d89
✗ https://git.ghostscript.com/?p=mupdf.gi ... ad11763384

XSS Warning window appears when: 1/ User click on a link directly from the website on which these links are located (see NoScript XSS Warning window above[/i]) and 2/ User paste one of the above link directly in the Firefox address bar.

So, is this normal, that it is impossible to open such websites/links without XSS Warning window? Is this a bug?

By the way: there is also one more thing related with XSS Warning window. I have no idea when it started to happen, maybe it was always there? So, it is about Firefox title bar and XSS Warning window. When such warning window is displayed, we can notice that NoScript is repeated twice. Because I can not paste screenshot, I will show how it looks like via <code></code> tag:

Code: Select all

moz-extension://string-of-letters-and-numbers - NoScript NoScript XSS Warning - Mozilla Firefox

Mr Giorgio: can you make one of the NoScript to disappear? If Firefox adds one NoScript, because of moz-extension string, maybe You can make some changes, for example, in:

✓ ns.log('NoScript XSS Warning');
✓ msg = "NoScript XSS Warning"

And remove NoScript, so it would not be shown twice etc. But these are just my loose thoughts...

Thanks, best regards.

[Giorgio Maone]

It is a false positive, due to the URL structure accidentally triggering a "multiple assignment with dot notation" rule in a syntactically valid JavaScript fragment:

Code: Select all

[NoScript] [InjectionChecker]  JavaScript Injection in ///?p=mupdf.git;a=commitdiff;h=3e30fbb7bf5efd88df431e366492356e7eb969[url=https://developer.mozilla.org/en/Browser Console]Browser Console (Ctrl+Shift+J)[/url]
(function anonymous(
) {
p=mupdf.git;a=commitdiff /* COMMENT_TERMINATOR */
DUMMY_EXPR
})

I'm not quite sure if I can make this more specific / less sensitive without introducing false negatives, but I'll try.

In the meanwhile you could select the "Allow all document requests from lwn.net to git.ghostscript.com" box, if you trust either lwn.net not to be malicious, git.ghostscript.com not to be vulnerable to XSS or, even better, both.

Regarding your second observation, yes, if "NoScript" gets automatically added to the title of windows constaining its moz-extensions: URL removing some redundancy is a good idea.

[fenix]

Hello.

Thank You for an answer and for the explanation of this issue, Mr Maone. You've written, that I could select the "Allow all document requests from lwn.net to git.ghostscript.com" box, right? However, as we can see there is not an option to - mentioned by You - "Allow all document..." on the XSS Warning window etc. Instead, there is an option to "Always allow document... - an Always word is very important here, in such situation, because it means to always allow such requests, right?

And in light of what You've written: "if you trust either lwn.net not to be malicious, git.ghostscript.com not to be vulnerable to XSS, the "Always allow" option seems to not be a very good choice etc.

Is that a small mistake and you wanted to write: "In the meanwhile you could select the "Always allow all document requests..."? I want to remind that XSS Warning window offers an option to "Always allow..." and not "Allow all..." and so on.

Anyway, I will wait for You while You will be trying to make this more specific, less sensitive etc. Thanks for noticing the second question. It seems, that if NoScript is really adding one word, then removing it should solved this issue.

Thanks, best regards.

[Giorgio Maone]

Always word is very important here, in such situation, because it means to always allow such requests, right?

Yes, my bad, I did paraphrase "Always allow document requests etc." into "Allow all document requests etc.", even though I'm not sure the difference in meaning is that much.

[fenix]

Hello.

Okay, I understand. However, according to your words: "I'm not sure the difference in meaning is that much" - I think the difference in meaning is important because if User will trust some website, let say example.com and he will choose "Always allow document..." in XSS Warning window during viewing/surfing on such a website and - in the meantime - website gets hacked and will be vulnerable e.g. to XSS attacks etc., then always allowing document requests (choosing by an User earlier) from example.com seems to be not secure.

But maybe I'm wrong and I don't understand this. Anyway, NoScript will remember User choice, right? And that's is the reason why "Clear XSS Choices" is available via Advanced tab?

No matter what, I will wait for You and your work on this issue :- )

Thanks, best regards.

[Giorgio Maone]

. Anyway, NoScript will remember User choice, right? And that's is the reason why "Clear XSS Choices" is available via Advanced tab?

Exactly.

[fenix]

Hello.

So, maybe there should be an option to "Allow allow document requests..." instead of "Always allow document requests..."? I'm thinking about reasons mentioned in my previous post: if User will always allow requests and, in the meantime, website gets hacked there could be problems on User next visit etc. But maybe I'm wrong. Anyway, there can be also an option to "Remember" User choice available in XSS Warning window. For example:

Code: Select all

NoScript XSS Warning

[...]

          (o) Block this request
          (  ) Block document requests from https://lwn.net to https://git.ghostscript.com
          (  ) Allow this request
          (  ) Allow document requests from https://lwn.net to https://git.ghostscript.com

          (x) Remember my choice      [ OK ]

Above in an example of NoScript XSS Warning window with an option to remember User setting for website with a potential Cross-Site Scripting attack etc. Personally, I would like to have a choice to not always allow requests from websites. Just as it's in above example.

Thanks, best regards.

[fenix]

I'm sorry for writing post by post.

I just want to write, that "Remember my choice" (or there can be "setting" etc.) is for User who want to always allow request from a website and for User who don't. Of course, it shouldn't be checked by default. If User will decide, that he trust website and always want a requests then he can use this option. And now, User have a choice.

I think such an option, could give User more - let say - control over similar requests and situations etc. Always allowing, give no such a choice and control. But that's just my opinion.

Thanks.