XSS denial; after "top level...trusted", and "cascading", blank page

rlaggren
Posts: 9
Joined: Sat Feb 21, 2015 2:33 am

XSS denial; after "top level...trusted", and "cascading", blank page

Post by rlaggren »

I've used Noscript for many years. Normally set top level trusted and cascading. I have just seen behavior I did not expect, the first time ever for Noscript.

New install, led to some Noscript settings needing to be re-upped. But I don't think that actually relates. Just info. The _only_ Noscript settings I ever change are to set "top site trusted" and "cascading".

At the time, I'd been "surfing" for hours, dozens of other sites no problem. Then this baby produces behavior I have never seen before. It's a link from a google search in which all others in the list that I visited work fine.

https://www.google.com/url?sa=t&rct=j&q ... MgXN1M71-w

Started out with the big "fanged denial". I checked the Noscript options and made sure "top level trusted" and "cascade" were enabled. Truth tell, I don't for sure remember if they had already been set or not - I think not. However, next reload of the problem link, the "fanged denial" did not appear and all I get is a blank page. Checking Noscript again, I see that both "www.advisor..." and "advisor..." sites were set "Default". I would expect both to be set "Temp trusted".

I don't need this site much at the moment, so I'm just moving on (and not manually changing to "trusted" the settings Noscript assigns to this link which were "Default").

But this Noscript behavior is more important. It's not acting as I would expect. What's going on with this link?



Thanks for any info.
Rufus

Ah. To add:

Opensuse 15.1 64bit
Firefox 68.7
NoScript 11.0.24
Last edited by barbaz on Sun Apr 19, 2020 7:22 pm, edited 1 time in total.
Reason: kill board-generated link
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
barbaz
Senior Member
Posts: 10848
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS denial; after "top level...trusted", and "cascading", blank page

Post by barbaz »

I was able to reproduce the XSS warning -

Code:

NoScript detected a potential Cross-Site Scripting attack

from [...] to https://www.google.com.

Suspicious data:

Error: Timeout! DOS attack attempt?,(URL) https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&cad=rja&uact=8&ved=2ahUKEwiA-b3rhvXoAhWLKs0KHf0WBhkQFjAGegQIMRAB&url=https://www.admin-magazine.com/index.php/Articles/Backups-using-rdiff-backup-and-rsnapshot/(offset)/3&usg=AOvVaw3owc-k9CDDI4MgXN1M71-w

I'm also seeing this in Browser Console -

Code:

DataCloneError: The object could not be cloned. InjectionCheckWorker.js:77

Trying to navigate directly to https://www.admin-magazine.com/index.ph ... (offset)/3 produces the same result -

Code:

NoScript detected a potential Cross-Site Scripting attack

from [...] to https://www.admin-magazine.com.

Suspicious data:

Error: Timeout! DOS attack attempt?,(URL) https://www.admin-magazine.com/index.php/Articles/Backups-using-rdiff-backup-and-rsnapshot/(offset)/3

I think this is a false positive, i.e. no actual XSS here.

Looks like the XSS warning might not trigger if you go to https://www.admin-magazine.com/index.ph ... -rsnapshot and click the link from there to the page you're interested in.
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 10848
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS denial; after "top level...trusted", and "cascading", blank page

Post by barbaz »

rlaggren wrote: Sun Apr 19, 2020 6:50 pm Started out with the big "fanged denial". I checked the Noscript options and made sure "top level trusted" and "cascade" were enabled. Truth tell, I don't for sure remember if they had already been set or not - I think not. However, next reload of the problem link, the "fanged denial" did not appear and all I get is a blank page. Checking Noscript again, I see that both "www.advisor..." and "advisor..." sites were set "Default". I would expect both to be set "Temp trusted".
What did you do with the XSS dialog "fanged denial"?
rlaggren
Posts: 9
Joined: Sat Feb 21, 2015 2:33 am

Re: XSS denial; after "top level...trusted", and "cascading", blank page

Post by rlaggren »

> ...do with xss denial...

I clicked "ok" to deny. As it happens the above report is slightly wrong: The XSS denials did continue to pop up, but they did not display "on top" and thus I did not realize they had displayed. Only the first one displayed on top. I found 3 or 4 of them (tried the site various times) as separate windows when I opened the "stacked" panel icon looking for something else; I just clicked through "ok" to close the orphaned windows. This was after I had closed the offending tab.

Allowing for a false positive with the XSS criteria for whatever reason, why doesn't the top level site get set "temp trusted" and then cascade?


Thanks for your attention.
Rufus
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS denial; after "top level...trusted", and "cascading", blank page

Post by Giorgio Maone »

Fixed in latest dev build, thanks.

v 11.0.25rc1
============================================================
x [XSS] Fixed false positives and timeouts (thanks riaggren
for report)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
barbaz
Senior Member
Posts: 10848
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS denial; after "top level...trusted", and "cascading", blank page

Post by barbaz »

11.0.25rc1 looks good here

Two things -

1) The 11.0.25rc1 commits exist in https://github.com/hackademix/noscript, but are not showing up in master branch?

2) Is "uiid" meant to be "uuid"?
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS denial; after "top level...trusted", and "cascading", blank page

Post by Giorgio Maone »

barbaz wrote: Mon Apr 20, 2020 1:37 am 11.0.25rc1 looks good here
1) The 11.0.25rc1 commits exist in https://github.com/hackademix/noscript, but are not showing up in master branch?
Fixed, thanks.
barbaz wrote: Mon Apr 20, 2020 1:37 am 2) Is "uiid" meant to be "uuid"?
Yes, but that line wasn't even supposed to go in that commit. It was part of another development thread that had just begun (hence no error possible yet to signal the typo) which got committed by accident.
rlaggren
Posts: 9
Joined: Sat Feb 21, 2015 2:33 am

Re: XSS denial; after "top level...trusted", and "cascading", blank page

Post by rlaggren »

Thanks for the instant response. I am very glad to find a product like yours available to the "man in the street".

Hope all well with you folks.


Regards,
Rufus