XSS is being overly blocked, FAQ gives outdated info on fixing it

LockeZ
Posts: 2
Joined: Sat Jul 25, 2020 11:37 am

XSS is being overly blocked, FAQ gives outdated info on fixing it

Post by LockeZ »

So I'm trying to get embedded Twitter videos to work on the web-based version of Discord. Currently, when I click them, instead of playing the video, the entire embedded object just vanishes. I assume this is an XSS issue, since I have discord.com, twitter.com, and every other page that shows up in NoScript whitelisted. Cross-site embedded content on many other websites, especially movies, also fails to function.

I'm trying to go through the steps listed in the official NoScript FAQ and it says:

4.4 Q: Can I bypass Anti-XSS filters for certain web pages?
A: If you're a bit of the "geek" type, you know regular expressions and you're very confident the target web page is immune to XSS vulnerabilities, you can tweak the NoScript Options|Advanced|XSS|Anti-XSS Protection Exceptions rules, i.e. a list of regular expressions (one on each line) used to identify web addresses which you deem do not need to be protected against XSS.

4.5 Q: Can I turn off the Anti-XSS protection?
A: Even if it's not recommended for daily usage, temporarily disabling the Anti-XSS protection may be useful, e.g. for testing purposes if you're a security researcher hunting for XSS vulnerabilities. To do that, you just need to open NoScript Options|Advanced and toggle the cross-site restrictions preferences.

But of course, in the current version of NoScript, there are no XSS options listed under Options|Advanced except for "Sanitize cross-site suspicious requests" and a button to clear all my XSS blacklisted/whitelisted sites. There certainly isn't an entire XSS sub-menu. As far as I can tell there is no way to disable NoScript's XSS filtering, either per-site or at all, except to completely disable NoScript. The FAQ and Features pages also mention some about:config preferences that can be edited to mess with XSS settings, but the current version of NoScript doesn't have any about:config preferences. Searching for "noscript" in about:config yields zero results.

So how do I get this kind of cross-site content working in the current version of NoScript? And also, is the developer likely to see this post and update the FAQ and Features pages, or should I file a bug report somewhere about the outdated website info?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
barbaz
Senior Member
Posts: 11068
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS is being overly blocked, FAQ gives outdated info on fixing it

Post by barbaz »

If the problem were possible XSS, NoScript would be prompting you asking what to do, unless you made a previous explicit choice to always block or always allow.

Does it work if you "Disable restrictions for this tab" in NoScript?
LockeZ wrote (Sat Jul 25, 2020 11:51 am): "also, is the developer likely to see this post and update the FAQ and Features pages, or should I file a bug report somewhere about the outdated website info?"
That FAQ is for NoScript Classic. New documentation needs to be written for NoScript Webext. The developer is well aware of this.
*Always* check the changelogs BEFORE updating that important software!
-
LockeZ
Posts: 2
Joined: Sat Jul 25, 2020 11:37 am

Re: XSS is being overly blocked, FAQ gives outdated info on fixing it

Post by LockeZ »

It's possible I did, but if so I don't know where to see that list. There's a button to clear all XSS choices, but since it includes many years' worth of manual entries I'd rather not do that. Can the list be viewed/edited somehow? The per-site permissions tab in my NoScript options is grayed out and can't be clicked on.

Disabling restrictions on this tab seems to allow these websites to work, just like disabling restrictions globally does.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
barbaz
Senior Member
Posts: 11068
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS is being overly blocked, FAQ gives outdated info on fixing it

Post by barbaz »

LockeZ wrote (Sat Jul 25, 2020 7:21 pm): "There's a button to clear all XSS choices, but since it includes many years' worth of manual entries I'd rather not do that. Can the list be viewed/edited somehow?"
Not easily, but yes - viewtopic.php?f=7&t=25882

LockeZ wrote (Sat Jul 25, 2020 7:21 pm): "The per-site permissions tab in my NoScript options is grayed out and can't be clicked on."
That happens when you have "Disable restrictions globally" on.

LockeZ wrote (Sat Jul 25, 2020 7:21 pm): "Disabling restrictions on this tab seems to allow these websites to work,"
How have you configured your Trusted preset? (NoScript Options > General > TRUSTED)
*Always* check the changelogs BEFORE updating that important software!
-