Hi forum friends,
I went here: http://popwatch.ew.com/2009/10/14/john- ... nniversar/
I saw this in the error console:
Error: [Exception... "'NoScript aborted redirection to http://img2-short.timeinc.net/ew/static ... .js?ver=MU' when calling method: [nsIChannelEventSink::onChannelRedirect]" nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "<unknown>" data: no]
====================
[NoScript] Potential cross-site E4X hijacking detected and blocked (http://www.ew.com/ew/js/main/0,,,00.js?ver=MU)
The site, that one at popwatch, gives me a Ghostery alert for 6 trackers, yes 6...
AddThis
QuantCast
Quigo AdSonar
Revenue Science
Tacoda
Wordpress Stats
RequestPolicy reports a secret link from Wordpress.com to TimeInc.net
Just was curious enough to look under the hood, found this as background info:
http://www.thespanner.co.uk/2009/02/24/ ... hijacking/
luntrus
What is a cross-site E4X hijacking attack?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090929 Minefield/3.7a1pre
- Giorgio Maone
- Site Admin
Re: What is a cross-site E4X hijacking attack?
E4X support may theoretically be exploited to read the content of XHTML documents cross-domain by using a <script> element, violating the same domain policy.
Therefore NoScript blocks any markup document being loaded as a script.
In this case, though, this feature has been triggered because the original script request has been redirected using a non-empty XHTML response, instead of just the header.
This is not a correct behavior by the server, IMHO, however I'm changing hijack checks to work on final non-error responses only (i.e. 2xx status codes), rather than trigger on error or redirection pages like in this case.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
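A simplified model of the check change described in the reply above, added here as an illustration and not taken from NoScript's source: the old rule flags a markup body on any response in a script load's chain, the revised rule only on the final 2xx response. Function names, hosts and sample responses are constructed.

```javascript
// Added illustration, not NoScript's source. All names and sample data are constructed.

// Heuristic: does the body open like a markup document (XML prolog, doctype, comment, element)?
function looksLikeMarkup(body) {
  const text = body.replace(/^\uFEFF/, "").trimStart();
  return /^<(\?xml|!DOCTYPE|!--|[A-Za-z][\w:.-]*[\s>\/])/i.test(text);
}

function isCrossSite(pageOrigin, url) {
  return new URL(url).origin !== pageOrigin;
}

// chain: responses seen for one <script> load, in order; the last entry is the final response.
// Old behaviour: a markup body on any hop (redirect or error pages included) triggers the block.
function oldCheck(pageOrigin, chain) {
  return chain.some(r => isCrossSite(pageOrigin, r.url) && looksLikeMarkup(r.body));
}

// Revised behaviour: only the final response is inspected, and only if its status is 2xx.
function newCheck(pageOrigin, chain) {
  const last = chain[chain.length - 1];
  if (!last) return false;
  const success = last.status >= 200 && last.status < 300;
  return success && isCrossSite(pageOrigin, last.url) && looksLikeMarkup(last.body);
}

const PAGE = "http://blog.example.test"; // constructed page origin

// The situation in this thread: a redirect that carries an XHTML body, then the real script.
const redirectedScript = [
  { url: "http://www.example.test/js/main.js", status: 302,
    body: '<?xml version="1.0"?>\n<html xmlns="http://www.w3.org/1999/xhtml"><body>Moved</body></html>' },
  { url: "http://static.example.test/js/main.js", status: 200, body: "var tracker = {};" },
];

// What the check exists for: an XHTML document returned as the final 200 of a script load.
const markupAsScript = [
  { url: "http://mail.example.test/inbox", status: 200,
    body: '<html xmlns="http://www.w3.org/1999/xhtml"><body><p>private</p></body></html>' },
];

console.log(oldCheck(PAGE, redirectedScript), newCheck(PAGE, redirectedScript)); // true false
console.log(oldCheck(PAGE, markupAsScript), newCheck(PAGE, markupAsScript));     // true true
```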