[Fixed] 11.0.14rc1 Strange XSS warning on youtube

barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

[Fixed] 11.0.14rc1 Strange XSS warning on youtube

Post by barbaz »

Had a Youtube video playing in a background instance of Firefox 73.0.1, and this message popped up out of nowhere -

NoScript detected a potential Cross-Site Scripting attack

from https://www.youtube.com to https://accounts.google.com.

Suspicious data:

Error: Timeout! DOS attack attempt?,(URL) https://accounts.google.com/ServiceLogin?continue=https://www.youtube.com/signin?next=%2Fsignin_passive&action_handle_signin=true&feature=passive&hl=en&app=desktop&passive=true&uilel=3&hl=en&service=youtube
I just hit the "X" in the OS window controls. This is likely a false positive, and I block that request elsewhere anyway.

This seems to happen on every Youtube video.
*Always* check the changelogs BEFORE updating that important software!
-
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: 11.0.14rc1 Strange XSS warning on youtube

Post by Giorgio Maone »

Are you signed in to your Google account while browsing Youtube?
Does it happen also on a clean profile without any other extension?
Thanks!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

Re: 11.0.14rc1 Strange XSS warning on youtube

Post by Giorgio Maone »

Never mind, I can see what's happening. Gonna fix it in the next release, thanks!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

Re: 11.0.14rc1 Strange XSS warning on youtube

Post by Giorgio Maone »

Giorgio Maone wrote: Sun Mar 01, 2020 6:34 am
Are you signed in to your Google account while browsing Youtube?
Does it happen also on a clean profile without any other extension?
Thanks!

On second thought, since there are at least two causes I can imagine for this to happen, with different (and possibly quite difficult) solutions, could you please answer those two questions anyway?
Thank you.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

Re: 11.0.14rc1 Strange XSS warning on youtube

Post by barbaz »

Giorgio Maone wrote: Sun Mar 01, 2020 6:34 am
Are you signed in to your Google account while browsing Youtube?

no

Giorgio Maone wrote: Sun Mar 01, 2020 6:34 am
Does it happen also on a clean profile without any other extension?

It doesn't seem to. But it does happen if I also install uBlock Origin and add a custom filter that blocks that google frame.

EDIT
The following STR should get it consistently starting from a clean profile:

1) install uBlock Origin from AMO, install NoScript 11.0.14rc1

2) uBlock Origin > Dashboard, check 'I am an advanced user'

3) in uBlock Origin advanced settings, set "cnameUncloak" to false

4) add this custom filter to uBlock Origin -

||google.com^$domain=youtube.com
5) visit a youtube video page and play the video, put Firefox window in background, and wait.
*Always* check the changelogs BEFORE updating that important software!
-

Re: 11.0.14rc1 Strange XSS warning on youtube

Post by Giorgio Maone »

Please check latest dev build, thanks.
v 11.0.15rc1
============================================================
x Fixed CapsCSP bug allowing data: URLs to bypass font
blocking (thanks dcent and skriptimaahinen)
x [XSS] Prevent DOS detection from being triggered for
already aborted requests (thanks therube)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
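
Added example, not part of the thread and not NoScript's code: a simplified model of the false positive named in the 11.0.15rc1 changelog entry above, where a check on a request that another blocker has already aborted is left pending until the timeout warning fires. The class, its method names, the timeout value and the second URL are assumptions made for illustration.

```javascript
// Hypothetical model, not NoScript's implementation: a watchdog that flags
// XSS checks still pending after TIMEOUT_MS as a possible DoS attempt.
const TIMEOUT_MS = 20000; // assumed value, for illustration only

class XssCheckWatchdog {
  constructor({ skipAborted }) {
    this.skipAborted = skipAborted; // false = pre-fix behaviour, true = fixed
    this.pending = new Map();       // requestId -> { url, startedAt, aborted }
  }
  // A cross-site request entered the filter and its check is now running.
  start(requestId, url, now) {
    this.pending.set(requestId, { url, startedAt: now, aborted: false });
  }
  // The check completed normally.
  finish(requestId) {
    this.pending.delete(requestId);
  }
  // The request was cancelled (for example by another blocker's filter).
  abort(requestId) {
    const entry = this.pending.get(requestId);
    if (!entry) return;
    if (this.skipAborted) this.pending.delete(requestId);
    else entry.aborted = true; // still tracked, so it will "time out" later
  }
  // Returns the URLs that would trigger the timeout warning at time `now`.
  sweep(now) {
    const flagged = [];
    for (const [id, entry] of this.pending) {
      if (now - entry.startedAt >= TIMEOUT_MS) {
        flagged.push(entry.url);
        this.pending.delete(id);
      }
    }
    return flagged;
  }
}

// Constructed scenario: one request is aborted right away, one check hangs.
function simulate(skipAborted) {
  const w = new XssCheckWatchdog({ skipAborted });
  w.start(1, "https://accounts.google.com/ServiceLogin", 0);
  w.start(2, "https://slow.example/check", 0);
  w.abort(1);             // blocked elsewhere, so no result will ever arrive
  return w.sweep(TIMEOUT_MS + 1);
}

console.log("before fix:", simulate(false));
console.log("after fix: ", simulate(true));
```

In this model the check that really hangs is still reported after the fix; only the aborted request stops producing a warning.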

Re: 11.0.14rc1 Strange XSS warning on youtube

Post by barbaz »

That looks to have fixed it. Thanks Giorgio!

Giorgio Maone wrote: Sun Mar 01, 2020 9:32 pm
x [XSS] Prevent DOS detection from being triggered for
already aborted requests (thanks therube)

(I'm not therube. :P )
*Always* check the changelogs BEFORE updating that important software!
-

Re: 11.0.14rc1 Strange XSS warning on youtube

Post by Giorgio Maone »

barbaz wrote: Sun Mar 01, 2020 9:47 pm
(I'm not therube. :P )

Sooo sorry, gonna fix it in stable release :)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0