RequestWatchdog.js hangs (trusted -> trusted)

skl
Posts: 2
Joined: Fri Sep 18, 2009 9:26 am

Post by skl »

Hello,

The following really annoying behavior is shown by NoScript (at least here):

1. On a fresh session, go to the site https://testsp2.aai.dfn.de/
2. Mark dfn.de as trusted (trust me, they can be trusted ...)
3. Choose one of the "Shibboleth-geschützte Seiten"
4. On the wayf-Server, choose "DFN Test-IdP 2.x"
5. On the following site, enter staffuser/staffuser as username/password

After hitting the login button, Firefox hangs and a message box appears reporting the non-responding script.

This behavior is reproducible on different machines, also on fresh setups.

A second issue, which appears after fiddling with this first problem, is the false-positive XSS alarm if I trust the SP site but not the IdP.


Regards

skl
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090803 Ubuntu/9.04 (jaunty) Shiretoko/3.5.2
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: RequestWatchdog.js hangs (trusted -> trusted)

Post by Giorgio Maone »

For the "unresponsive issue", please check the latest development build, 1.9.8.89.
Regarding the XSS warning, could you post here the exact message you get logged as a [NoScript XSS] line in Tools|Error Console?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
skl
Posts: 2
Joined: Fri Sep 18, 2009 9:26 am

Re: RequestWatchdog.js hangs (trusted -> trusted)

Post by skl »

Hello,

Thank you for this immediate response and, much better, this immediate solution.

As for my second problem: I don't know if this behavior is intended, but using the scenario above while now trusting only the site https://testsp2.aai.dfn.de, I get the following error (in German):
[NoScript XSS] Ein verdächtiger Upload zu [https://testsp2.aai.dfn.de/Shibboleth.sso/SAML2/POST] von [https://testidp2.aai.dfn.de/idp/Authn/UserPassword] wurde bereinigt und in eine GET-Anfrage (nur Download) umgewandelt.
If I don't trust the SP either, everything works fine (no XSS warning). As far as I understand it, NoScript wants to block the injection of JS code, but the base64-encoded string only contains the SAML response.

Regards

skl
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090803 Ubuntu/9.04 (jaunty) Shiretoko/3.5.2
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: RequestWatchdog.js hangs (trusted -> trusted)

Post by Giorgio Maone »

Do you mean that it happens only if the destination is trusted but the origin is not?
Then it's by design: all the POST requests from untrusted to trusted are blocked, no matter the payload, as an additional anti-CSRF countermeasure provided by the XSS filter.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
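A simplified model of the rule described in the reply above, added here as an illustration (it is not NoScript's code and not part of the original thread). It shows why the SAML HTTP-POST step from the IdP to the SP loses its payload when only the SP is trusted. `isTrusted`, `filterRequest`, the request object shape and the trust-list format are hypothetical, and the `SAMLResponse` value is constructed.

```javascript
// Trust entries are either a full origin ("https://host") or a bare domain
// that also covers its subdomains (assumed format for this sketch).
function isTrusted(url, trusted) {
  const u = new URL(url);
  return trusted.some((entry) =>
    entry.includes('://')
      ? u.origin === entry
      : u.hostname === entry || u.hostname.endsWith('.' + entry));
}

// Rule from the thread: a POST from an untrusted origin to a trusted
// destination is turned into a body-less GET, whatever the payload is.
function filterRequest(req, trusted) {
  const destTrusted = isTrusted(req.url, trusted);
  const originTrusted = isTrusted(req.origin, trusted);
  if (req.method === 'POST' && destTrusted && !originTrusted) {
    return { ...req, method: 'GET', body: null, rewritten: true };
  }
  return { ...req, rewritten: false };
}

// Constructed sample: the IdP login page auto-submits the assertion to the SP.
const samlPost = {
  method: 'POST',
  origin: 'https://testidp2.aai.dfn.de/idp/Authn/UserPassword',
  url: 'https://testsp2.aai.dfn.de/Shibboleth.sso/SAML2/POST',
  body: {
    SAMLResponse: Buffer.from('<samlp:Response>...</samlp:Response>')
      .toString('base64'),
  },
};

// The three trust configurations that come up in the thread.
const scenarios = {
  'only SP trusted': ['https://testsp2.aai.dfn.de'],
  'dfn.de trusted (SP and IdP)': ['dfn.de'],
  'nothing trusted': [],
};

for (const [name, trusted] of Object.entries(scenarios)) {
  const out = filterRequest(samlPost, trusted);
  const delivered = out.body !== null && 'SAMLResponse' in out.body;
  console.log(`${name}: ${out.method}, SAMLResponse delivered: ${delivered}`);
}
```

In the "only SP trusted" case the SP's assertion consumer endpoint receives a GET with no `SAMLResponse`, so the login cannot complete until the IdP origin is trusted as well.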