XSS - ebay - new delivery manager

STB2008

Post by STB2008 »

When I try to use the new delivery manager in ebay, I get the following error messages:

[NoScript] Blocking cross site Javascript served from https://securepics.ebaystatic.com/aw/pi ... -1_2_6.txt with wrong type info text/plain and included by https://versand.ebay.de/druck/plp/data/vp_choose

I already tried with these

regexp
[.]*ebay.de[.]*
[.]*securepics.ebaystatic.com[.]*

to get everything from ebay without XSS-blocking, but it does not work; even disabling XSS does not work. Only disabling noscript in Firefox.

Thanks
Stephan
Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: XSS - ebay - new delivery manager

Post by Tom T. »

Saw this post was four weeks old, and unanswered. Are you still here, and do you still have the problem?

If so, please update to the latest version of NoScript, and if the issue persists, let us know.

I'm sorry that this slipped through the cracks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
SmallAl

Re: XSS - ebay - new delivery manager

Post by SmallAl »

Tom T. wrote: Saw this post was four weeks old, and unanswered. Are you still here, and do you still have the problem?

If so, please update to the latest version of NoScript, and if the issue persists, let us know.

I'm sorry that this slipped through the cracks.
:cry:

Yes it is still actual - last "working" Version was 1.9.5 - beginning with 1.9.6.8 it is blanked ... :?
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS - ebay - new delivery manager

Post by Giorgio Maone »

Please check latest development build 1.9.9.16.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
henry

Re: XSS - ebay - new delivery manager

Post by henry »

The ebay new delivery manager still does not work when noscript is enabled.
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
MafiaWarsAddict

Re: XSS - ebay - new delivery manager

Post by MafiaWarsAddict »

I am having the same issue trying to use bookmarklets with mafiawars on facebook.

Error that I get is the following.

[NoScript] Blocking cross site Javascript served from http://arun-nav.yolasite.com/resources/Racketeer.txt?0.5979023623252397 with wrong type info text/plain and included by http://mwfb.zynga.com/mwfb/remote/html_server.php?xw_controller=racket&xw_action=view&xw_city=&tmp=c5ac0f9813557d81c03661c318b81717&cb=0&skip_req_frame=1&sf_xw_user_id=100000362232653&sf_xw_sig=70ed54b54c1fb39a143169c4c1d8fe2d
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS - ebay - new delivery manager

Post by Giorgio Maone »

Which bookmarklet, exactly?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
MafiaWarsAddict

Re: XSS - ebay - new delivery manager

Post by MafiaWarsAddict »

It's one written by a friend on the Top Mafia Disabled site. Called the Racketeer. Used so you don't have to monitor your rackets. Right now it only does truckers, but those are the most important. Basically just keeps an eye on rackets page, collects ready rackets and shakes down truckers.

FF is latest and just updated noscript to 1.9.9.30

In talking to the dev, I asked him if it was a content-type issue as he is trying to send .txt, but his host won't let him send .js w/o a premium membership which he wants to avoid.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS - ebay - new delivery manager

Post by Giorgio Maone »

MafiaWarsAddict wrote: In talking to the dev, I asked him if it was a content-type issue as he is trying to send .txt, but his host won't let him send .js w/o a premium membership which he wants to avoid.

It's a content type issue, indeed: NoScript checks if 3rd party scripts are served with the correct mimetype (i.e. text/javascript or application/x-javascript), in order to prevent abuse of services (like Google) which allow uploading of textual resources.
The best, safest and most compatible option would be serving the script with the correct mimetype, but since he already said he won't, you can work around it by adding "http://arun-nav.yolasite.com/resources/Racketeer.txt?*" (without quotes) to the noscript.inclusionTypeChecking.exceptions about:config preference.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
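
The inclusion type check described in the reply above, as an added example that is not part of the original thread and is not NoScript's own code. It is a simplified model: the function names, the "last two host labels" site comparison and the glob semantics of the exception list (only `*` is a wildcard) are assumptions made for illustration.

```javascript
// Simplified model of a third-party script type check (not NoScript's source).
// Script mimetypes named in the thread.
const SCRIPT_TYPES = new Set(["text/javascript", "application/x-javascript"]);

// Assumption: "site" is the last two host labels. A real implementation
// would consult the Public Suffix List (e.g. for hosts under co.uk).
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Assumption: exceptions are globs where "*" matches any run of characters
// and every other character, including "?", is literal.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Returns a verdict string for one <script src> inclusion.
function checkInclusion(scriptUrl, contentType, includerUrl, exceptions = []) {
  // Drop parameters such as "; charset=UTF-8" before comparing.
  const mime = (contentType || "").split(";")[0].trim().toLowerCase();
  if (siteOf(scriptUrl) === siteOf(includerUrl)) return "allow: same site";
  if (SCRIPT_TYPES.has(mime)) return "allow: script mimetype";
  if (exceptions.some((g) => globToRegExp(g).test(scriptUrl))) {
    return "allow: exception";
  }
  return "block: wrong type " + (mime || "(none)");
}

// Sample run using the script URL from the thread; the includer URL is
// shortened and the response headers are constructed for this example.
function demo() {
  const includer = "http://mwfb.zynga.com/mwfb/remote/html_server.php";
  const script =
    "http://arun-nav.yolasite.com/resources/Racketeer.txt?0.5979023623252397";
  const exception = "http://arun-nav.yolasite.com/resources/Racketeer.txt?*";
  return [
    checkInclusion(script, "text/plain", includer),
    checkInclusion(script, "text/plain", includer, [exception]),
    checkInclusion(script, "text/javascript; charset=UTF-8", includer),
  ];
}

console.log(demo().join("\n"));
```

A narrow exception such as the full path plus `?*` re-enables only that one resource; a host-wide glob would also re-enable any other text file that host serves.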
MafiaWarsAddict

Re: XSS - ebay - new delivery manager

Post by MafiaWarsAddict »

Worked like a champ. Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
DAC324
Posts: 3
Joined: Fri Jan 29, 2010 10:45 am

Re: XSS - ebay - new delivery manager

Post by DAC324 »

henry wrote: The ebay new delivery manager still does not work when noscript is enabled.

Confirmed here. I even added an exception for https://securepics.ebaystatic.com/* in noscript.inclusionTypeChecking.exceptions in about:config, but that did not help either. The error message in the console is gone but NoScript still blocks the delivery manager.

Kind regards,
DAC324
Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.9.2) Gecko/20100115 Firefox/3.0