I see an alert from noscript whenever I view a stock chart page in google finance.
An example of the message in the error console:
[NoScript XSS] Sanitized suspicious request. Original URL [http://ad-g.doubleclick.net/adi/com.gf. ... google.com] requested from [http://www.google.com/finance?q=NASDAQ:AAPL]. Sanitized URL: [http://ad-g.doubleclick.net/adi/com.gf. ... 9999999999].
I guess this means that though I'm viewing http://www.google.com/finance_bla_bla noscript is telling me that info is really being sent to/received from ad-g.doubleclick.net_bla_bla
This occurs with noscript 1.9.9.42 and has occurred in the last few versions.
My questions are:
1. Seems odd to me that a warning shows up since my hosts file redirects ad-g.doubleclick.net to 127.0.0.1 anyways. Could this trigger the warning or is it irrelevant to noscript?
2. Google finance is a major site and we know that many sites use doubleclick and try to load in advertising or tracking and it is not necessarily malicious, just annoying--so might this be something that can be cleared up in a noscript update?
3. Or should it be handled on a user basis with an exception? I am a newbie here, but I had a go: adding a noscript "Anti-XSS Exception" of
^http://www.google.com/finance.... didn't help, but specifying this
^http://ad-g.doubleclick.net
does stop the warning messages. Is that a sensible regex exception to use?
I actually hate to grant an exception to anything named "doubleclick" since I'm not fond of lots of tracking.
Thank you.
marlow
[RESOLVED] google finance xss warning
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Giorgio Maone (Site Admin)
Re: google finance xss warning
marlow wrote: 1. Seems odd to me that a warning shows up since my hosts file redirects ad-g.doubleclick.net to 127.0.0.1 anyways. Could this trigger the warning or is it irrelevant to noscript?
XSS checks are performed before DNS resolution, therefore there's no way for NoScript to tell ad-g.doubleclick.net goes to 127.0.0.1.
marlow wrote: 2. Google finance is a major site and we know that many sites use doubleclick and try to load in advertising or tracking and it is not necessarily malicious, just annoying--so might this be something that can be cleared up in a noscript update?
Maybe, but not sure. The problem is not doubleclick being malicious or less, but that specific URL containing a pattern which matches with a non-trivial JavaScript fragment, hinting at a cross-site scripting attack. In this case it's a false positive, but not that easy to tell.
marlow wrote: I actually hate to grant an exception to anything named "doubleclick" since I'm not fond of lots of tracking.
In fact, you won't get any XSS warning anymore as soon as you just forbid doubleclick.net. Why do you have it allowed?
Re: google finance xss warning
Thanks much for the helpful reply. I now understand better how & where noscript gets involved in the process.
I use noscript very much without being an expert in its features.
Giorgio Maone wrote: In fact, you won't get any XSS warning anymore as soon as you just forbid doubleclick.net. Why do you have it allowed?
I need to spend more time studying the documentation, cause it is not obvious to me how I can simply "forbid doubleclick.net." Even after searching thru the faqs, docs and forums.
On the page where I get the XSS warning, if I click on the noscript icon, I get an option to "forbid google.com" which I don't want to do. I also see the option to mark "about:neterror as untrusted," but that doesn't seem to be what I want either.
In the options dialogues, I see where to enter sites in the "whitelist" but don't see any to set a "blacklist." I see in the noscript documentation
"If you know you don't want to allow a certain site now and in the foreseeable future, you can permanently mark it as untrusted: just click the NoScript icon, open the Untrusted menu and select the Mark bad-site.com as Untrusted menu item."
but --and this sounds dumb I know-- I don't see precisely how to "open the Untrusted menu"
There must be some menu option or keystroke I'm not noticing
marlow
Giorgio Maone (Site Admin)
Re: google finance xss warning
You're getting "about:neterror" rather than "doubleclick.net" because of your hosts file breaking the load.
As long as you keep this configuration, the XSS exception is the way to go.
Anyway, did you "Allow script globally", perhaps? Otherwise, doubleclick.net would be already forbidden.
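A simplified model of the decision described in this thread, as an added example that is not NoScript's own code: the script-like pattern list, the `base_domain` helper and the function names are illustrative assumptions, and the sample URLs are constructed. It shows why the hosts-file redirect is irrelevant (only hostnames are compared, no DNS), why an exception has to match the requested ad URL rather than the finance page, and why "Scripts Globally Allowed" makes the warning appear for a site that is otherwise forbidden.

```python
import re
from urllib.parse import urlsplit, quote

# Illustrative stand-in for NoScript's injection heuristics (assumption, not
# the real rule set): fragments that look like JavaScript inside a URL.
SUSPICIOUS = re.compile(r"<script|javascript:|\b(?:alert|eval)\s*\(|\bdocument\.", re.I)


def base_domain(host):
    """Crude base-domain extraction (last two labels); a real implementation
    would consult the public suffix list."""
    return ".".join(host.split(".")[-2:])


def check_request(url, referrer, trusted, exceptions, scripts_globally_allowed=False):
    """Decide what to do with a request for `url` made from `referrer`.

    trusted:    base domains on the whitelist (allowed to run scripts)
    exceptions: anchored regexes matched against the *requested* URL, as the
                thread observed (a pattern on the referring page did not help)
    Returns (verdict, url) with verdict in {"allow", "skip", "sanitize"}.
    """
    dest, src = urlsplit(url), urlsplit(referrer)
    # Hostnames are compared as strings; no DNS lookup happens here, so a
    # hosts-file entry pointing the destination at 127.0.0.1 cannot matter.
    if dest.hostname == src.hostname:
        return "allow", url
    # A destination that may not run scripts needs no XSS check: injected
    # script could not execute there. "Scripts Globally Allowed" removes this
    # shortcut, which is why the warning appeared in the thread.
    if not scripts_globally_allowed and base_domain(dest.hostname) not in trusted:
        return "skip", url
    if any(re.search(p, url) for p in exceptions):
        return "allow", url
    if not SUSPICIOUS.search(dest.query):
        return "allow", url
    # Neutralise the query by percent-encoding every reserved character, so
    # nothing in it can be parsed as script by the receiving page.
    return "sanitize", dest._replace(query=quote(dest.query, safe="")).geturl()


if __name__ == "__main__":
    # Constructed sample: the thread's referring page plus an ad URL whose
    # query happens to contain a script-like fragment (a false positive).
    ref = "http://www.google.com/finance?q=NASDAQ:AAPL"
    ad = "http://ad-g.doubleclick.net/adi/com.gf?ref=javascript:void(0)"
    print(check_request(ad, ref, {"google.com"}, []))                                # skip
    print(check_request(ad, ref, {"google.com"}, [], scripts_globally_allowed=True))  # sanitize
    print(check_request(ad, ref, {"google.com"}, [r"^http://ad-g\.doubleclick\.net"],
                        scripts_globally_allowed=True))                            # allow
```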
Re: google finance xss warning
You're correct about "Scripts Globally Allowed", Giorgio.
Changing some options I did just notice that the xss warnings on the page are being shown iff I have "Scripts Globally Allowed." When I unchecked this, the XSS warning on the page no longer appears -- even without my adding the anti-xss protection exception: ^http://ad-g.doubleclick.net .
In other words, I guess doubleclick.net is automatically "forbidden" because it is not included in the noscript Whitelist, but when I specified "Scripts Globally Allowed" I disabled this blocking.
I had had "Scripts Globally Allowed" specified for some time, having some difficulty or other a while back. I set it this way when I was on a page other than google.com/finance and it is likely that this is when I began to generate the xss warnings--and I didn't guess this was the cause.
This has been a helpful discussion for me.
Thanks again very much.
I think we can consider this problem/question solved!