Bug report: NoScript 1.9.9.63 XSS error with Google Maps

rickmastfan67
Posts: 17
Joined: Sat Apr 17, 2010 10:21 pm

Post by rickmastfan67 »

Windows 7 x64
Firefox 3.6.3
NoScript 1.9.9.63

Alright, I've been submitting error reports to Google Maps when they have something wrong. And once they correct them, they send me a message back with a link to the area that I reported that was wrong. Now, most of the time, the link in that e-mail saying it's been fixed works fine. However, sometimes NoScript doesn't like those links and pops up an "XSS" error message and breaks the page.

Here's the error:

[NoScript XSS] Sanitized suspicious request. Original URL [http://maps.google.com/?ie=UTF8&ll=40.430991%2C-80.026335&spn=0.001505%2C0.003484&z=19&skstate=action:update$fid:4545264270379343475$location:40.43096%2C-80.02586$issue_class:rmi.street$description:This%20%22ramp%22%20is%20really%20still%20part%20of%20I-376%20at%20this%20point.%20%20At%20the%20point%20of%20this%20report%20is%20where%20it%20truly%20leaves%20I-376%20as%20exit%20%2369C.%20%20The%20location%20of%20the%20ramp%20leaving%20can%20be%20verified%20via%20the%20Satellite%20view.%20%20The%20other%20ramp%20to%20Saw%20Mill%20Run%20Blvd%20from%20I-376%20EB%20is%20Exit%20%2369B.] requested from [moz-nullprincipal:{be0d8ae0-53a4-43d2-bfb0-323c52a5047a}]. Sanitized URL: [http://maps.google.com/?ie=UTF8&ll=40.430991%2C-80.026335&spn=0.001505%2C0.003484&z=19&skstate=action%20update%24fid%3A4545264270379343475%24location%3A40.43096%20-80.02586%24issue_class%3Armi.street%24description%3AThis%20%22ramp%22%20is%20really%20still%20part%20of%20I-376%20at%20this%20point.%20%20At%20the%20point%20of%20this%20report%20is%20where%20it%20truly%20leaves%20I-376%20as%20exit%20%2069C.%20%20The%20location%20of%20the%20ramp%20leaving%20can%20be%20verified%20via%20the%20Satellite%20view.%20%20The%20other%20ramp%20to%20Saw%20Mill%20Run%20Blvd%20from%20I-376%20EB%20is%20Exit%20%2069B.#00897302285093137826].
It seems it doesn't like the "." at the end of the report's original URL (Please nobody attempt to update that report, I've already submitted info about the missing exit numbers in a separate report and they already said I was right, so that should be fixed soon) when clicking on the link inside of my e-mail (GMail account). Because when I right click and copy the URL and then paste it into a New Tab in FF, it works just fine with no XSS message.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 (BT-penguins) Firefox/3.6.3
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Bug report: NoScript 1.9.9.63 XSS error with Google Maps

Post by Giorgio Maone »

It seems to be some weird encoding issue. Investigating, thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Bug report: NoScript 1.9.9.63 XSS error with Google Maps

Post by Giorgio Maone »

OK, I finally understood what's going on.
You get the XSS warning if you navigate that URL from GMail because it uses a <META> redirection to hide the origin.
Unfortunately there's currently no work-around.
It will be fixed in a future NoScript version, when unknown and untrusted origins will be treated like trusted ones (i.e. using the InjectionChecker, rather than the "nuke all" policy which is currently applied).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
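A triage helper for console entries like the one in the first post, as an added example that is not part of either poster's message and is not NoScript code: it parses a "[NoScript XSS]" entry, reports whether the requester is a null principal, and lists which characters were substituted in each query parameter. The sample entry is constructed (shortened from the one in the thread, with a placeholder host and GUID), and treating `moz-nullprincipal:` as the "unknown origin" case from the reply above is an assumption.

```javascript
// Added example: triage one "[NoScript XSS]" console entry (format as posted in this thread).
const ENTRY = /^\[NoScript XSS\] Sanitized suspicious request\. Original URL \[(.*)\] requested from \[(.*?)\]\. Sanitized URL: \[(.*)\]\.$/;

// Constructed sample, shortened from the entry in the thread; host and GUID are placeholders.
const SAMPLE = "[NoScript XSS] Sanitized suspicious request. Original URL " +
  "[http://maps.example/?z=19&skstate=action:update$location:40.43%2C-80.02$description:exit%20%2369C.] " +
  "requested from [moz-nullprincipal:{00000000-0000-0000-0000-000000000000}]. Sanitized URL: " +
  "[http://maps.example/?z=19&skstate=action%20update%24location%3A40.43%20-80.02%24description%3Aexit%20%2069C.#0123456789].";

// Percent-decode, but keep the raw text if an escape sequence is malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Query string -> Map of decoded name/value pairs ("+" is left alone on purpose).
function decodedParams(url) {
  const params = new Map();
  for (const pair of new URL(url).search.slice(1).split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const name = eq < 0 ? pair : pair.slice(0, eq);
    params.set(safeDecode(name), eq < 0 ? "" : safeDecode(pair.slice(eq + 1)));
  }
  return params;
}

// Returns null for lines that are not XSS-filter entries.
function triage(line) {
  const m = ENTRY.exec(line.trim());
  if (!m) return null;
  const [, original, origin, sanitized] = m;
  const before = decodedParams(original), after = decodedParams(sanitized);
  const changes = [];
  for (const [name, value] of before) {
    const now = after.get(name);
    if (now === value) continue;
    // Same length means a character-for-character substitution: list what was replaced.
    const replaced = new Set();
    if (now !== undefined && now.length === value.length) {
      for (let i = 0; i < value.length; i++) if (value[i] !== now[i]) replaced.add(value[i]);
    }
    changes.push({ name, replaced: [...replaced].join("") });
  }
  // Assumption: a moz-nullprincipal requester is the "unknown origin" case from the reply above.
  return { origin, unknownOrigin: origin.startsWith("moz-nullprincipal:"), changes };
}

console.log(JSON.stringify(triage(SAMPLE)));
```

In the entry posted in this thread, the characters that differ between the original and sanitized `skstate` value are the ":" after `action`, the "," in the location, and the two "#" signs; the trailing "." is the same in both URLs.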
rickmastfan67
Posts: 17
Joined: Sat Apr 17, 2010 10:21 pm

Re: Bug report: NoScript 1.9.9.63 XSS error with Google Maps

Post by rickmastfan67 »

Thanks. Really appreciate it. Can't wait for the fix. :)
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 (BT-penguins) Firefox/3.6.3
rickmastfan67
Posts: 17
Joined: Sat Apr 17, 2010 10:21 pm

Re: Bug report: NoScript 1.9.9.63 XSS error with Google Maps

Post by rickmastfan67 »

Just was curious, is there any new update on this?
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 (BT-penguins) Firefox/3.6.6
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Bug report: NoScript 1.9.9.63 XSS error with Google Maps

Post by Giorgio Maone »

It will go directly in next release.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
rickmastfan67
Posts: 17
Joined: Sat Apr 17, 2010 10:21 pm

Re: Bug report: NoScript 1.9.9.63 XSS error with Google Maps

Post by rickmastfan67 »

Next release as in 2.0 or 1.10.*?
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 (BT-penguins) Firefox/3.6.6
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Bug report: NoScript 1.9.9.63 XSS error with Google Maps

Post by Giorgio Maone »

rickmastfan67 wrote: Next release as in 2.0 or 1.10.*?
2.0 :)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
rickmastfan67
Posts: 17
Joined: Sat Apr 17, 2010 10:21 pm

Re: Bug report: NoScript 1.9.9.63 XSS error with Google Maps

Post by rickmastfan67 »

Alright, just was wondering. ;)
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 (BT-penguins) Firefox/3.6.6
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Bug report: NoScript 1.9.9.63 XSS error with Google Maps

Post by Giorgio Maone »

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8