XSS on blogspot/blogger

Post by eckstee »

Blogger has a new layout editor where you can see your changes live before you save them, and NoScript blocks an XSS request every time I go into it. With the request blocked, the editor doesn't work (my blog doesn't show in the lower pane), and upon doing an unsafe reload, everything works as expected.

I suspect this is because they use two domains, blogspot.com and blogger.com. I've already had third-party cookie issues because of this.

Adding the following line to the XSS exceptions list fixes the issue:

^https?://[^\.]+\.blogspot\.com/b/preview
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Re: XSS on blogspot/blogger

Post by Giorgio Maone »

Could you please show me the [NoScript XSS] line(s) you get in Tools|Error Console, so I can see if a more restrictive exception (or a different work-around) can be wired into the next NoScript version?
Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
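
An added example (not part of the original posts, and not NoScript's own code): a JavaScript check of which URLs the exception regex posted above would exempt from the XSS filter, next to a tighter variant. The sample URLs, the function names and the TIGHTER pattern are assumptions made for illustration.

```javascript
// Exception pattern exactly as posted in the thread.
const POSTED = /^https?:\/\/[^\.]+\.blogspot\.com\/b\/preview/;
// Assumed tighter variant (not a NoScript default): the host label may not
// contain URL delimiters, and the path must stop at a boundary.
const TIGHTER = /^https?:\/\/[^.\/?#@:]+\.blogspot\.com\/b\/preview(?:[\/?#]|$)/;

// True when the URL's parsed host is blogspot.com or one of its subdomains.
function hostIsBlogspot(url) {
  try {
    const host = new URL(url).hostname.toLowerCase();
    return host === "blogspot.com" || host.endsWith(".blogspot.com");
  } catch (e) {
    return false; // not parseable as a URL
  }
}

// Does the pattern exempt this URL, and is the real host a blogspot one?
function audit(url, pattern) {
  return { url, exempt: pattern.test(url), onBlogspot: hostIsBlogspot(url) };
}

// Constructed sample URLs (none taken from the thread).
const SAMPLES = [
  "http://myblog.blogspot.com/b/preview?token=abc", // the reported case
  "https://someoneelse.blogspot.com/b/preview",     // any other blog matches too
  "http://myblog.blogspot.com/2010/04/post.html",   // ordinary post, stays filtered
  "http://www.myblog.blogspot.com/b/preview",       // two labels, stays filtered
  "http://intranet/x.blogspot.com/b/preview",       // host is "intranet", not blogspot
];

// URLs the pattern exempts although their host is not under blogspot.com.
function unexpected(pattern) {
  return SAMPLES.map((u) => audit(u, pattern))
    .filter((r) => r.exempt && !r.onBlogspot)
    .map((r) => r.url);
}

for (const [name, re] of [["posted", POSTED], ["tighter", TIGHTER]]) {
  for (const r of SAMPLES.map((u) => audit(u, re))) {
    console.log(name.padEnd(8), r.exempt ? "exempt  " : "filtered", r.url);
  }
  console.log(name, "unexpected exemptions:", unexpected(re));
}
```

The posted pattern exempts the preview path on every single-label blogspot.com host, and because `[^\.]+` also accepts `/`, it can match a URL whose host is not blogspot.com at all.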