NoScript has treated me well until recently. I cannot get a video on my site to load as soon as I enable NoScript even though I allowed EVERYTHING, the domain is whitelisted, the video comes up in a gray box and refuses to play. As soon as I disable NoScript it works fine. I'm stumped as to why this is. It is DEFINITELY Noscript causing this not another addon because I have tried this with a completely new install of FF and Noscript as the only addon.
It happens when clicking on the QuickTour Product Overview button on the below page. It should simply pop up a video and play it and it does not. Any help would be appreciated. Because if it's not working with no script, I could lose business.
The maker of this addon needs to let me know about this.
The page is
http://www.securepaynet.net/ecommerce/s ... stInternet
No Script blocking when it shouldn't be
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: No Script blocking when it shouldn't be
Confirmed in NS 2.0.1rc2.
The Error Console shows NoScript doing some XSS sanitizing which seems to prevent the video from playing. The maker of this addon may be able to modify NoScript or suggest a change you can make on your end. We'll have to wait until Giorgio logs in again.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: No Script blocking when it shouldn't be
Unfortunately that site is sending out a URL containing what seems to be a <video> HTML element, which is considered full-fledged cross-site scripting.
I can see the potential for a work-around in the next NoScript version, but in the meantime you can access the video by adding the following line to your NoScript Options|Advanced|XSS exceptions:
Code:
^http://img1\.wsimg\.com/gdtv/swf/apiplayeras2_2\.swf\?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Re: No Script blocking when it shouldn't be
Is there an issue here with the logging? the formatting of the reason string?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Re: No Script blocking when it shouldn't be
Code:
[NoScript XSS] xss.reason.http://img1.wsimg.com/gdtv/swf/apiplayeras2_2.swf?mediaID=undefined&myXML=%3Cvideo%3E%3Cinfo%20vTitle%3D%22Quick%20Shopping%20Cart%20Product%20Overview%22%20vURL%3D%22http%3A//video.securepaynet.net/ProductDemo_QuickShoppingCart_Reseller_640x360_large.flv%22%20vClick%3D%22QSCProductOverview%22%3EInfo%3C/info%3E%3C/video%3E
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.11) Gecko/20100701 SeaMonkey/2.0.6
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: No Script blocking when it shouldn't be
al_9x wrote: Is there an issue here with the logging? the formatting of the reason string?
Yes there is and I'm investigating that.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: No Script blocking when it shouldn't be
Fixed in latest development build (the <video> with no attributes false positive).
Regarding the "strange" message, it is due to the request triggering the filter not being bound to an HTML document, but to a Flash movie, therefore some stuff normally expected to be retrievable cannot be fetched.
I've been tempted to skip the checks for plugin content, but then I resolved to keep the checks since a Flash movie, for instance, could have been coded to call GetURL() on a query string parameter, therefore becoming a 2nd order XSS vector, and therefore the InjectionChecker pass is beneficial.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
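Added example, not part of the original thread and not NoScript's own code: it decodes the request logged above to show the markup carried in the myXML parameter, and checks how narrowly the suggested XSS exception is scoped. The helper names and the tag-matching pattern are assumptions for illustration, a simplified stand-in for the InjectionChecker; the look-alike URLs in the usage note are constructed.

```javascript
// The request URL exactly as logged in this thread.
const LOGGED_URL =
  "http://img1.wsimg.com/gdtv/swf/apiplayeras2_2.swf?mediaID=undefined&myXML=" +
  "%3Cvideo%3E%3Cinfo%20vTitle%3D%22Quick%20Shopping%20Cart%20Product%20Overview%22" +
  "%20vURL%3D%22http%3A//video.securepaynet.net/" +
  "ProductDemo_QuickShoppingCart_Reseller_640x360_large.flv%22" +
  "%20vClick%3D%22QSCProductOverview%22%3EInfo%3C/info%3E%3C/video%3E";

// The exception line from the thread, written as a JavaScript regular expression.
const XSS_EXCEPTION = new RegExp(
  "^http://img1\\.wsimg\\.com/gdtv/swf/apiplayeras2_2\\.swf\\?"
);

// Hypothetical helper: return the query parameters whose decoded value
// contains something that looks like an HTML/XML tag.
function findMarkupParams(url) {
  const q = url.indexOf("?");
  if (q < 0) return [];
  const hits = [];
  for (const pair of url.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    const name = eq < 0 ? pair : pair.slice(0, eq);
    let value = eq < 0 ? "" : pair.slice(eq + 1);
    try {
      value = decodeURIComponent(value);
    } catch (e) {
      // Malformed percent-escapes: inspect the raw value instead.
    }
    const tag = /<\s*\/?\s*([a-z][a-z0-9]*)/i.exec(value);
    if (tag) hits.push({ name, firstTag: tag[1].toLowerCase(), value });
  }
  return hits;
}

// Hypothetical helper: does the exception from the thread cover this URL?
function isExempt(url) {
  return XSS_EXCEPTION.test(url);
}

for (const hit of findMarkupParams(LOGGED_URL)) {
  console.log(`${hit.name} carries <${hit.firstTag}>: ${hit.value}`);
}
console.log("exception covers logged URL:", isExempt(LOGGED_URL));
```

Because the pattern is anchored at the start and escapes the dots, it covers only that one SWF on that one host; a look-alike host such as img1.wsimg.com.example.net or a different file under the same path is still checked.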