FireFox + NS + Google "Note in Reader" = XSS problem

[msemtd]

Hi, please excuse my lack of experience with NoScript - I'm a casual user rather than a web hacker.

I'm having some trouble with one of my favourite browser features, a "Note in Reader" bookmarklet that takes the selected text and adds it to my Google Reader page. When I use it on some pages I get a NS XSS blocked warning, no information is saved and the browser history on that tab is lost.

My NoScript version is 2.0.1 and the bookmarklet reads as follows: -

Code: Select all

javascript:var%20b=document.body;var%20GR________bookmarklet_domain='https://www.google.com';if(b&&!document.xmlVersion){void(z=document.createElement('script'));void(z.src='https://www.google.com/reader/ui/link-bookmarklet.js');void(b.appendChild(z));}else{}

I can fully understand that NS believes that something dodgy is afoot: there's a selection being passed to another site - fair enough!

I tried altering an existing Anti-XSS regex thus: -

Code: Select all

^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|reader\1)\?

No joy
Google Reader and NoScript are both great features of my browsing experience -- How can I get the two great features to play nicely together?

[Giorgio Maone]

The following line added in the exceptions box should do:

Code: Select all

^http://www\.google\.com/reader/link-frame

If it doesn't, please show me the [NoScript XSS] line(s) you should get in Tools|Error Console (Messages subsection) when this happens.

[msemtd]

That seems to have done the trick - many thanks

Works fine for my problem sites although the "close this" link in the reader frame/div is not clickable for some reason! (Can't remember if it used to work previously -- I've also updated my bookmarklet to the latest from the Google Reader front end) Does anyone else have this issue?

[Antipop]

the "close this" link in the reader frame/div is not clickable for some reason!

It is not clickable on untrusted sites, because Google's script (even if Google is whitelisted) is loaded through the said untrusted site and therefore blocked - at least NoScript treats it that way.
While it is good usually, I'd really love a way to make exceptions for such issues like "Note in Reader" feature.
Temporarily allowing each site on which I want to send a GR's note would be quite a pain in the ass... Not to say dangerous... We need a way to enable google's script https://www.google.com/reader/ui/link-bookmarklet.js to be loaded on http://www.badsite.com. Any solutions?

[Giorgio Maone]

Temporarily allowing each site on which I want to send a GR's note would be quite a pain in the ass... Not to say dangerous... We need a way to enable google's script https://www.google.com/reader/ui/link-bookmarklet.js to be loaded on http://www.badsite.com. Any solutions?

Unfortunately even if the 3rd party script got to load (and it doesn't), it wouldn't run because the JS engine is off for the hosting page.