Wrong(?) XSS Detection with Drag & DropZones and HTTP Post

nononon

Wrong(?) XSS Detection with Drag & DropZones and HTTP Post

Post by nononon »

Hello,
I use Firefox 3.6.15 on Windows XP
Some of my Add-ons:
Drag & DropZones 1.5 (https://addons.mozilla.org/en-us/firefo ... dropzones/)
NoScript 2.0.9.9
ABP
RequestPolicy

Since the latest update of NoScript, I get a warning about an XSS attempt when I use the D&D Zones extension to search from a site, for instance:
[Image]

This only happens when I use search engines with the HTTP POST method.

So my question is this intended?

Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
nononon

Re: Wrong(?) XSS Detection with Drag & DropZones and HTTP Po

Post by nononon »

Any clues anyone?
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Wrong(?) XSS Detection with Drag & DropZones and HTTP Po

Post by Giorgio Maone »

Can I see the [NoScript XSS] messages you should get in Tools|Error Console?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16
nononon

Re: Wrong(?) XSS Detection with Drag & DropZones and HTTP Po

Post by nononon »

Giorgio Maone wrote: Can I see the [NoScript XSS] messages you should get in Tools|Error Console?

[NoScript XSS] A suspicious upload to [http://www.scroogle.org/cgi-bin/nbbw.cgi] from [http://forums.informaction.com/viewtopic.php?f=7&t=6076] was sanitized and converted into a GET request (download only).

Also, I just noticed this happens only if JavaScript is forbidden. If I allow informaction.com, I don't get this error.
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Wrong(?) XSS Detection with Drag & DropZones and HTTP Po

Post by Giorgio Maone »

That's normal, as NoScript sanitizes any POST request originating from non-whitelisted sites as a CSRF countermeasure.

You can work around by adding the following line to NoScript Options|Advanced|XSS exceptions:

^@http://www\.scroogle\.org/cgi-bin/nbbw\.cgi$
I cannot see any valid reason to send a search request via POST, though.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16
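The countermeasure Giorgio describes, modelled in code as an added illustration. This is not NoScript's own code: the whitelist matching, the same-site shortcut, the reading of "download only" as "the POST body is discarded", and the matching of an XSS-exception line against "@" followed by the destination URL (which is what the leading ^@ in the exception above suggests) are all assumptions made for the example. The sample request reproduces the thread's case: a search form on a forums.informaction.com page posting to the scroogle.org CGI, with the form field invented.

```javascript
// Added example, not NoScript's code: a model of how a cross-site POST from a
// non-whitelisted origin is sanitized into a GET (CSRF countermeasure), and of
// the two ways the thread mentions to avoid it: whitelisting the origin, or an
// XSS-exception regex for the destination. Assumptions are marked inline.

// Whitelist check: exact hostname or any subdomain of a listed site (assumption).
function isWhitelisted(originUrl, whitelist) {
  const host = new URL(originUrl).hostname;
  return whitelist.some((site) => host === site || host.endsWith("." + site));
}

// Each line of the XSS-exceptions list is a regular expression.
function parseException(line) {
  return new RegExp(line.trim());
}

// policy = { whitelist: ["example.com", ...], exceptions: ["^@http://...", ...] }
// Returns the request as it would leave the browser plus the console message, if any.
function sanitizeCrossSiteRequest(req, policy) {
  const { origin, destination, method } = req;
  const unchanged = { request: { ...req }, message: null };

  // Only uploads (POST) are touched; plain GET navigations pass through.
  if (method.toUpperCase() !== "POST") return unchanged;
  // Same-site POSTs are not cross-site and are left alone (assumption).
  if (new URL(origin).hostname === new URL(destination).hostname) return unchanged;
  // A trusted (whitelisted) origin may upload wherever it likes.
  if (isWhitelisted(origin, policy.whitelist)) return unchanged;
  // Assumption: exception patterns are matched against "@" + destination URL,
  // which is why the exception line in the post begins with "^@".
  const target = "@" + destination;
  if (policy.exceptions.map(parseException).some((rx) => rx.test(target))) return unchanged;

  // Untrusted cross-site upload: drop the body and turn it into a download-only GET.
  return {
    request: { origin, destination, method: "GET", body: null },
    message:
      `[NoScript XSS] A suspicious upload to [${destination}] from [${origin}] ` +
      "was sanitized and converted into a GET request (download only).",
  };
}

// Constructed sample reproducing the thread: the form field name/value is invented.
const searchPost = {
  origin: "http://forums.informaction.com/viewtopic.php?f=7&t=6076",
  destination: "http://www.scroogle.org/cgi-bin/nbbw.cgi",
  method: "POST",
  body: "Gw=noscript+xss",
};

// Three policies: JavaScript forbidden everywhere (empty whitelist), the origin
// whitelisted, and the exception line from the post added instead.
function demo() {
  const noTrust = sanitizeCrossSiteRequest(searchPost, { whitelist: [], exceptions: [] });
  const trusted = sanitizeCrossSiteRequest(searchPost, { whitelist: ["informaction.com"], exceptions: [] });
  const excepted = sanitizeCrossSiteRequest(searchPost, {
    whitelist: [],
    exceptions: ["^@http://www\\.scroogle\\.org/cgi-bin/nbbw\\.cgi$"],
  });
  return { noTrust, trusted, excepted };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log(r.noTrust.message);
  console.log(r.noTrust.request.method, r.trusted.request.method, r.excepted.request.method);
}
```

Note the trailing $ in the exception: it only matches the exact CGI URL, so a destination with a query string appended would still be sanitized under this model, which is the conservative reading of the line in the post.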