XSS identified in Google Chat with NS 2.1.0.6rc5

stephenjpc
Posts: 4
Joined: Fri Feb 04, 2011 10:58 am

XSS identified in Google Chat with NS 2.1.0.6rc5

Post by stephenjpc »

I use Firefox 4.0.1 synced across 3 PCs (2 with XP Pro, 1 Win 7 64). iGoogle is my homepage. These have just updated my NoScript to 2.1.0.6rc5, and now I am getting an XSS warning with the iGoogle page that was not occurring ahead of the update, and the Google Chat feature is being blocked. Reverting to the latest stable build resolves the problem so I presume this is a bug that will need ironing.

If it assists, this is the message showing up in my Console, with minor edits to (hopefully) protect my identity:

[NoScript XSS] Sanitised suspicious request.
Original URL [http://talkgadget.google.com/talkgadget/notifierclient?client=sm&prop=iGoogle&nav=true&fid=gtn-roster-iframe-id&ts=0&debug=undefined&os=Win32&stime=13954686665&fb=false&re=true&no=undefined&hc=true&ref=false&xpc=%7B%22cn%22%3A%22o643m%22%2C%22tp%22%3A1%2C%22ifrid%22%3A%22gtn-roster-iframe-id%22%2C%22pu%22%3A%22http%3A%2F%2Ftalkgadget.google.com%2Ftalkgadget%2F%22%2C%22lpu%22%3A%22http%3A%2F%2Fwww.google.co.uk%2Frobots.txt%22%2C%22ppu%22%3A%22http%3A%2F%2Ftalkgadget.google.com%2Frobots.txt%22%7D&pvt=undefined&href=http%3A%2F%2Fwww.google.co.uk%2Fig%23t_0%3Frel%3D1&css=http%3A%2F%2Figoogle-skins.googleusercontent.com%2Fig%2Fskin_xml_to_css%3Fv2%3D1%26url%3Dhttp%253A%252F%252Fwww.google.com%252Fig%252Fmodules%252Fapiskins%252Fteahouse.xml%26skindx%3Dix%3A8%26hl%3Den%26fp%3DDNtYX5r8HII&hl=en&uj=stephen%40gmail.com&vp=http%3A%2F%2Fwww.google.co.uk%2Fig%2Ftalk_xpc_blank.html&host=1&zx=g7ysernshr3a] requested from [http://www.google.co.uk/ig].
Sanitised URL: [http://talkgadget.google.com/talkgadget/notifierclient?client=sm&prop=iGoogle&nav=true&fid=gtn-roster-iframe-id&ts=0&debug=undefined&os=Win32&stime=13954686665&fb=false&re=true&no=undefined&hc=true&ref=false&xpc=%7B%20cn%20%3A%20o643m%20%2C%20tp%20%3A1%2C%20ifrid%20%3A%20gtn-roster-iframe-id%20%2C%20pu%20%3A%20http%3A%2F%2Ftalkgadget.google.com%2Ftalkgadget%2F%20%2C%20lpu%20%3A%20http%3A%2F%2Fwww.google.co.uk%2Frobots.txt%20%2C%20ppu%20%3A%20http%3A%2F%2Ftalkgadget.google.com%2Frobots.txt%20%7D&pvt=undefined&href=http%3A%2F%2Fwww.google.co.uk%2Fig%23102787499062865405&css=http%3A%2F%2Figoogle-skins.googleusercontent.com%2Fig%2Fskin_xml_to_css%3Fv2%3D1%26url%3Dhttp%253A%252F%252Fwww.google.com%252Fig%252Fmodules%252Fapiskins%252Fteahouse.xml%26skindx%3Dix%3A8%26hl%3Den%26fp%3DDNtYX5r8HII&hl=en&uj=stephen%40gmail.com&vp=http%3A%2F%2Fwww.google.co.uk%2Fig%2Ftalk_xpc_blank.html&host=1&zx=g7ysernshr3a#119964604473264759].
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
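
To see which parameters the filter rewrote in a console message like the one in the post above, the two logged URLs can be diffed parameter by parameter. This is an added example, not part of the original thread or of NoScript's code; the function names are hypothetical and the sample log is a constructed, shortened copy of the one posted.

```javascript
// Added example: diff the "Original URL" and "Sanitised URL" entries of a
// NoScript XSS console message, parameter by parameter.

// Constructed sample: the message from the post above, shortened to four
// parameters and a two-field xpc value.
const SAMPLE_LOG = [
  "[NoScript XSS] Sanitised suspicious request.",
  "Original URL [http://talkgadget.google.com/talkgadget/notifierclient?client=sm" +
    "&xpc=%7B%22cn%22%3A%22o643m%22%2C%22tp%22%3A1%7D" +
    "&href=http%3A%2F%2Fwww.google.co.uk%2Fig%23t_0%3Frel%3D1&host=1]" +
    " requested from [http://www.google.co.uk/ig].",
  "Sanitised URL: [http://talkgadget.google.com/talkgadget/notifierclient?client=sm" +
    "&xpc=%7B%20cn%20%3A%20o643m%20%2C%20tp%20%3A1%7D" +
    "&href=http%3A%2F%2Fwww.google.co.uk%2Fig%23102787499062865405&host=1" +
    "#119964604473264759].",
].join("\n");

// Pull both URLs out of the bracketed log fields (hypothetical helper).
function extractUrls(log) {
  const original = /Original URL \[(.+?)\] requested from/s.exec(log);
  const sanitised = /Sanitised URL: \[(.+?)\]\.?\s*$/s.exec(log);
  if (!original || !sanitised) {
    throw new Error("not a NoScript XSS sanitisation message");
  }
  return { original: new URL(original[1]), sanitised: new URL(sanitised[1]) };
}

// True when the decoded value parses as JSON.
function isJson(value) {
  try { JSON.parse(value); return true; } catch (e) { return false; }
}

// List every query parameter (and the fragment) whose decoded value differs.
function diffParams(log) {
  const { original, sanitised } = extractUrls(log);
  const pairs = [["#fragment", original.hash, sanitised.hash]];
  const names = new Set([...original.searchParams.keys(), ...sanitised.searchParams.keys()]);
  for (const name of names) {
    pairs.push([name, original.searchParams.get(name), sanitised.searchParams.get(name)]);
  }
  return pairs
    .filter(([, before, after]) => before !== after)
    .map(([name, before, after]) => ({
      name, before, after,
      jsonBroken: before !== null && isJson(before) && !(after !== null && isJson(after)),
    }));
}

console.log(diffParams(SAMPLE_LOG));
```

On the sample, the diff reports three changes: the double quotes in the JSON-valued `xpc` parameter are replaced by spaces (so it no longer parses as JSON), the fragment inside `href` is rewritten, and a fragment is appended to the request URL.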
stephenjpc
Posts: 4
Joined: Fri Feb 04, 2011 10:58 am

Re: XSS identified in Google Chat with NS 2.1.0.6rc5

Post by stephenjpc »

Issue resolved with rc6, thanks.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
stephenjpc
Posts: 4
Joined: Fri Feb 04, 2011 10:58 am

Re: XSS identified in Google Chat with NS 2.1.0.6rc5

Post by stephenjpc »

Now there's the same problem with rc9. :(
Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Giorgio Maone
Site Admin
Posts: 9527
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS identified in Google Chat with NS 2.1.0.6rc5

Post by Giorgio Maone »

Refixed in rc10 :)
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
stephenjpc
Posts: 4
Joined: Fri Feb 04, 2011 10:58 am

Re: XSS identified in Google Chat with NS 2.1.0.6rc5

Post by stephenjpc »

Thanks again Giorgio, and more generally for all your work with the best browser add-on bar none.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0