Session IDs in url

Sabroni


Post by Sabroni »

Hi,

I support some old mobile sites from the days of WAP. When first accessed, these sites redirect the browser to the same URL but with the session ID embedded in the URL (this is standard practice for old .NET mobile apps from the days when most phones didn't accept cookies).
Recently I've spotted that if I try to visit these sites in Firefox with NoScript, I instead get the message "The Resource could not be found" from the server, along with the message "NoScript filtered a potential cross-site scripting (XSS) attempt from [chrome:]. Technical details have been logged to the Console."
If I look in the console I see two messages:

```
[NoScript InjectionChecker] JavaScript Injection in ///aa/road/(S(fku5v155vxkzjcahkd00fo55))/roadroutestart.aspx
(function anonymous() {aa / road / S(fku5v155vxkzjcahkd00fo55) / roadroutestart.aspx;DUMMY_EXPR;})
```
and

```
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.mysite.com/aa/road/(S(fku5v155vxkzjcahkd00fo55))/roadroutestart.aspx] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://www.mysite.com/aa/road/%20S%20fku5v155vxkzjcahkd00fo55%20%20/roadroutestart.aspx#9664221400706349466].
```
Originally ASP.NET would just embed the session ID in the URL between forward slashes, but since .NET 2 it puts it in brackets, wrapped in another set of brackets with "S" at the start, like this: (S(fku5v155vxkzjcahkd00fo55)).

Is there an easy way to disable this checking for this specific domain? I could switch to another browser but I'd rather stay with firefox if there's an easy rule or setting to get around this. The domain is already whitelisted in NoScript.

Cheers
Sab
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Thrawn
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Session IDs in url

Post by Thrawn »

Sabroni wrote: If I look in the console I see two messages:

NoScript is telling you that those URLs look a whole lot like JavaScript, which they do, and which isn't normal for a URL.

Sabroni wrote: Originally asp.net would just embed the session id in the url between forward slashes, but since .net 2 it puts them in brackets, wrapped in another set of brackets with "S" at the start like this:

That is an incredibly BAD design decision on Microsoft's part... don't know whether Giorgio could implement a safe workaround for it.

Sabroni wrote: Is there an easy way to disable this checking for this specific domain? I could switch to another browser but I'd rather stay with firefox if there's an easy rule or setting to get around this. The domain is already whitelisted in NoScript.

Yes, if you know regular expressions. It's in the FAQ. Options-Advanced-XSS.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
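The following is an added example, not code from either poster, from NoScript or from ASP.NET. It shows the kind of regular expression Thrawn is pointing at, written narrowly enough that it exempts only this site's cookieless-session URLs, and it reproduces why the server answers "resource could not be found" once NoScript has rewritten the parentheses to %20. Assumptions: the NoScript Anti-XSS Protection Exceptions list (Options > Advanced > XSS) takes one regular expression per line and exempts every request URL it matches; the session token has the usual ASP.NET cookieless shape, 24 characters from a-z and 0-5, embedded as /(S(<token>))/. The host name and the original and sanitized URLs are taken from the console output above; the other test URLs are constructed.

```javascript
// Added example for this thread; not code from the post, NoScript or ASP.NET.
// Assumptions (see lead-in): NoScript's exception list is one regex per line
// matched against the request URL; the ASP.NET cookieless token is 24 chars
// from [a-z0-5] placed in the path as /(S(<token>))/. www.mysite.com and the
// ORIGINAL URL come from the logged messages; the other URLs are constructed.

// Exception regex: this host only, a well-formed token somewhere in the path,
// and at most a query string built from characters that cannot carry markup
// or script. Paste the pattern between the slashes as one line into the list.
const XSS_EXCEPTION =
  /^https?:\/\/(?:www\.)?mysite\.com\/[^?#]*\/\(S\([a-z0-5]{24}\)\)\/[^?#]*(?:\?[\w%&=.\-]*)?$/;

// The same token shape, used to pull the session id out of a path the way
// ASP.NET's cookieless mode has to; null when no (S(...)) segment is present.
const SESSION_SEGMENT = /\/\(S\(([a-z0-5]{24})\)\)\//;

function isExemptUrl(url) {
  return XSS_EXCEPTION.test(url);
}

function extractSessionId(url) {
  const m = new URL(url).pathname.match(SESSION_SEGMENT);
  return m ? m[1] : null;
}

// Reproduce the rewrite the NoScript log shows: every parenthesis became %20.
// This only mimics the logged result, it is not NoScript's sanitizer; the
// #fragment NoScript appended does not affect the path and is left out.
function sanitizeLikeNoScript(url) {
  return url.replace(/[()]/g, '%20');
}

const ORIGINAL =
  'http://www.mysite.com/aa/road/(S(fku5v155vxkzjcahkd00fo55))/roadroutestart.aspx';

// After sanitizing, the path no longer contains a recognisable token, so the
// server treats "%20S%20fku...%20%20" as a literal directory and returns the
// "resource could not be found" page the poster saw.
function demo() {
  return {
    originalExempt: isExemptUrl(ORIGINAL),
    originalSession: extractSessionId(ORIGINAL),
    sanitizedSession: extractSessionId(sanitizeLikeNoScript(ORIGINAL)),
    benignQuery: isExemptUrl(ORIGINAL + '?route=12&dir=n'),
    // Constructed URLs that the exception must NOT match:
    otherHost: isExemptUrl('http://evil.example/aa/road/(S(fku5v155vxkzjcahkd00fo55))/x.aspx'),
    scriptInToken: isExemptUrl('http://www.mysite.com/aa/road/(S(alert(1)))/roadroutestart.aspx'),
    scriptInQuery: isExemptUrl(ORIGINAL + '?q=<script>alert(1)</script>'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the tight pattern is that an exception switches the XSS filter off for every URL it matches, so a loose entry such as `mysite\.com` would also wave through an attacker-controlled query string on the same site. Restricting the host, requiring the exact token alphabet and length, and allowing only harmless query characters keeps the exemption to the traffic that actually needs it; if the application relies on query parameters with richer characters, widen the query part deliberately rather than dropping it.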