[SOLVED] XSS-Protection blocks zattoo.com livestreaming

[Mad55]

If I access zattoo.com and try to view a channel, I recieve an error. Log tells:

Code: Select all

[NoScript] Blocking cross-site Javascript served from https://jquery-json.googlecode.com/files/jquery.json-2.2.min.js with wrong type info application/x-elc, attachment; filename="jquery.json-2.2.min.js" and included by http://zattoo.com/view#

I tried to exclude this query from XSS checking by adding:

Code: Select all

^https://jquery-json\.googlecode\.com/files/*

But this did not work.

Any suggestions?

[Thrawn]

Ick, this again. This site is using a very BAD method of serving up their JavaScript: they are linking to a code repository, where anyone could submit any kind of nasty they want. And the problem occurs because that repository correctly reports to the browser that this file is meant to be downloaded as an attachment, not included in the page, and NoScript respects that.

There is a workaround in this thread. A similar issue occurred in http://forums.informaction.com/viewtopi ... 34&p=39429.

You may also want to report this to the zattoo webmaster.

[Mad55]

Thanks for the links, they solved the issue for me.