XSS on YouTube

Ask for help about NoScript, no registration needed to post
Guest

Re: XSS on YouTube

Post by Guest »

1. Why does the XSS notification bar appear at the top even though I configured NoScript to show notifications at the bottom in the options?

2. Why doesn't NoScript have an option to show icons in the URL bar to notify the user instead of displaying a notification bar?
Mozilla/5.0 (Windows NT 5.0; rv:12.0) Gecko/20100101 Firefox/12.0
anonymoususer
Posts: 1
Joined: Fri Sep 20, 2013 4:23 am

Re: XSS on YouTube

Post by anonymoususer »

I confirm this is affecting me as well. I just updated to Firefox 24.0 - mozilla firefox for linux mint 1.0. After this update I am having cross-site scripting warnings every time I click on any video on YouTube. I assume that this is just an error due to changes in code on Firefox's end not being compatible with NoScript, but you can never be sure. I am not so much into programming as I am into personal security, so I don't want to take chances and edit the config like suggested below. I would feel much safer if NoScript support would push out an update or give an official fix to this problem from an admin on this board. I am never going to get rid of NoScript, but I hope this issue can get resolved soon. Thanks for all the help, and I love NoScript; please keep up the great work.

Some Infos:

Linux Mint 15 x64
Firefox 24.0 - for linux mint 1.0
Many addons installed, including Ghostery, NoScript, Adblock Plus, and the Adblock Plus pop-up addon, mostly for browser security.

Hope this helps!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
redwolfe_98
Senior Member
Posts: 71
Joined: Wed Apr 22, 2009 6:27 am
Location: South Carolina, USA

Re: XSS on YouTube

Post by redwolfe_98 »

Giorgio Maone wrote: I couldn't reproduce it
I am not experiencing the problem, either.
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
Guest

Re: XSS on YouTube

Post by Guest »

The warning also shows up on Firefox 20.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0
Guest

Re: XSS on YouTube

Post by Guest »

Using Firefox 20, two days ago I was testing this after hearing about it and couldn't reproduce it. At the time I noted down what Request Policy and NoScript were blocking. Here is the list on Sep 18:
Request Policy
  • google.com
    googleusercontent.com
    gstatic.com
Noscript
  • apis.google.com
Still on FX20, today (Sep 20) I tried again and still couldn't reproduce it; however, I found a few additional sites that Request Policy and NoScript are blocking. The new sites are in addition to the list above:
Request Policy
  • youtube-nocookie.com
    googlesyndication.com
    googletagservices.com
Noscript
  • googlesyndication.com
    googletagservices.com
I allowed googlesyndication.com and googletagservices.com in both Request Policy and NoScript, but again couldn't reproduce it.

If it may help, I've never allowed cookies on youtube.com, and this is the first time I've encountered youtube-nocookie.com.
Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
Guest

Re: XSS on YouTube

Post by Guest »

Hop! I got rid of the XSS warning when I tested the following edited pattern by adding it to Anti-XSS Protection Exceptions :o

^https?://(?:www\.)?(youtube\.com/)?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS on YouTube

Post by Giorgio Maone »

For whoever missed it, a stopgap solution is here.
I'm gonna add a structural work-around in next version, now please stop adding to this thread unless the above doesn't work for you.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Giorgio Maone
Site Admin

Re: XSS on YouTube

Post by Giorgio Maone »

Please check latest development build 2.6.8rc1, thanks.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: XSS on YouTube

Post by Thrawn »

If we're going to have an XSS exception for this, then I'd recommend also having an ABE rule to protect it, since it may allow actual XSS.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0
Giorgio Maone
Site Admin

Re: XSS on YouTube

Post by Giorgio Maone »

Thrawn wrote: If we're going to have an XSS exception for this, then I'd recommend also having an ABE rule to protect it, since it may allow actual XSS.
It's a built-in exception which checks both the origin and the target, therefore it's equivalent to having a restrictive rule like the one you're proposing.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
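The following is an added example, not NoScript's code and not code from anyone in this thread. It is a small model of how an Anti-XSS exception pattern gets applied, written to compare the three kinds of exception that have come up: the regex posted above as a workaround (`^https?://(?:www\.)?(youtube\.com/)?`), a target-only exception scoped to the comment widget, and an exception that checks both the requesting origin and the target, as the reply above describes for the built-in one. The URLs are constructed samples; the widget URL shape is assumed from the patterns quoted in this thread, and the origin-plus-target rule is an assumed model of the built-in behaviour, not NoScript's actual matching logic.

```javascript
// Added example (not NoScript's code and not from anyone in this thread):
// a model of how an Anti-XSS exception pattern is applied, used to compare
// the exception styles discussed in the thread. All URLs are constructed
// samples; the comment-widget URL shape follows the patterns quoted in the
// thread, and the origin check is an assumed model of "checks both origin
// and target", not NoScript's real implementation.

// The workaround posted above. Both groups after "^https?://" are optional,
// so the pattern accepts every http(s) URL, not only YouTube ones.
const POSTED_EXCEPTION = /^https?:\/\/(?:www\.)?(youtube\.com\/)?/;

// A target-only exception in the style of the comment-widget patterns.
const WIDGET_TARGET =
  /^https:\/\/apis\.google\.com\/u\/0\/_\/widget\/render\/comments\?/;

// A two-sided exception: the request must come from a YouTube page AND go
// to the comment widget. Either side alone is not enough.
const ORIGIN_AND_TARGET = {
  origin: /^https?:\/\/(?:www\.)?youtube\.com\//,
  target: WIDGET_TARGET,
};

// Target-only exception: exempt when the destination URL matches.
function exemptByTarget(pattern, targetUrl) {
  return pattern.test(targetUrl);
}

// Origin-and-target exception: exempt only when both sides match.
function exemptByOriginAndTarget(rule, originUrl, targetUrl) {
  return rule.origin.test(originUrl) && rule.target.test(targetUrl);
}

// Constructed requests: a legitimate widget load from a YouTube page, the
// same widget URL requested from an unrelated page, and a request to an
// unrelated host carrying a script-looking payload in its query string.
const WIDGET_URL =
  "https://apis.google.com/u/0/_/widget/render/comments?hl=en&href=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Dabc";
const SAMPLES = [
  { note: "widget from youtube",
    origin: "https://www.youtube.com/watch?v=abc", target: WIDGET_URL },
  { note: "widget from elsewhere",
    origin: "https://attacker.example/page", target: WIDGET_URL },
  { note: "payload to other host",
    origin: "https://www.youtube.com/watch?v=abc",
    target: "https://victim.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E" },
];

// Evaluate every sample against the three exception styles; true means
// "XSS filtering would be skipped for this request".
function evaluate(samples) {
  return samples.map(({ note, origin, target }) => ({
    note,
    posted: exemptByTarget(POSTED_EXCEPTION, target),
    widgetOnly: exemptByTarget(WIDGET_TARGET, target),
    originAndTarget: exemptByOriginAndTarget(ORIGIN_AND_TARGET, origin, target),
  }));
}

// True when the pattern exempts every URL in the list, i.e. it amounts to
// switching XSS filtering off rather than carving out one scoped exception.
function exemptsAll(pattern, urls) {
  return urls.every((u) => exemptByTarget(pattern, u));
}

for (const row of evaluate(SAMPLES)) {
  console.log(row);
}
```

Run under Node; the three rows show the posted pattern exempting all three requests (including the payload to an unrelated host), the widget-only pattern exempting the widget URL regardless of who requested it, and the origin-plus-target rule exempting only the widget load that actually comes from a YouTube page.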
cartel
Junior Member
Posts: 46
Joined: Sun Jul 14, 2013 11:31 pm

Re: XSS on YouTube

Post by cartel »

Any updates on this?
I'm on Palemoon 24.01 and I tried
^https://plus\.googleapis\.com/_/im/_/widget/render/comments\?
^https://apis\.google\.com/u/0/_/widget/render/comments\?

But I still get the warning. What I'm also seeing is a blue drop-down, just like the warning bar, that is blue and has some advertising text on it.
It's like a slide-in at the top of the browser window on YouTube.

Thanks


edit
I found an image of the blue bar and how to remove it using Adblock:

http://www.youtube.com/watch?v=TXenC_9VCiI
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130917 Firefox/24.0 PaleMoon/24.0.1
Thrawn
Master Bug Buster

Re: XSS on YouTube

Post by Thrawn »

Giorgio Maone wrote:
Thrawn wrote: If we're going to have an XSS exception for this, then I'd recommend also having an ABE rule to protect it, since it may allow actual XSS.
It's a built-in exception which checks both the origin and the target, therefore it's equivalent to having a restrictive rule like the one you're proposing.
OK :)
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0
Mastacheata
Posts: 6
Joined: Tue Jan 04, 2011 9:49 am

Re: XSS on YouTube

Post by Mastacheata »

Giorgio Maone wrote: Please check latest development build 2.6.8rc1, thanks.
XSS notifications are gone (that part was OK with the manual exception rule as well), and the most important part: navigating between different videos on YouTube works again!
Thank you very much.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
redwolfe_98
Senior Member

Re: XSS on YouTube

Post by redwolfe_98 »

Giorgio, you said for people to stop posting to this thread; however, I want to say again that I am not experiencing the same problem with build 2.6.7.1, so I am wondering if the "problem" isn't being caused by some other addon that people are using, in addition to NoScript.

After reading the other posts, where people said that they were concerned about allowing XSS, I am leery of using the new build 2.6.8.1.

Also, if Google caused the problem with the way that they had YouTube set up, I am thinking that maybe they fixed the problem.
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS on YouTube

Post by barbaz »

@redwolfe_98:
redwolfe_98 wrote: After reading the other posts, where people said that they were concerned about allowing XSS, I am leery of using the new build 2.6.8.1.
I think you can turn the exception off by going to about:config and setting noscript.filterXExceptions.yt_comments to false; see http://forums.informaction.com/viewtopi ... 111#p48111
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 SeaMonkey/2.21