False positive in the new firefox persona sign in

Rika Pi · Post by **Rika Pi** » Tue Jan 21, 2014 1:13 pm

Hello,
I am a new user of NoScript so I apologize on my general newbines,
But I would like to report that NoScript has a false positive on its XSS Blocking in webmaker.org and beta.openbages.org
When I tried to log in using persona NoScript Blocked me on the grounds of suspected XSS.
I hope that some one may help me on this.
like how can I put an exception for it?

Thanks in advanced

Post by **barbaz** » Tue Jan 21, 2014 1:48 pm

read messages in the browser console (ctrl-shift-j) and see http://forums.informaction.com/viewtopi ... =7&t=17774 for how to make exception
if you can't figure it out, post here the related console messages

Post by **Giorgio Maone** » Tue Jan 21, 2014 2:19 pm

I couldn't reproduce on either website.
Please look for any "[NoScript..." message in your browser console (ctrl+shift+J) and report back here, thank you.

Rika Pi · Post by **Rika Pi** » Tue Jan 21, 2014 4:13 pm

what i got from my browser console. Also did not appear this time. So I guess it's fixed? I clicked ignore a bunch of times...

GET https://gmail.login.persona.org/provision [HTTP/1.1 200 OK 1659ms]
Security Error: Content at https://gmail.login.persona.org/ may not load data from https://login.persona.org/sign_in.
The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead. provision
This site specified both an X-Content-Security-Policy/Report-Only header and a Content-Security-Policy/Report-Only header. The X-Content-Security-Policy/Report-Only header(s) will be ignored.

Post by **Giorgio Maone** » Tue Jan 21, 2014 5:01 pm

Rika Pi wrote:what i got from my browser console. Also did not appear this time. So I guess it's fixed? I clicked ignore a bunch of times...

GET https://gmail.login.persona.org/provision [HTTP/1.1 200 OK 1659ms]
Security Error: Content at https://gmail.login.persona.org/ may not load data from https://login.persona.org/sign_in.
The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead. provision
This site specified both an X-Content-Security-Policy/Report-Only header and a Content-Security-Policy/Report-Only header. The X-Content-Security-Policy/Report-Only header(s) will be ignored.

Those messages are not from NoScript, but from Firefox itself.
Looks like they've got a semi-obsolete CSP configuration and the browser complains about it.

Rika Pi · Post by **Rika Pi** » Wed Jan 22, 2014 10:28 am

Well I guess I have no more problem sorry to disturb you all.

InformAction Forums

False positive in the new firefox persona sign in

False positive in the new firefox persona sign in

Re: False positive in the new firefox persona sign in

Re: False positive in the new firefox persona sign in

Re: False positive in the new firefox persona sign in

Re: False positive in the new firefox persona sign in

Re: False positive in the new firefox persona sign in