New gmx web interface

[Luigi]

Hello,
2.8.24 breaks the new gmx.com web interface due to XSS.
I wish there was a way to whitelist it, it keeps asking me for confirmation.

It can be tested even without an account, problem being on login.

Regards

[therube]

URL to gmx?

What is the XSS message in Error Console?

[Luigi]

URL to gmx?

https://www.gmx.com, as I said you can use fake login credentials
and this error will still show up.

What is the XSS message in Error Console?

Code: Select all

[NoScript XSS] Sanitized suspicious upload to [https://login.gmx.com/login#.1559516-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29-%24%28dataCenter%29.gmx.com%2Flogin] from [https://www.gmx.com/]: transformed into a download-only GET request.
Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. jquery.min.js:3
Use of getUserData() or setUserData() is deprecated.  Use WeakMap or element.dataset instead. requestNotifier.js:64
Blocked loading mixed active content "http://s.uicdn.com/gmx.com/current/min/lib-head-final.js"
Blocked loading mixed active content "http://s.uicdn.com/gmx.com/current/min/default-final.css"
Blocked loading mixed active content "http://s.uicdn.com/gmx.com/current/min/lib-body-end-final.js"
Loading mixed (insecure) display content on a secure page "http://s.uicdn.com/gmx.com/current/img/favicon.ico"

[Giorgio Maone]

Please try adding the following line to your NoScript Options|Advanced|XSS exceptions box:

Code: Select all

^@https://www.gmx.com/

[Guest]

Please try adding the following line to your NoScript Options|Advanced|XSS exceptions box:

Code: Select all

^@https://www.gmx.com/

Thanks, that did the trick.

[Giorgio Maone]

Please try adding the following line to your NoScript Options|Advanced|XSS exceptions box:

Code: Select all

^@https://www.gmx.com/

Thanks, that did the trick.

You can drop the exception and check latest development build 2.6.8.25rc1 instead, now, thanks.

[Luigi]

Please try adding the following line to your NoScript Options|Advanced|XSS exceptions box:

Code: Select all

^@https://www.gmx.com/

Thanks, that did the trick.

You can drop the exception and check latest development build 2.6.8.25rc1 instead, now, thanks.

Works for https, but not http

[Giorgio Maone]

Works for https, but not http

NoScript Options|Advanced|HTTPS, force .gmx.com.

[LeeB]

^@https://www.gmx.com/
^@https://gmx.com/
^@https://s.uicdn.com
^@http://www.gmx.com/
^@http://gmx.com/
^@http://s.uicdn.com

[Giorgio Maone]

^@https://www.gmx.com/
^@https://gmx.com/
^@https://s.uicdn.com
^@http://www.gmx.com/
^@http://gmx.com/
^@http://s.uicdn.com

Oh well, then just

Code: Select all

^@https?://(?:(?:www\.)?gmx|s\.uicdn)\.com/

[NS User]

Thanks Giorgio, the dev build fixed the GMX login (https)

I thought I`d been hacked, phished or some other awful disaster when I first saw it.

[Luigi]

^@https://www.gmx.com/
^@https://gmx.com/
^@https://s.uicdn.com
^@http://www.gmx.com/
^@http://gmx.com/
^@http://s.uicdn.com

Oh well, then just

Code: Select all

^@https?://(?:(?:www\.)?gmx|s\.uicdn)\.com/

I'm confused. Do I have to ad that rule even on the devel preview?

[Giorgio Maone]

Code: Select all

^@https?://(?:(?:www\.)?gmx|s\.uicdn)\.com/

I'm confused. Do I have to ad that rule even on the devel preview?

Only if you still have got problems after forcing HTTPS on .gmx.com.

[Luigi]

Code: Select all

^@https?://(?:(?:www\.)?gmx|s\.uicdn)\.com/

I'm confused. Do I have to ad that rule even on the devel preview?

Only if you still have got problems after forcing HTTPS on .gmx.com.

I had to login twice every time, that line seems to have solved that.

[Giorgio Maone]

Included in NoScript 2.6.8.25.
The built-im implementation is slightly safer, thus please remove the hand-made exception.