Other exceptions to XSS needed? Plus 2nd Q

glnz
Junior Member
Posts: 25
Joined: Sat Sep 04, 2010 12:43 pm


Post by glnz »

Dear NoScript team: Not a tech person, so the more advanced features of NS are ... well ... too advanced for me. But I notice your new update says "Fixed XSS false positive on the new gmx.com webmail login."

This reminds me that, on Firefox with NS, I've had a lot of XSS blocks when trying to log onto blogs and forums maintained by Lithium, including the forum for Verizon DSL and others. Verizon finally suggested that I add this exception:
^https://signin.verizon.com/sso/authsso/ ... yLogin.jsp
and it works. But the same issue continues to appear elsewhere.

Is this the same issue as "Fixed XSS false positive on the new gmx.com webmail login"?

Maybe there's a need for a request line from us to you asking for help when we can't log onto forums due to XSS blocks.

Since I'm writing, there's also a different issue: Sometimes I just want to permit everything on a website or web page. When I hit "Temporarily allow all this page", it works only for the scripts that had already tried to run. Now, it permits them, but if additional scripts get triggered, they get blocked unless I hit "Temporarily allow all this page" again, and again, and again. Could there be a super-button for "Temporarily allow all this page AND I MEAN IT" that pulls all of NS back so that we don't have to keep hitting "Temporarily allow all this page"?

Thanks.
Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
barbaz
Senior Member
Posts: 11163
Joined: Sat Aug 03, 2013 5:45 pm

Re: Other exceptions to XSS needed? Plus 2nd Q

Post by barbaz »

glnz wrote: Could there be a super-button for "Temporarily allow all this page AND I MEAN IT" that pulls all of NS back so that we don't have to keep hitting "Temporarily allow all this page"?

It's called "Scripts Globally Allowed (dangerous)".
You can emulate that per-tab by tweaking auto reload settings in about:config (but be careful doing that).

Also, FYI you can configure a hotkey for Temporarily allow all this page to make it easier to do that repeatedly.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Other exceptions to XSS needed? Plus 2nd Q

Post by Thrawn »

glnz wrote: Verizon finally suggested that I add this exception:
^https://signin.verizon.com/sso/authsso/ ... yLogin.jsp
and it works. But the same issue continues to appear elsewhere.

You would be safer with:

^https://signin\.verizon\.com/sso/authsso/communityLogin\.jsp$

glnz wrote: Is this the same issue as "Fixed XSS false positive on the new gmx.com webmail login"?

Hard to say. Can you look in Tools-Web Developer-Browser Console (or Ctrl+Shift+J) for any lines starting with [NoScript XSS] and paste them here? Preferably inside [ code ] tags.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0
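
Added example, not part of the thread: why the escaped, `$`-anchored exception in the post above is narrower than a loosely written one, assuming the exception is applied as a JavaScript regular expression against the request URL. The `LOOSE` pattern, the sample URLs and the function names are constructed for illustration.

```javascript
// Added example. Assumes an XSS exception is a JavaScript regex tested against the URL.
// STRICT is the pattern from the post above. LOOSE is constructed here by removing
// the escapes and the trailing `$`; it is not the exact string Verizon supplied.
const STRICT = String.raw`^https://signin\.verizon\.com/sso/authsso/communityLogin\.jsp$`;
const LOOSE = "^https://signin.verizon.com/sso/authsso/communityLogin.jsp";

// Constructed sample URLs (not taken from the thread).
const SAMPLES = [
  "https://signin.verizon.com/sso/authsso/communityLogin.jsp",           // intended page
  "https://signin.verizon.com/sso/authsso/communityLogin.jsp?next=abc",  // extra query string
  "https://signin.verizon.com/sso/authsso/communityLogin.jspx/other",    // longer path
  "https://signinXverizon.com/sso/authsso/communityLogin.jsp",           // different host
];

// Static review of the pattern text (character classes are not parsed).
function auditException(source) {
  const findings = [];
  if (!source.startsWith("^")) findings.push("no start anchor");
  // A trailing `$` that is not escaped anchors the match at the end of the URL.
  if (!/(^|[^\\])(\\\\)*\$$/.test(source)) findings.push("no end anchor");
  // A dot that is not escaped matches any character, not just a literal dot.
  if (/(^|[^\\])(\\\\)*\./.test(source)) findings.push("unescaped dot");
  return findings;
}

// URLs from the list that the exception would exempt from XSS filtering.
function exemptedUrls(source, urls) {
  const re = new RegExp(source);
  return urls.filter((u) => re.test(u));
}

for (const [name, src] of [["strict", STRICT], ["loose", LOOSE]]) {
  console.log(name, auditException(src), exemptedUrls(src, SAMPLES));
}
```

The strict pattern exempts only the exact login page, so requests to it that carry extra data still go through the XSS filter; the loose one exempts every sample in the list.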
barbaz
Senior Member
Posts: 11163
Joined: Sat Aug 03, 2013 5:45 pm

Re: Other exceptions to XSS needed? Plus 2nd Q

Post by barbaz »

glnz wrote: Could there be a super-button for "Temporarily allow all this page AND I MEAN IT" that pulls all of NS back so that we don't have to keep hitting "Temporarily allow all this page"?

Also, new in NS 2.6.8.26: (from http://forums.informaction.com/viewtopi ... 701#p69787)

Giorgio Maone wrote: "Cascade parent document's permissions to 3rd party scripts" (noscript.cascadePermissions)
  • If /true/, user will just need to allow/forbid the top-level document's origin or forbid it, to block/unblock all the scripts on the page (including those in subdocuments): also, in order to avoid confusion, when this mode is active the NoScript menu will show Forbid/Allow commands for the top-level origin only (currently in bold).
  • If /false/, current behavior which allows full granularity to forbid/allow scripts by their origin will be kept.
  • In either case, subdomain scripts from 'untrusted'/blacklisted sites will continue to be blocked, and if the user has selected to enable the "Untrusted" NoScript appearance option, these subdomain blacklist choices will still be displayed.
  • NoScript will provide an associated configuration UI control for this preference.

So, you could also now try toggling "noscript.cascadePermissions" in about:config when you want that behavior.
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 (PaleMoon)