Whitelisting XSS

ronin
Posts: 2
Joined: Tue Jun 24, 2014 1:58 am

Whitelisting XSS

Post by ronin »

I seem to be having issues with whitelisting sites for XSS. If I want to allow all traffic from a site such as www.foo.com, what is the proper rule to place? I don't quite understand the meta characters needed to allow all content from a particular site. I tried to follow a couple of the examples but have to do an unsafe reload almost every time. This is so frustrating that I am tempted to disable completely or use another browser for visiting a particular trusted site that is employing XSS.

Thanks in advance.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
barbaz
Senior Member
Posts: 11163
Joined: Sat Aug 03, 2013 5:45 pm

Re: Whitelisting XSS

Post by barbaz »

See the sticky for details.
Basically, it boils down to the fact that you need to know regular expressions to make XSS exceptions. Personally I learned regex from this tutorial. I'll post a couple of basic examples anyway; you can reuse those patterns in the meantime.

If you want to allow all requests originating from a site (I'll use www.foo.com as an example too), you need to make a regular expression which matches "@" followed by its URL. Assuming you trust all other subdomains of foo.com as well as foo.com itself, this would be what you enter in NoScript Options -> Advanced -> XSS -> XSS exceptions:


^@https?://(?:[^/:]+\.)?foo\.com[^0-9A-Za-z%_\.-]
Otherwise, if you want strict protocol+domain+port matching (recommended wherever possible as stricter is better) - if, say, you want to allow all XSS from "https://www.foo.com" on the default port, you would use


^@https://www\.foo\.com/
Hope that helps.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20121201 icecat/17.0.1
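An added worked example (not from the thread or from NoScript itself) that exercises barbaz's two patterns above. It feeds them strings of the form "@" + origin URL, which is the shape barbaz describes the exception as matching; how NoScript assembles the full string internally is not shown here, and all of the sample origins are constructed for illustration. It also shows, as a generalization of the strict pattern, a small helper that builds such a pattern from a scheme and host with the dots escaped, which is exactly the "missing a critical character" mistake ronin describes.

```javascript
// Added example, not code from the NoScript forum thread or from NoScript.
// The two rules below are copied verbatim from barbaz's post; the test
// strings are constructed as "@" + origin URL, as barbaz describes.

// Broad rule: any scheme, foo.com or any subdomain, any port, and the
// character after the host must be a URL delimiter (not a hostname char).
const broadRule = /^@https?:\/\/(?:[^\/:]+\.)?foo\.com[^0-9A-Za-z%_\.-]/;

// Strict rule: https only, exactly www.foo.com, default port, path follows.
const strictRule = /^@https:\/\/www\.foo\.com\//;

// Apply a rule to an origin URL using the "@" + URL shape from the post.
function matchesRule(rule, originUrl) {
  return rule.test("@" + originUrl);
}

// Build a strict exception pattern string (the text you would paste into
// NoScript Options -> Advanced -> XSS) for one scheme and host. Every regex
// metacharacter in the host, most importantly ".", is escaped so that
// "foo.com" cannot accidentally match "fooXcom". Hypothetical helper.
function strictExceptionPattern(scheme, host) {
  const escapedHost = host.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return "^@" + scheme + "://" + escapedHost + "/";
}

// Constructed sample origins: legitimate foo.com origins plus look-alike
// hosts an attacker could register. None of these are real measurements.
const samples = [
  "https://www.foo.com/",
  "http://foo.com/login?next=x",
  "https://foo.com:8443/api",
  "https://a.b.foo.com/",
  "https://foo.com",               // no delimiter after the host at all
  "https://evilfoo.com/",          // prefix look-alike
  "https://foo.com.evil.net/",     // suffix look-alike
  "https://www.foo.com.evil.net/",
  "https://foo.comx/",
  "http://www.foo.com/",
];

// Return a map of origin -> whether the given rule would match it.
function evaluate(rule) {
  const result = {};
  for (const url of samples) {
    result[url] = matchesRule(rule, url);
  }
  return result;
}

// Stand-alone usage: print both decision tables side by side.
for (const url of samples) {
  console.log(
    url.padEnd(34),
    "broad:", String(matchesRule(broadRule, url)).padEnd(5),
    "strict:", matchesRule(strictRule, url)
  );
}
```

Two things the table makes visible: the trailing `[^0-9A-Za-z%_\.-]` in the broad rule is what stops `foo.com.evil.net` from matching (the next character after `foo.com` is a dot, which is excluded), and it also means a bare `https://foo.com` with nothing after the host does not match, because the class demands that one more character exist. The strict rule rejects everything except `https://www.foo.com/...` on the default port, including the look-alike hosts and the plain-http variant.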
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Whitelisting XSS

Post by Thrawn »

The first thing to do is to paste the error console messages here. Giorgio might be able to improve the filter so you don't need the exception.

If the spam filter gets in the way, you can send it to a moderator via private message.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
ronin
Posts: 2
Joined: Tue Jun 24, 2014 1:58 am

Re: Whitelisting XSS

Post by ronin »

Thanks barbaz, I was close but your example was a great help. If you are missing a critical character it is sometimes difficult to see.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0