I've been having a problem the last month or so with being unable to upload attachments to Yahoo! Mail messages that I was sending out. I'd see a message flash by saying something about a cross-site script thingie being blocked, then an error message on the attachment page saying that Yahoo! Mail can't upload anything bigger than 25MB. This confused me because none of the attachments I was trying to send were larger than 1MB. Finally, today, I managed to stop the page reloading in time to read the message, and what I saw was the following message:
"NoScript filtered a potential cross-site scripting (XSS) attachment from (https://us-mg6.mail.yahoo.com). Technical details have been logged to the Console."
Obviously, this isn't supposed to be happening, because yahoo.com, including mail.yahoo.com, is on my whitelist. I did both antivirus and malware scans last weekend and didn't find anything that looked like an obvious culprit. I'm using Firefox 28.0 (I actually had 29.0.1 for a while, but backed out to 28.0 because of numerous reported issues with the most recent version) and NoScript 2.6.8.28.
Has anyone else encountered a similar problem, and if so, what's the workaround for it? Will I have to go into XSS (in Options) to fix this, and if so, what should I put in the box?
EDIT: Here's what I got in the Firefox Error Console from my most recent attempt to upload an attachment to an outgoing Yahoo! Mail message:
[NoScript XSS] Sanitized suspicious upload to [https://bf1-attach.mail.yahoo.com/us.f1 ... ----------
(body of message omitted)
] from [https://us-mg6.mail.yahoo.com/neo/b/com ... 2039845448]: transformed into a download-only GET request.
Use of getUserData() or setUserData() is deprecated. Use WeakMap or element.dataset instead. requestNotifier.js:63
POST https://comet.yahoo.com/comet [HTTP/1.1 200 OK 13169ms]
GET http://127.0.0.1:10000/version/ [257ms]
GET http://127.0.0.1:10015/version/ [HTTP/1.0 200 OK 5ms]
GET http://127.0.0.1:10078/version/ [257ms]
GET http://127.0.0.1:10231/version/ [256ms]
GET http://127.0.0.1:10516/version/ [257ms]
GET http://127.0.0.1:10015/btapp/ [HTTP/1.1 200 OK 16ms]
GET http://127.0.0.1:10015/btapp/ [HTTP/1.1 200 OK 10ms]
"trying to connect to an undefined client" timers.js:43
(and this kept repeating)
Noscript XSS prevents uploading attachments to Yahoo Mail
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Re: Noscript XSS prevents uploading attachments to Yahoo Mai
Try adding
^@https://[0-9A-Za-z-]+\.mail\.yahoo\.com/
to NoScript Options -> Advanced -> XSS -> XSS Exceptions
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:30.0) Gecko/20100101 Firefox/30.0 SeaMonkey/2.27a2
Re: Noscript XSS prevents uploading attachments to Yahoo Mai
Thank you, barbaz! That did the trick; I tested it just now and uploading attachments to Yahoo! Mail works again.
I'm fairly certain that the problem lies somewhere in the coding of the newest version of Yahoo! Mail that users were required to switch to a couple of months back; before, I think, sometime in April I'd not had any issue with the procedure. And uploading works fine on every other website that I've attempted, so I'm almost certain it was a problem specific to some interaction between the new version of Yahoo! Mail and recent/current versions of NoScript.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Re: Noscript XSS prevents uploading attachments to Yahoo Mai
barbaz wrote:
Try adding
^@https://[0-9A-Za-z-]+\.mail\.yahoo\.com/
to NoScript Options -> Advanced -> XSS -> XSS Exceptions

OMG I spent many many many hours trying to find a fix for my Yahoo Mail not working properly when NoScript was enabled (and I would go without it so I didn't give up). Then by fluke I found turning XSS off fixed the problem, but that's risky, so from there I was able to narrow my search down to find problems with Yahoo Mail in relation to XSS, and that's when I found your post. Thanks so much, how did you work out the syntax for that!? Damn, I tried just yahoo.com
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 BLNGBAR
Re: Noscript XSS prevents uploading attachments to Yahoo Mai
maka wrote:
Thanks so much, How did you work out the syntax for that!?

You're welcome.
There is now a sticky documenting how to make XSS exceptions if you're interested. It's basically just regular expressions, which I personally learned from this tutorial.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 SeaMonkey/2.28
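Added example (not part of the original thread and not NoScript's own code): a check of which URLs the exception quoted above covers, compared with a bare `yahoo.com` pattern. It assumes the `@` after `^` is a NoScript marker that is dropped before the rest is used as an ordinary regular expression; the function names and sample URLs are constructed for illustration.

```javascript
// Added example; not NoScript's code. It models only the regular-expression
// part of the exception line quoted in the thread.
const EXCEPTION = String.raw`^@https://[0-9A-Za-z-]+\.mail\.yahoo\.com/`;
// What one poster says they tried first, read here as an unanchored regex.
const LOOSE = "yahoo.com";

// Assumption: the "@" after "^" is a NoScript marker rather than regex
// syntax, so it is dropped and the rest is compiled as a normal RegExp.
function compileException(line) {
  return new RegExp(line.startsWith("^@") ? "^" + line.slice(2) : line);
}

// Return the subset of urls that the exception line would cover.
function exemptUrls(line, urls) {
  const re = compileException(line);
  return urls.filter((url) => re.test(url));
}

// Constructed URLs. The first two hosts appear in the console log earlier
// in the thread; the paths and all other entries are made up.
const SAMPLES = [
  "https://us-mg6.mail.yahoo.com/constructed/path",
  "https://bf1-attach.mail.yahoo.com/constructed/path",
  "http://us-mg6.mail.yahoo.com/",                    // plain HTTP
  "https://mail.yahoo.com/",                          // no label before .mail
  "https://a.b.mail.yahoo.com/",                      // "." is not in the class
  "https://us-mg6.mail.yahoo.com.example.net/",       // look-alike suffix
  "https://example.net/?u=https://x.mail.yahoo.com/", // name only in the query
  "https://yahooXcom.example.net/",                   // unescaped "." in LOOSE
];

for (const line of [EXCEPTION, LOOSE]) {
  console.log(line);
  const hit = new Set(exemptUrls(line, SAMPLES));
  for (const url of SAMPLES) {
    console.log(hit.has(url) ? "  exempt " : "  checked", url);
  }
}
```

The anchored pattern exempts only HTTPS URLs whose host is a single label directly under `mail.yahoo.com`; the bare `yahoo.com` regex would exempt every sample, including the look-alike hosts.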
Re: Noscript XSS prevents uploading attachments to Yahoo Mai
You also have the option of using the mobile version of the site, https://m.yahoo.com/mail
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Dillo/3.0.3