This site's doppler radar (image, animated, etc.) won't display even when NoScript is set to globally allow scripts:
http://baynews9.com/content/news/baynew ... radar.html
If I disable the Firefox plugin, it works fine. I don't know what to modify in the settings to allow this one site as whitelisting it did not correct the problem.
Thank you for listening.
T.H.
Weather site blocked even when NS is turned off
-
Thurston S Howell
- Posts: 2
- Joined: Wed Sep 24, 2014 3:46 am
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Re: Weather site blocked even when NS is turned off
Using a hammer, setting noscript.xss.checkInclusions (about:config) to false gets it working.
So I guess an exception is in order.
(I'll leave that to others.)
Adding s3.amazonaws.com/ to noscript.xss.checkInclusions.exceptions works, but (maybe) that is again too broad? (Ball-peen instead of a mallet.)
Code:
Blocking reflected script inclusion origin XSS from http://baynews9.com/content/news/baynews9/weather/klystron-9-radar.html: https://s3.amazonaws.com/static.baron.web.apps/digitial_wx/widgets/dcms/be2ed1b3-58c4-4742-a921-fd8a5084afa6/live/init.js
embedded by
http://s3.amazonaws.com/static.baron.web.apps/digitial_wx/pages/n2.adaptive/map/index.html?initjson=https://s3.amazonaws.com/static.baron.web.apps/digitial_wx/widgets/dcms/be2ed1b3-58c4-4742-a921-fd8a5084afa6/live/init.js&initjsonvar=initdata
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 SeaMonkey/2.29
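Added example, not part of the thread and not NoScript's own code: a simplified model of the "reflected script inclusion" condition in the console message above, using the two URLs from that message. The exception matching (a scheme-less host/path prefix) and the second bucket name are assumptions made for illustration; the point is why `s3.amazonaws.com/` is a broad exception on a shared host.

```javascript
// Simplified model of a reflected-script-inclusion check (illustration only).

// URLs copied from the console message in this thread.
const EMBEDDER = "http://s3.amazonaws.com/static.baron.web.apps/digitial_wx/pages/n2.adaptive/map/index.html?initjson=https://s3.amazonaws.com/static.baron.web.apps/digitial_wx/widgets/dcms/be2ed1b3-58c4-4742-a921-fd8a5084afa6/live/init.js&initjsonvar=initdata";
const SCRIPT = "https://s3.amazonaws.com/static.baron.web.apps/digitial_wx/widgets/dcms/be2ed1b3-58c4-4742-a921-fd8a5084afa6/live/init.js";

// Return the name of the embedding page's query parameter that carries the
// script URL, or null when the script URL does not come from the request.
function reflectedParam(embedderUrl, scriptUrl) {
  const wanted = new URL(scriptUrl).href;
  for (const [name, value] of new URL(embedderUrl).searchParams) {
    let candidate;
    try {
      candidate = new URL(value, embedderUrl).href; // also resolves relative values
    } catch (e) {
      continue; // value cannot be parsed as a URL
    }
    if (candidate === wanted) return name;
  }
  return null;
}

// Assumed semantics: an exception is a scheme-less "host/path" prefix.
function isExcepted(scriptUrl, exceptions) {
  const u = new URL(scriptUrl);
  const hostPath = u.host + u.pathname;
  return exceptions.some((prefix) => hostPath.startsWith(prefix));
}

// Block only when the script URL is reflected from the request and not excepted.
function wouldBlock(embedderUrl, scriptUrl, exceptions = []) {
  return reflectedParam(embedderUrl, scriptUrl) !== null &&
         !isExcepted(scriptUrl, exceptions);
}

// Constructed URLs: a different, hypothetical bucket on the same shared host.
const OTHER_SCRIPT = "https://s3.amazonaws.com/example-other-bucket/x.js";
const OTHER_EMBEDDER =
  "http://s3.amazonaws.com/example-other-bucket/index.html?initjson=" + OTHER_SCRIPT;

console.log(reflectedParam(EMBEDDER, SCRIPT));                                // initjson
console.log(wouldBlock(OTHER_EMBEDDER, OTHER_SCRIPT, ["s3.amazonaws.com/"])); // false
```

Under these assumptions, the host-wide prefix switches the check off for every bucket served from that host, while a prefix that includes the bucket path leaves other buckets checked.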
-
Thurston S Howell
- Posts: 2
- Joined: Wed Sep 24, 2014 3:46 am
Re: Weather site blocked even when NS is turned off
How did you perform that analysis to determine the source of the problem script?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Re: Weather site blocked even when NS is turned off
The message in the code block shows up in the Browser Console (Ctrl-Shift-J); from there you just have to know what the message means, and whether it's an actual threat or just a false positive / bad site design, and what to do in each case.
In this case, since you didn't know what the message meant, probably it was best to ask for help here. That's what I would have done in your place after finding that any XSS exceptions added in the GUI had no effect on this.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:32.0) Gecko/20100101 SeaMonkey/2.29.1
Re: Weather site blocked even when NS is turned off
The number-one question in my mind is: does this poor site design mean that the site is actually vulnerable to XSS?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0