[RESOLVED] basecamphq.com xfer to 123.writeboard.com blocked

[jwalling]

NoScript 2.6.9.10rc2
Browser is FireFox on Ubuntu

With NoScript enabled, I am unable to connect from
accountname.basecamphq.com to 123.writeboard.com
when I click on a Writeboards document link in Basecamphq.

I tried whitelisting both urls but I get stopped by a XSS warning and a password challenge.
How can I figure out what to whitelist if it is not obvious?
The error console messages are overwhelming - I see nothing obvious to help with a whitelist.

If I disable NoScript, I am able to make the Writeboard connection w/o delay.

[barbaz]

How can I figure out what to whitelist if it is not obvious?
The error console messages are overwhelming - I see nothing obvious to help with a whitelist.

NoScript related messages sometimes go by REALLY fast in the Error Console due to tremendous numbers of CSS warnings so you may need to run a video capture of it with the Messages tab open while the XSS warning is triggering then attempt to type the results here afterwards...
(InjectionChecker messages can have a horribly long regexp after the word 'matches' which you can skip typing that if you want )

Also XSS whitelists are regular expressions that get manually typed in @ NoScript Options > Advanced > XSS - so it's completely separate from normal whitelisting

[jwalling]

I posted NoScript console messages here
https://titanpad.com/FvH1xv6Qw4

[Giorgio Maone]

You can work around by adding this line to your NoScript Options|Advanced|XSS|Exceptions box:

Code: Select all

^https://\d+\.writeboard\.com/\w+/login$

[EDIT]: fixed the regular expression typo

[jwalling]

When I added to the XSS Exception box

Code: Select all

^https://\d+\.writeboard\.com/\b+/login$

or added

Code: Select all

^https?://\d+\.writeboard\.com/\b+/login$

All the other entries in the Exception box turned RED

These are the other entries

Code: Select all

^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
^https?://([a-z]*)\.?search\.yahoo\.com/search(?:\?|/\1\b)
^https?://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$
^https?://translate\.google\.com/translate_t[^"'<>\?%]+$

I assume RED means there is a problem

Nb: When I duplicated the last entry, it did not cause the other entries to turn RED.

Am I missing or misinterpreting something?

[barbaz]

I assume RED means there is a problem

RED means there's an invalid regex in XSS Exceptions

In this case, it's likely because

Code: Select all

\b+

is not valid regular expression syntax...

Try replacing '\b+' with

Code: Select all

[0-9A-Za-z]+

[jwalling]

Success!
basecamphq.com xfer to 123.writeboard.com worked
by adding this RegEx to XSS exceptions:

Code: Select all

^https?://\d+\.writeboard\.com/[0-9A-Za-z]+/login$

Thanks for quick responses.

[Giorgio Maone]

Code: Select all

\b+

is not valid regular expression syntax...

I meant \w+, sorry for the typo