Rather than whitelisting and blacklisting sites, I allow scripts globally and use NoScript primarily for the XSS, ClearClick and ABE protections.
Occasionally I will load a website and instead of adverts, I will see a load of HTML source without the opening < on each tag. I've gone through the various tick boxes in NoScript, and cannot make those particular adverts show up correctly unless I disable NoScript outright.
Now, I am assuming that these adverts are being modified by NoScript due to some security reason, but I am interested to know what that reason would be.
Here are a couple of examples of the same webpage. One shows NoScript in 'Allow Scripts Globally' mode, the other shows NoScript uninstalled.
NoScript uninstalled shows adverts on the Telegraph website
http://theten.co.uk/noscript-uninstalled.png
NoScript installed, but in allow all mode, converts adverts to HTML code
http://theten.co.uk/noscript-allowscriptsglobally.png
So why does this happen? What is being blocked?
Why are some adverts replaced with HTML code?
Last edited by barbaz on Fri Jul 24, 2015 4:26 pm, edited 1 time in total.
Reason: linkify images that were loading too slowly
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Re: Why are some adverts replaced with HTML code?
*Always* check the changelogs BEFORE updating that important software!
-
Re: Why are some adverts replaced with HTML code?
Sorry, I'm still confused as those links don't answer the question. Both those threads report the same behaviour, but neither explains why NoScript is actually blocking the adverts, which is what I'm asking.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Re: Why are some adverts replaced with HTML code?
01i wrote: but neither explains why NoScript is actually blocking the adverts
Sure they do. Did you actually read the whole threads (particularly the second)?
Feel free to ask for clarification afterwards.
*Always* check the changelogs BEFORE updating that important software!
-
Re: Why are some adverts replaced with HTML code?
Oh, so it seemingly would be XSS related.
I've seen that around, but never bothered with why it might or might not be there.
(I've probably mentioned elsewhere, but IMO, XSS related stuff ought to be more easily determinable.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1
Re: Why are some adverts replaced with HTML code?
Those threads make sense, but they don't really explain what's going on. What I can really make from them is that you think that http://tpc.googlesyndication.com is vulnerable to XSS and should be added to ABE with a deny rule. If I do that, then the Google ads that were being converted to HTML just get converted to a white space and an ABE error message instead.
Nothing has really been "fixed".
http://tpc.googlesyndication.com is a domain owned and hosted by Google, and is a part of the Google advertising system, used for serving certain types of rich ads, or tracked ads. Also, by blocking this domain, all Google ads served through it are blocked, rather than just adverts that NoScript converts to code. I have also learned that these ads typically have a high click-through rate, so blocking them is a disservice to the website owner.
While typing this I've done a bit of research, and this webpage explains what is going on.
http://www.iab.net/safeframe/safeframe_infographic
Having read this webpage, I believe that NoScript users should have the choice about whether they wish to trust safe frames or not, rather than having them blocked automatically.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Re: Why are some adverts replaced with HTML code?
01i wrote: Nothing has really been "fixed".
Well, the *real* fix is for the ads to not use/rely on inherently unsafe practices.
01i wrote: Having read this webpage, I believe that NoScript users should have the choice about whether they wish to trust safe frames or not, rather than having them blocked automatically.
You've already got the choice, but I do NOT recommend choosing to allow that because what it's doing is NOT safe. I'm also not completely sure how, but since you REALLY seem to want to do this.. see what this does?
NoScript Options > Advanced > XSS, add to Anti-XSS Protection Exceptions
^https?://tpc\.googlesyndication\.com/safeframe
*Always* check the changelogs BEFORE updating that important software!
-
Re: Why are some adverts replaced with HTML code?
The actual answer to "why does the HTML code appear?" is that it's probably a side effect of the way NoScript blocks the XSS vulnerability. NoScript alters the request to neutralise the suspicious payload, and the page is very unwisely dumping the result into its own code, so it makes sense that what was supposed to be markup (controllable by any other site!) becomes non-markup.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
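Added example, not part of any post in this thread and not NoScript's own code: a simplified model of the behaviour described in the last answer, showing why markup handed to a container through a cross-site request ends up displayed as text without its opening `<`, and how the exception pattern quoted earlier changes that. The `neutralise`, `filterRequest` and `renderContainer` functions, the container path and the ad markup are assumptions made up for illustration.

```javascript
// Simplified model (assumption): this is NOT NoScript's real filter. It only
// captures the idea from the thread: markup characters in a cross-site request
// are neutralised unless the destination URL matches an Anti-XSS exception.

// Exception pattern quoted in the thread.
const EXCEPTIONS = [/^https?:\/\/tpc\.googlesyndication\.com\/safeframe/];

// Hypothetical neutraliser: swap every "<" for a space so the payload can no
// longer open a tag when the destination echoes it.
function neutralise(payload) {
  return payload.replace(/</g, " ");
}

// Model of the request filter: returns the payload the destination will see.
function filterRequest(destUrl, payload, exceptions = []) {
  const exempt = exceptions.some((re) => re.test(destUrl));
  const suspicious = /<[a-z!\/]/i.test(payload);
  return exempt || !suspicious ? payload : neutralise(payload);
}

// Model of the ad container: it writes whatever it was handed straight into
// its own document, which is the unsafe practice discussed above.
function renderContainer(payload) {
  return `<body>${payload}</body>`;
}

// Constructed sample data (not taken from a real ad request).
const DEST = "http://tpc.googlesyndication.com/safeframe/container.html";
const AD = '<div class="ad"><a href="https://example.com/">Buy now</a></div>';

function demo() {
  // Default: the markup is neutralised, so the container shows tag text.
  const filtered = renderContainer(filterRequest(DEST, AD));
  // With the exception: the markup passes through and renders as an advert.
  const excepted = renderContainer(filterRequest(DEST, AD, EXCEPTIONS));
  // The pattern is anchored with ^, so a URL that merely contains the
  // safeframe address in its query string is still filtered.
  const lookalike = filterRequest(
    "http://other.example/?u=http://tpc.googlesyndication.com/safeframe",
    AD, EXCEPTIONS);
  return { filtered, excepted, lookalike };
}

console.log(demo());
```

The exception disables the filter for every request to that path, whichever site sends it, which is why the reply above advises against adding it.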