Welcome .mario
.mario wrote:I hope this is the right place
When you're in doubt if it's some sort of vulnerability, my email is a better choice.
If it's an usability bug or a RFE (like in this case), this place is perfect.
.mario wrote:
I did some testing with JAR files on remote locations and src attributes for script tags. Resulting in this example:
Code: Select all
<script src="jar://sites.google.com/site/jartest00mario/xss.jar!/attack2.js"></script>
[...]
'Block JAR remote resources being loaded as documents' was checked during testing. I assume this is not expected behavior.
This is actually the expected behavior, since the "Block JAR remote resources being loaded
as documents" is meant to block
documents, not scripts, and copes with an entirely different kind of potential attack scenario, i.e. a web site you want to XSS allows uploading of JARs but not publishing HTML pages, and you manage to sneak in HTML document inside a JAR and XSS the site.
So there's no NoScript bug here, but however I find Google's liberality with file types a bit disturbing and I can clearly see where you're going.
Therefore I'm considering yours as a RFE to block resources (scripts, CSS, whatever) from within JARs to be imported cross-site.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
.