Code: Select all
[NoScript XSS] Sanitized suspicious upload to [https://startpage.com/do/search] from [moz-nullprincipal:{[i]<some number>[/i]}]: transformed into a download-only GET request.
Code: Select all
[NoScript XSS] Sanitized suspicious upload to [https://startpage.com/do/search] from [moz-nullprincipal:{[i]<some number>[/i]}]: transformed into a download-only GET request.
I observed this with NoScript 2.9.5.1 on Firefox 50.[NoScript XSS] Sanitized suspicious upload to [https://searx.laquadrature.net/] from [moz-nullprincipal:UUID_HERE]: transformed into a download-only GET request.
Code: Select all
checkPost: function(channel, skip) {
if (!((channel instanceof Ci.nsIUploadChannel)
&& channel.uploadStream && (channel.uploadStream instanceof Ci.nsISeekableStream)))
return false;
var clen = -1;
try {
clen = chan.getRequestHeader("Content-length");
} catch(e) {}
MaxRunTime.increase(clen < 0 || clen > 300000 ? 60 : Math.ceil(20 * clen / 100000));
this.log("Extracting post data...");
return this.checkPostStream(channel.URI.spec, channel.uploadStream, skip);
},
Code: Select all
let stripPost = trustedTarget && originDomain && !trustedOrigin && ns.filterXPost &&
ns.getBaseDomain(originDomain) === ns.getBaseDomain(targetDomain);
Code: Select all
if (!(browserReq || res.fatal) &&
this.siteEnabled && channel instanceof Ci.nsIHttpChannel &&
!ABE.reqData(channel).preflght &&
req.destinationURI.schemeIs("https") &&
req.destinationURI.prePath != req.originURI.prePath &&
!(this.skipBrowserRequests && req.originURI.schemeIs("chrome") && !req.window) // skip preflight for window-less browser requests
) {