NoScript bug https://yandex.ru/video/

[Hobbix]

Visit here: https://yandex.ru/video/
I get a message about the XSS-attack. Video on the page does not load.

NoScript version: 2.9.5.3
Firefox 50.1.0

[Hobbix]

I added an exception rule, which has helped:

Code: Select all

^https://yastatic.net/video-player/?

[barbaz]

But is it safe?

Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)

[Hobbix]

But is it safe?

I do not know, please correct this rule, if required.

Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)

I can not paste the code to the forum, I receive an error:

Code: Select all

Ooops, something in your posting triggered my antispam filter...
Please use the "Back" button to modify your content and retry.

I see this in the console (screenshot):

[barbaz]

Ick. That's no bug in the XSS filter, it's doing its job. Putting HTML in a URL is just begging to be XSSed.

I'd change that exception to

Code: Select all

^@https://yandex.ru/video/

See the sticky for more info on XSS exceptions.

Moving to NoScript Support.