NoScript bug https://yandex.ru/video/

Hobbix
Posts: 7
Joined: Tue Jan 24, 2017 5:20 am


Post by Hobbix »

Visit here: https://yandex.ru/video/
I get a message about an XSS attack. The video on the page does not load.

NoScript version: 2.9.5.3
Firefox 50.1.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Hobbix
Posts: 7
Joined: Tue Jan 24, 2017 5:20 am

Re: NoScript bug https://yandex.ru/video/

Post by Hobbix »

I added an exception rule, which has helped:

Code:

^https://yastatic.net/video-player/?
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript bug https://yandex.ru/video/

Post by barbaz »

But is it safe?

Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
-
Hobbix
Posts: 7
Joined: Tue Jan 24, 2017 5:20 am

Re: NoScript bug https://yandex.ru/video/

Post by Hobbix »

barbaz wrote: But is it safe?
I do not know, please correct this rule, if required.
barbaz wrote: Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
I cannot paste the code into the forum; I receive an error:

Code:

Ooops, something in your posting triggered my antispam filter...
Please use the "Back" button to modify your content and retry.
I see this in the console (screenshot):
Image
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript bug https://yandex.ru/video/

Post by barbaz »

Ick. That's no bug in the XSS filter, it's doing its job. Putting HTML in a URL is just begging to be XSSed.

I'd change that exception to

Code:

^@https://yandex.ru/video/
See the sticky for more info on XSS exceptions.

Moving to NoScript Support.