This is from earlier in the month, and the Firefox console:
Code: Select all
[NoScript InjectionChecker] JavaScript Injection in ///o/oauth2/postmessageRelay?parent=https://basecamp.com&jsh=m;/_/scs/apps-static/_/js/k=oz.gapi.en_US.íGJrzvn5U.O/m=__features__/am=AQ/rt=j/d=1/rs=AGLTcCNDMcYVtrNM4guCjDss7jZkH0jDDg#rpctoken=399310344&forcesecure=1
(function anonymous(
) {
_/scs/apps-static/_/js/k==oz.gapi.en_US.íGJrzvn5U.O/m==__features__
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fbasecamp.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en_US.QeDGJrzvn5U.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCNDMcYVtrNM4guCjDss7jZkH0jDDg#rpctoken=399310344&forcesecure=1] requested from [https://basecamp.com/2185750/projects/13130887]. Sanitized URL: [https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fbasecamp.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%20oz.gapi.en_US.Q20GJrzvn5U.O%2Fm%20__features__%2Fam%20AQ%2Frt%20j%2Fd%201%2Frs%20AGLTcCNDMcYVtrNM4guCjDss7jZkH0jDDg#1376205676711909799].This is another error that I got shortly later. I am now getting this error (or one very similar to it) most of the time I try to download a file.
Code: Select all
This XML file does not appear to have any style information associated with it. The document tree is shown below.
SignatureDoesNotMatchThe request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.GET
1501722695
/bcx_production_attachments/c7b7aa69874749ddedec22200329aa950010 This is the response I got from Basecamp:
I suspect that the XSS error comes about when the Basecamp page tries to rename the GUID/gibberish file hosted on Google. I am able to have DownThemAll download the files without error, and they use the intended filenames, not the gibberish ones.This error you're seeing is because Basecamp's files are hosted by Google Cloud Services (GCS) and happens if the link you get to download a file from GCS expires.
Let's say you want to download a file from Basecamp. You'd normally go to an URL like this, clicking on the Download link: https://basecamp.com/1679267/projects/2 ... 8/download
This is a Basecamp URL, so when you access that, we check that you are signed in and have permission to see that file. Clicking on it, you are taken to this other URL, referencing the original file: https://asset1.basecamp.com/1679267/pro ... attachment
Again, another Basecamp URL that only works only if you are signed in and have permission to download the file. However, since we are hosting our files in GCS, this is where Basecamp territory ends. The response from requesting that URL is not the file, but a 302 redirection to a signed GCS URL that only works for a limited amount of time. That URL looks like this:
https://storage.googleapis.com/bcx_prod ... MGE8TUgTaJ...
That URL is from Google, and anybody can access the file if they have this specific URL. Over at googleapis they have no way of checking Basecamp credentials, permissions, etc. We then issue a signed URL that only works for a little while. If you wait some time, that will stop working, and the signature is different every time you try to download the same file.
I think what is happening to you with this error message is simply that you've got a googleapis URL for a file, that has since expired. This is redirection to GCS is also likely what is causing NoScript to throw warning messages.
Aside from visiting this website in IE and stripping away the protections I have put into my browser, what can I do to address this issue?
On a side note, I'm starting to come across XSS warnings from NoScript much more frequently. Will there ever be a GUI listing mechanism for XSS like there is with allowing or forbidding scripts from domains?
