I get warned about possible XSS here.
http://www.buzzfeed.com/gustavoa/tools-using-tools-4bf
Using "Unsafe reload" doesn't entirely fix the issue.
unsafe reload only partially works
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
-
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: unsafe reload only partially works
Oh, if a person's determined enough they can dig through that mess.
Using a clean profile with default NS 1.9.7.9, once the first reload unsafe was done, if I opened the frame on its own and reload unsafe, allow, then reload unsafe again and voila! a flash placeholder.
Without NS, those messy scripts take up enough processing real estate that the UI in this small portable is basically frozen.
Same in 3.5.1
Thank heavens for NS.
Apologies for being a little off topic.
There will be help here soon I'm sure :-)
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.13) Gecko/2009080315 Ubuntu/9.04 (jaunty) Firefox/3.0.13
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: unsafe reload only partially works
@zbownling:
you shouldn't get those warnings in the first place, because the request injecting embed elements is not cross-site.
That's likely an actual bug that I'm investigating (XSS checks should be only for cross-site requests, by default), but it's apparently unrelated to your report.
However the site is actually vulnerable to XSS "by design", and unsafe reload is working as expected for me (i.e. it reloads the offending frame without the XSS filters).
Then I need to allow the frame content, which is a Flash embed, but that's another story.
Could you define "partially", i.e. what you expected from unsafe reload and what you're getting instead?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Re: unsafe reload only partially works
(Note that there are two domains, buzzfeed.com & buzzfed.com.)
With my current settings, I get all kinds of weirdness.
buzz* not Allowed, everything in Plugins checkmarked
buzzfeed comes up with Unsafe Reload
OK the Unsafe Reload
a buzzfed URL comes up with "http://www.buzzfed.com/embed/_script?tag=" displaying
if I Allow buzzfed, then another Unsafe Reload
with this displaying:
Code:
object width 425 height 344 > param NAME movie value http://www.youtube.com/v/-Frk2H-g3CQ&color1 0xb1b1b1&color2 0xcfcfcf&hl en&feature player_embedded&fs 1 > /param> param NAME allowFullScreen value true > /param> param NAME allowScriptAccess value always > /param> embed src http://www.youtube.com/v/-Frk2H-g3CQ&color1 0xb1b1b1&color2 0xcfcfcf&hl en&feature player_embedded&fs 1 type application/x-shockwave-flash allowfullscreen true width 425 height 344 > /embed> /object>
& the Flash placeholder comes up (Youtube)
Allow that & the car is all wet
---
if I Allow buzzfeed & buzzfed, the Unsafe Reload goes away, but then so do the Flash placeholders (which do show if everything is Not allowed)
---
if I uncheck <I/FRAME> & also Apply these restrictions to trusted sites too
Allow buzz* ...
suffice to say, all kinds of craziness going on.
I'll get the "code" for the Flash rather than the placeholders (in the "buzzfeed" web page - different from above)
Code:
object width 425 height 344 > param NAME movie value http://www.youtube.com/v/-Frk2H-g3CQ&color1 0xb1b1b1&color2 0xcfcfcf&hl en&feature player_embedded&fs 1 > /param> param NAME allowFullScreen value true > /param> param NAME allowScriptAccess value always > /param> embed src http://www.youtube.com/v/-Frk2H-g3CQ&color1 0xb1b1b1&color2 0xcfcfcf&hl en&feature player_embedded&fs 1 type application/x-shockwave-flash allowfullscreen true width 425 height 344 > /embed> /object>
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 Firefox/2.0 SeaMonkey/1.1.17
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: unsafe reload only partially works
therube wrote: (Note that there are two domains, buzzfeed.com & buzzfed.com.)
Thanks, I utterly missed that.
It means there's no NoScript bug here.

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
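Added example, not part of the thread and not NoScript's own code: a simplified model of the check discussed above, showing why a page on buzzfeed.com loading http://www.buzzfed.com/embed/_script?tag=... counts as a cross-site request carrying markup. The function names, the two-label notion of "site", the shortened tag value and the same-site comparison URL are assumptions made for illustration.

```javascript
// Simplified model of a cross-site reflection check (not NoScript's implementation).
// Assumption: "site" is the last two host labels; a real filter would consult
// the Public Suffix List instead.
function siteOf(url) {
  const host = new URL(url).hostname.toLowerCase();
  return host.split('.').slice(-2).join('.');
}

// Markup-like content in a decoded parameter value: a tag opener or an
// inline event-handler attribute.
const MARKUP = /<\s*[a-z!\/]|\bon[a-z]+\s*=/i;

// Flag a request only when it is cross-site AND a query parameter carries markup.
function checkRequest(sourceUrl, requestUrl) {
  const crossSite = siteOf(sourceUrl) !== siteOf(requestUrl);
  const suspicious = [];
  for (const [name, value] of new URL(requestUrl).searchParams) {
    if (MARKUP.test(value)) suspicious.push(name);
  }
  return { crossSite, suspicious, flagged: crossSite && suspicious.length > 0 };
}

// Constructed sample input. The page URL and the buzzfed.com prefix come from
// the thread; the tag value is shortened and the same-site URL is hypothetical.
const page = 'http://www.buzzfeed.com/gustavoa/tools-using-tools-4bf';
const tag = '<object width="425" height="344"></object>';
const frame =
  'http://www.buzzfed.com/embed/_script?tag=' + encodeURIComponent(tag);
const sameSiteFrame =
  'http://www.buzzfeed.com/embed/_script?tag=' + encodeURIComponent(tag);
const plainFrame = 'http://www.buzzfed.com/embed/_script?tag=video';

function demo() {
  return {
    crossSiteMarkup: checkRequest(page, frame),       // flagged
    sameSiteMarkup: checkRequest(page, sameSiteFrame), // markup, but same site
    crossSitePlain: checkRequest(page, plainFrame),    // cross-site, no markup
  };
}
```

The one-letter difference between buzzfeed.com and buzzfed.com is enough to make the frame request cross-site, which is the case the XSS filter is meant to inspect.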