I was on DuckDuckGo looking for some information about an actress and saw her IMDB page. When I clicked it, this XSS notification showed up, but I'm not sure why (I mean, I read the FAQ, but I don't know if this is an issue about DDG studying their users or IMDB trying to know from what website I was entering).
NoScript showed me this XSS warning:
NoScript detected a potential Cross-Site Scripting attack
- Sanitize this request (which means just stopping the request so it loads nothing)
- Allow this request
- Always allow requests from https://duckduckgo.com to http://www.imdb.com
What is happening?
---------------------------------------------
NoScript 10.1.3
Firefox Quantum 57.0
Manjaro Linux
Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
A similar "window.name" warning pops up when you visit imdb.com directly, from imdb to ia.media-imdb.com.
I would venture a guess that this is what they coded into imdb, and you accessing it via DuckDuckGo triggers the same event.
Not all XSS is harmful. Although it was long understood to be frowned upon because it CAN be abused, sites are starting to use it legitimately.
I just click sanitize and try not to run the scripts that include them.
Though in the case of imdb the warning triggers even without having any scripts running, which I find to be obnoxious.
But I guess the imdb coders just didn't mind.
It also gives an XSS warning when I search "window.name" in the search bar of Firefox,
which I got first when trying to understand what this warning I got on imdb was,
and I'm guessing that if I would search for the other warning descriptions I'd get the same warning on Google too.
Guest wrote: It also gives an XSS warning when I search "window.name" in the search bar of Firefox,
which I got first when trying to understand what this warning I got on imdb was,
and I'm guessing that if I would search for the other warning descriptions I'd get the same warning on Google too.
Sure, because NoScript scans for the way the code is executed, and therefore thinks that Firefox is sending a request instead of a string.
It's a false positive I can honestly live with.
Hi guys.
I'm getting the same notifications.
When using search box on toolbar, NS says there's an XSS attempt "from [...] to www.google.com". The notification details suggest it's connected to window.name property.
My browser acts very weird since the update.
BTW: what's that code marked with red?
Guest wrote: It also gives an XSS warning when I search "window.name" in the search bar of Firefox.
I'm seeing this as well. It looks like any browser-bar search which includes "name" (e.g. "name of US ambassador to France") causes the Anti-XSS popup. This seems like a pretty aggressive default behavior.
Does anyone know if "Always allow document requests from [...] to https://duckduckgo.com" limits requests to "[System Principal]" or if it allows them from any unidentified source or any browser principal? Any thoughts on how risky it would be to do so?
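To make the false-positive discussion in the posts above concrete, here is an added illustration (it is not NoScript's code and does not reproduce its actual filter): a hypothetical keyword-based rule that flags any query-string value mentioning a DOM property such as "name", placed next to a rule that only fires on actual script syntax. Both are run over constructed URLs, including the plain searches reported in this thread and a reflected-XSS-style payload.

```javascript
// Added example, not NoScript's implementation. Two hypothetical request
// inspectors run over the query string of a URL.

// Hypothetical naive rule: flag a value that merely mentions a DOM property
// name. This is the kind of rule that trips on an ordinary search string.
const NAIVE_KEYWORDS = /\b(window\.name|name|document\.cookie|location)\b/i;

// Tighter rule: flag only values carrying script syntax, i.e. a tag, an
// inline event handler, a javascript: URL, or a DOM property access that is
// immediately called or assigned.
const SCRIPT_PATTERNS = [
  /<\s*script\b/i,                                              // <script ...
  /<[a-z][^>]*\bon[a-z]+\s*=/i,                                 // <img onerror=
  /javascript\s*:/i,                                            // javascript:alert(1)
  /\b(?:window|document|location)\s*\.\s*[a-z_$][\w$]*\s*(?:\(|=(?!=))/i, // window.name=...
];

// Returns which of the two rules would flag the request. URLSearchParams
// already percent-decodes and turns '+' into a space, so the rules see the
// text the server would see.
function classify(url) {
  const values = [...new URL(url).searchParams.values()];
  return {
    naive: values.some((v) => NAIVE_KEYWORDS.test(v)),
    syntax: values.some((v) => SCRIPT_PATTERNS.some((p) => p.test(v))),
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  // The literal search from this thread: harmless text that names a property.
  'https://duckduckgo.com/?q=window.name',
  // An English query containing the bare word "name".
  'https://www.google.com/search?q=name+of+US+ambassador+to+France',
  // A reflected-XSS-style payload that really does carry script.
  'https://example.test/search?q=%22%3E%3Cscript%3Ealert(window.name)%3C/script%3E',
  // A javascript: URL with no DOM keyword in it at all.
  'https://example.test/?next=javascript:alert(1)',
];

function demo() {
  return SAMPLES.map((u) => ({ url: u, ...classify(u) }));
}

for (const r of demo()) {
  console.log(`${r.naive ? 'NAIVE-FLAG ' : '           '}${r.syntax ? 'SYNTAX-FLAG ' : '            '}${r.url}`);
}
```

The first two samples are flagged only by the keyword rule, which matches what posters in this thread saw for plain searches; the payload is caught by both; the javascript: URL is caught only by the syntax rule, which also shows that a keyword list can miss real script while flagging prose.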
Using window.name is a very unsafe behavior, since any site that you visit in the same tab can freely access anything stored there. Though NoScript hasn't previously just outright flagged it before checking its contents.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
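As an added example (not from this thread or from NoScript) of the point made in the post above about window.name being readable by any page later loaded in the same tab: a page that uses window.name for a hand-off should treat it as untrusted input, accept only a strictly validated shape, and wipe it as soon as it has been read. The expected message format ({"v":1,"ref":"..."}) and the function names are assumptions made for this illustration.

```javascript
// Added example, not NoScript's code. window.name survives cross-origin
// navigation within a tab, so whatever a page stores there can be read and
// overwritten by the next site loaded in that tab. Consume it defensively.

// Pure validator so it can be exercised outside a browser. Hypothetical
// hand-off format: a JSON object {"v":1,"ref":"<opaque id>"}.
function parseHandoff(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 256) return null;
  let obj;
  try {
    obj = JSON.parse(raw);
  } catch {
    return null; // not JSON: could be leftover state from another site
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  if (obj.v !== 1) return null;
  // Only an opaque identifier is accepted; anything resembling markup, a path
  // or a URL is rejected by the character class.
  if (typeof obj.ref !== 'string' || !/^[A-Za-z0-9_-]{8,64}$/.test(obj.ref)) return null;
  return { v: 1, ref: obj.ref };
}

// Read once, wipe, then validate. `win` defaults to the real window in a
// browser; a plain object with a `name` property stands in for it under Node.
function consumeWindowName(win = typeof window !== 'undefined' ? window : null) {
  if (!win) return null;
  const raw = win.name;
  win.name = ''; // do not leave the value for the next site in this tab
  return parseHandoff(raw);
}

// Constructed inputs (not captured from any site).
const SAMPLE_NAMES = [
  '{"v":1,"ref":"a1B2c3D4e5F6"}',                 // well-formed hand-off
  '<script>alert(document.cookie)</script>',      // markup left by another page
  '{"v":1,"ref":"../../etc/passwd"}',              // path-like ref is rejected
  '{"v":2,"ref":"a1B2c3D4e5F6"}',                  // unknown version is rejected
];

function demo() {
  return SAMPLE_NAMES.map((n) => {
    const fakeTab = { name: n };
    const result = consumeWindowName(fakeTab);
    return { input: n, accepted: result !== null, cleared: fakeTab.name === '' };
  });
}

for (const r of demo()) {
  console.log(`${r.accepted ? 'ACCEPT' : 'REJECT'} cleared=${r.cleared} ${r.input}`);
}
```

The wipe happens before validation so that even a rejected value is not left behind for whatever origin is navigated to next in the same tab; the validator is deliberately a whitelist of shape and characters rather than a blacklist of dangerous substrings.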