[FIXED] Constant XSS Warnings
When I open a new tab in Firefox and type a website into the address bar, there is a ~1/3 chance I'm presented with the following XSS error:
NoScript XSS Warning
NoScript detected a potential Cross-Site Scripting attack
from [...] to https://SomeSiteIWantToGoTo.com.
Suspicious data:
TypeError: ic is undefined,(URL) https://SomeSiteIWantToGoTo.com/
Closing the warning (for the zillionth time, give or take) and retyping the website in the address always works just fine. This behavior never appeared prior to Firefox 57. Is this some misconfiguration on my end? Aside from disabling Anti-XSS protection, how can this behavior be fixed?
Last edited by barbaz on Thu Jan 25, 2018 3:39 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Re: Constant XSS Warnings
I think this warning might be a NoScript bug, but I'm not 100% sure.
Can you please post an example of this warning with the URL included as-is?
*Always* check the changelogs BEFORE updating that important software!
- Posts: 1
- Joined: Thu Jan 25, 2018 3:42 pm
Re: Constant XSS Warnings
Had the same thing this morning when I first started Firefox up- can't seem to reproduce now even with the same sites.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Re: Constant XSS Warnings
Here is an example of the warning after typing gmail.com into the address bar. When the warning appears, it always presents the same exact message, with only the URL changing.


Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Re: Constant XSS Warnings
Another example of this same warning - https://forums.informaction.com/viewtop ... 596#p95596
I notice that so far these URLs all have a path of "/", no query string, and no hash. Could it be significant?
*Always* check the changelogs BEFORE updating that important software!
Re: Constant XSS Warnings
Just now I’ve repeatedly opened a new blank Firefox window, entered a website into the address bar, and had the error occur as follows (the following numbers are estimates):
number of XSS errors/number of attempts to access page : PageBeingAccessed.com
3/10 : www.google.com
3/10 : www.gmail.com
7/10 : gmail.com (five of the errors were displayed consecutively!!)
0/20 : https://accounts.google.com/signin/v2/identifier?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=1&flowName=GlifWebSignIn&flowEntry=ServiceLogin
0/10 : https://en.wikipedia.org/wiki/Noscript#Anti-XSS_protection
Two notes:
1. The 'accounts.google.com/etc...' URL is what gmail.com redirects me to. After pasting the full URL into the address bar about 20 times, I still haven’t encountered the error, even though both gmail.com and www.gmail.com are prone to the error. The Wikipedia URL also never caused the error. Maybe paths, queries, and hashes are significant as you suggested? It's a pretty small sample size, so I'm not sure.
2. I did the above tests by opening a new blank window, but the error also occurs in new tabs.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Re: Constant XSS Warnings
Last night I posted a similar occurrence - "Need Help with XSS Warning" I copied the screen
https://forums.informaction.com/viewtop ... =7&t=24494
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Re: Constant XSS Warnings
@atscomms Remember to log in before posting so that you don't have to solve the CAPTCHA every time. (I've fixed your post here)
*Always* check the changelogs BEFORE updating that important software!
- Posts: 3
- Joined: Fri Jan 26, 2018 10:37 am
Re: Constant XSS Warnings
I too had a "phantom XSS warning" request yesterday morning after I reset ("refreshed") firefox settings and re-installed all my plugins. I blocked it and even looked at the script in debugger and couldn't see anything suspicious, though I'm hardly an expert. My home page is the Linux Mint default homepage (or was). This page is loosely connected to Google, as the Google search bar is there. I am assuming NoScript heard Google trying to nose in on my homepage and picked that up as XSS. Am I wrong?
Sidenote: Kind of strange, since they don't offer Google search engine as an option on their repository firefox install for funding reasons.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Re: Constant XSS Warnings
Hello. I wanted to create a thread (title: "NoScript v10 XSS Warning: TypeError: ic is undefined,(URL)") about this issue, but I found this one. So, a couple of days ago, Firefox was updated to version 58.0. And now, after the first Firefox start, typing - for example - youtube.com in the address bar and pressing ENTER, there is a NoScript XSS Warning:
Code: Select all
NoScript XSS Warning
NoScript detected a potential Cross-Site Scripting attack
from [...] to https://youtube.com.
Suspicious data:
TypeError: ic is undefined,(URL) https://youtube.com/
Block this request
Always block document requests from [...] to https://youtube.com
Allow this request
Always allow document requests from [...] to https://youtube.com
I did not choose any of the above options; I just closed the window and typed youtube.com once again. And everything works OK - the second time. (NOTE: this issue also applies to other websites.) It's pretty strange, because youtube.com is marked as a TRUSTED (with script, fetch and other caps.) website in NoScript settings etc.
Code: Select all
"sites": {
  "trusted": [
    "§:youtube.com",
    "https://www.youtube.com"
  ],
Above we can see a part of the NoScript settings, the policy for trusted websites (Settings >> Debug/Policy window). Anyway, here is some technical information:
✗ Platform: Linux, i386/x86
✗ Firefox version: v58.0
✗ NoScript version: 10.1.6.3
Thanks, regards.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Constant XSS Warnings
Some or all of these issues (those with the "TypeError: ic is undefined" message) should be fixed in latest development build:
v 10.1.6.4rc5
=============================================================
x Fixed race condition on XSS filter first load
Please let me know.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
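An added illustration, not part of any post in this thread and not NoScript's code: a constructed model of how a filter that is still loading can turn its own internal error into the "Suspicious data" of a warning, and why retrying the same URL then succeeds. The class, its method names and the sample URL are hypothetical.

```javascript
// Constructed model of a lazily loaded request filter. All names here are
// hypothetical; this is not NoScript's source.
class LazyFilter {
  constructor() {
    this.ic = undefined; // injection checker, present only after loading
    this.parked = [];    // early requests held until the checker exists
  }

  // Stands in for the asynchronous load completing some time after startup.
  finishLoading() {
    this.ic = { scan: (url) => (/<script|javascript:/i.test(url) ? "script injection" : null) };
    for (const resume of this.parked.splice(0)) resume();
  }

  // Racy path: evaluates at once, even if the checker has not loaded yet.
  // The handler fails closed, so any exception is reported as suspicious data.
  checkRacy(url) {
    try {
      const reason = this.ic.scan(url);
      return reason ? { verdict: "warn", data: reason } : { verdict: "allow" };
    } catch (e) {
      return { verdict: "warn", data: `${e.name}: ${e.message},(URL) ${url}` };
    }
  }

  // Fixed path: a request that arrives early waits for the checker, so an
  // internal "not loaded yet" error can never become a verdict.
  checkFixed(url, done) {
    const run = () => done(this.checkRacy(url));
    if (this.ic) run(); else this.parked.push(run);
  }
}

function demo() {
  const url = "https://example.test/"; // constructed sample URL
  const racy = new LazyFilter();
  const first = racy.checkRacy(url);   // before load: internal error shown as XSS
  racy.finishLoading();
  const retry = racy.checkRacy(url);   // same URL after load: allowed
  const fixed = new LazyFilter();
  let early = null;
  fixed.checkFixed(url, (r) => { early = r; });
  const heldBack = early === null;     // no verdict until the checker is ready
  fixed.finishLoading();
  const real = fixed.checkRacy(url + "?q=<script>alert(1)</script>");
  return { first, retry, heldBack, early, real };
}
```

Node words the exception differently from Firefox's "ic is undefined", but the error type and the fail-closed path are the same.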
Re: Constant XSS Warnings
The new development build entirely fixes the issue for me. Thanks Giorgio!
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Re: [FIXED] Constant XSS Warnings
Hello. Mr Maone, you have written that "Some or all of these issues (those with the "TypeError: ic is undefined" message) should be fixed...", right? However, I would like to write about one more type of such a warning. It's about the google.com website and a detected potential Cross-Site Scripting attack. Let's see:
Code: Select all
NoScript XSS Warning
NoScript detected a potential Cross-Site Scripting attack
from [...] to https://google.com.
Suspicious data:
window.name
(o) Sanitize this request
( ) Always block document requests from [...] to https://google.com
( ) Allow this request
( ) Always allow document requests from [...] to https://google.com
As we can see, the above popup warning is different from those mentioned earlier in this thread etc. In this case the suspicious data is: window.name (not 'TypeError: ic is undefined') and there is an option to Sanitize this request (instead of 'Block this request') etc.
I wanted to create a new thread, but I decided to write about this here.
Thanks.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Re: [FIXED] Constant XSS Warnings
Hello. I'm sorry for writing post after post, but I forgot to mention something important in my previous post. In his post, Mr Maone wrote that "Some or all of these issues (those with the "TypeError: ic is undefined" message) should be fixed in latest development build". And it seems to be fixed (according to fmiab's post).
However, a couple of weeks ago, I had a situation with the NoScript XSS Warning: one with the suspicious data 'TypeError: ic is undefined,(URL)' (which is now fixed) and a second with different data, which is: window.name. As we can see in my post above, everything is different from the warnings mentioned by other users in this thread. (There is, for example, an option to Sanitize this request instead of Block this request etc.)
So, I would like to ask Mr Maone whether the window.name issue is also fixed in the latest development version. I'm asking because I cannot update to the latest v10.1.6.4rc5 version.
Thanks. Sorry; I should have asked about it in my previous post :-(
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Re: [FIXED] Constant XSS Warnings
We are also having this reported on qubes-os.org, have just reproduced it myself with Noscript 10.1.6.4
Code: Select all
NoScript detected a potential Cross-Site Scripting attack
from [...] to https://www.qubes-os.org.
Suspicious data:
window.name
Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0