Where is the XSS Exceptions form?

ahardy42
Posts: 13
Joined: Tue Oct 04, 2016 2:07 pm

Where is the XSS Exceptions form?

Post by ahardy42 »

I'm trying to enter an XSS exception for a site where NoScript seems to be blocking successful logins, but I can't find the exceptions page or form in the NoScript options.

When I click Settings -> Advanced Tab, all I see is a greyed area with the tabs on top, then a check-box saying "Sanitize cross-site suspicious requests" with a button "Clear XSS Choices" which I haven't clicked.

Then under that is a line, and another greyed area with a check-box saying "Debug".

Shouldn't there be a field here for me to enter my exceptions?

I know I've already entered one exception myself a year or so ago.

I'm using FF 59.0.2 with NoScript 10.1.7.5.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Where is the XSS Exceptions form?

Post by barbaz »

Moving to NoScript Development because I don't think there is an XSS Exceptions form yet.
*Always* check the changelogs BEFORE updating that important software!
-
ahardy42
Posts: 13
Joined: Tue Oct 04, 2016 2:07 pm

Re: Where is the XSS Exceptions form?

Post by ahardy42 »

Oh, I see - there used to be one before the big upgrade - I remember entering a regular expression for my bank's URL to stop NoScript killing the XSS-style stuff it was doing.

I assume that setting is still in the config somewhere since my banking website still works - or maybe not. Is there a setting I can set manually then?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Where is the XSS Exceptions form?

Post by barbaz »

As a workaround, you can export your NS settings, edit the XSS exceptions manually, then import the modified config back.
*Always* check the changelogs BEFORE updating that important software!
-
ahardy42
Posts: 13
Joined: Tue Oct 04, 2016 2:07 pm

Re: Where is the XSS Exceptions form?

Post by ahardy42 »

OK, I'll give that a try.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
ahardy42
Posts: 13
Joined: Tue Oct 04, 2016 2:07 pm

Re: Where is the XSS Exceptions form?

Post by ahardy42 »

I checked in my prefs.js and I couldn't find any reference to my bank website which NoScript had disabled last year.

I have the XSS checkbox checked, so I'm not sure what NoScript is doing.

I also discovered that actually NoScript is not blocking the website I'm having problems with - it is in fact the TreeTabs add-in, bizarrely.

While I'm here though, what does NoScript do with XSS? Is it done on each suspected XSS request? I see a few of those and I can allow or forbid them individually. Has that replaced the list form of regex patterns of earlier versions?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Where is the XSS Exceptions form?

Post by barbaz »

ahardy42 wrote: what does NoScript do with XSS?
NoScript 10 just blocks the request containing the XSS attempt - https://hackademix.net/2017/12/01/noscr ... ment-39541
ahardy42 wrote: Is it done on each suspected XSS request?
I think you should be prompted unless you have an "Always allow" or "Always block" rule.
*Always* check the changelogs BEFORE updating that important software!
-