Anti-XSS protection hates Dropbox
Posted: Wed Apr 10, 2013 10:40 pm
by RoestVrijStaal
Hello,
Which regex rule do I use to whitelist Dropbox in the XSS filter?
Because Anti-XSS protection prevents me from downloading files via the web interface of Dropbox.
I tried
^https?://[a-z0-9]+\.dropbox\.com.+$
as whitelist rule, but NoScript didn't like to eat it. So I wonder which is the good one and whether I'm the only lucky person who has this issue.
Thanks in advance,
RoestVrijStaal
Re: Anti-XSS protection hates Dropbox
Posted: Thu Apr 11, 2013 4:12 am
by access2godzilla
The regex:
^https?://[a-z0-9]+\.dropbox\.com.+$
has some problems:
- A subdomain becomes compulsory due to the presence of [a-z0-9]+\.
- The end \.com.+$ allows too much. It will also allow a URL like http://www.dropbox.com.foobar..phishing.domain.example.com/ (such phishing sites exist, have a look around Phishtank).
This should work:
^https?://([a-z0-9]+\.)*dropbox\.com/.*
Note: post was edited, see reason below.
Re: Anti-XSS protection hates Dropbox
Posted: Thu Apr 11, 2013 11:23 pm
by Thrawn
Actually, that rule will only allow a single subdomain, e.g. foo.dropbox.com. The question mark (after the brackets) should be an asterisk, to allow foo.bar.baz.dropbox.com.
Are you sure that you want to allow http (unencrypted) connections? I would drop the question mark after https.
You should also check whether Dropbox subdomains use other characters like hyphens, underscores, etc.
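The points raised in the two replies above (the original rule's \.com.+$ tail accepting a look-alike host, ? versus * for subdomain depth, https-only and hyphens) can be checked mechanically. The script below is an added example, not code from the thread or from NoScript; it assumes the rule is applied as a regex anchored at the start of the request URL, and the sample URLs and the "hardened" fourth rule are constructed here (the look-alike hosts are hypothetical, not real indicators).

```python
import re

# Constructed sample URLs. True = should be allowed (Dropbox web interface),
# False = should be rejected (look-alike hosts in the style access2godzilla
# describes). The hyphenated host tests Thrawn's "other characters" point.
SAMPLE_URLS = {
    "https://www.dropbox.com/home": True,
    "https://dl-web.dropbox.com/get/file.zip": True,
    "https://foo.bar.baz.dropbox.com/x": True,
    "https://dropbox.com/": True,
    "http://www.dropbox.com.foobar..phishing.domain.example.com/": False,
    "https://dropbox.com.evil.example/login": False,
    "https://notdropbox.com/": False,
}

RULES = {
    # RoestVrijStaal's first attempt
    "original": r"^https?://[a-z0-9]+\.dropbox\.com.+$",
    # access2godzilla's first version (optional single subdomain)
    "optional_subdomain": r"^https?://([a-z0-9]+\.)?dropbox\.com/.*",
    # after Thrawn's correction (any subdomain depth)
    "any_subdomain": r"^https?://([a-z0-9]+\.)*dropbox\.com/.*",
    # Assumption: Thrawn's other two suggestions applied as well:
    # https only, and hyphens permitted inside a label.
    "https_hyphen": r"^https://([a-z0-9-]+\.)*dropbox\.com/.*",
}


def allowed(rule: str, url: str) -> bool:
    """True if the whitelist rule matches the URL (anchored at the start)."""
    return re.match(rule, url) is not None


def evaluate(rule: str):
    """Return (false_accepts, false_rejects) for a rule over SAMPLE_URLS."""
    false_accepts = [u for u, ok in SAMPLE_URLS.items() if not ok and allowed(rule, u)]
    false_rejects = [u for u, ok in SAMPLE_URLS.items() if ok and not allowed(rule, u)]
    return false_accepts, false_rejects


if __name__ == "__main__":
    for name, rule in RULES.items():
        accepts, rejects = evaluate(rule)
        print(f"{name}: {len(accepts)} look-alike(s) accepted, "
              f"{len(rejects)} legitimate URL(s) blocked")
        for u in accepts:
            print("   ACCEPTS", u)
        for u in rejects:
            print("   BLOCKS ", u)
```

Running it shows the original rule both blocks multi-level or bare dropbox.com URLs and accepts the look-alike host, while only the https-only, hyphen-aware variant gets every constructed sample right.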
Re: Anti-XSS protection hates Dropbox
Posted: Fri Apr 12, 2013 8:58 am
by access2godzilla
Thrawn wrote: Actually, that rule will only allow a single subdomain, e.g. foo.dropbox.com. The question mark (after the brackets) should be an asterisk, to allow foo.bar.baz.dropbox.com.
Good point, edited previous post to reflect this.
Re: Anti-XSS protection hates Dropbox
Posted: Sat Apr 13, 2013 6:17 am
by Thrawn
By the way, are you sure that Dropbox is actually immune to XSS attacks?
Re: Anti-XSS protection hates Dropbox
Posted: Mon Apr 22, 2013 9:48 pm
by RoestVrijStaal
My apologies for the late reply.
I updated the filter and the Dropbox web interface works now.
Not sure what the true cause was that NoScript's Anti-XSS prevented me from working with Dropbox.
As I read through NoScript's changelog, I noticed a lot of changes applied to the Anti-XSS component.
However, it could also be an issue on Dropbox's side which is fixed now.
Nevertheless, I prefer some usability and some security in a good balance, so I'll keep Dropbox whitelisted.
Cloud storage was never meant to store sensitive data since there are conflicting (privacy) laws in various countries (oh hello Patriot Act).
So in case my Dropbox account is hacked, so be it.
Re: Anti-XSS protection hates Dropbox
Posted: Mon Apr 22, 2013 9:51 pm
by RoestVrijStaal
Also, thank you all for the help.
