
Flickr and XSS

Posted: Thu Jul 02, 2009 6:13 pm
by nobill
When I try to log in to Flickr using my Yahoo username and password in Firefox with NoScript enabled, I get

[NoScript XSS] Sanitized suspicious request. Original URL [http://www.flickr.com/signin/yahoo/?.da ... DOM_STRING] requested from [https://login.yahoo.com/config/validate ... 2Fyahoo%2F]. Sanitized URL: [http://www.flickr.com/signin/yahoo/?.da ... DOM_STRING

where I've substituted RANDOM_STRING and RANDOM_NUMBER in the above text where long random strings or numbers existed (to make this post shorter and because I'm paranoid and don't want to expose anything from my login attempt that I don't have to).

The above XSS sanitizing that NoScript does causes the login for Flickr to fail. I'm able to log in using a different browser that isn't running NoScript (gasp!) just fine, so I'm pretty sure this is an issue with NoScript.

Questions:
1) Do I need to worry about this or can I just make NoScript ignore this?
2) Is there a way to whitelist this XSS issue so that I don't have to jump through any hoops in the future?

Thanks!

Re: Flickr and XSS

Posted: Thu Jul 02, 2009 6:25 pm
by dhouwn
nobill wrote: 2) Is there a way to whitelist this XSS issue so that I don't have to jump through any hoops in the future?
Under "Options" → "Advanced" → "XSS" in the box "Anti-XSS Protection Exceptions"
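
An added example, not part of the original thread or of NoScript's code: the Anti-XSS Protection Exceptions box takes regular expressions that are matched against the destination URL, so a candidate exception can be checked against sample URLs before it is saved. The patterns, the `auditException` helper and the sample URLs (including the `param` query name) are constructed for illustration.

```javascript
// Constructed candidate exceptions for the Flickr sign-in landing URL.
// LOOSE is unanchored; NARROW pins scheme, host and path.
const LOOSE = /flickr\.com/;
const NARROW = /^https?:\/\/www\.flickr\.com\/signin\/yahoo\/\?/;

// Constructed destination URLs. "wanted" marks the only URL that
// should be exempted from XSS filtering: the sign-in endpoint itself.
const SAMPLES = [
  { url: "http://www.flickr.com/signin/yahoo/?param=RANDOM_STRING", wanted: true },
  { url: "http://www.flickr.com/photos/someone/?q=RANDOM_STRING", wanted: false },
  { url: "http://www.flickr.com.example.net/signin/yahoo/?x=1", wanted: false },
  { url: "http://example.net/redirect?to=flickr.com/signin/yahoo/", wanted: false },
];

// Report URLs the pattern would exempt although they are not the
// sign-in endpoint (overBroad), and wanted URLs it fails to cover (missed).
function auditException(pattern, samples) {
  const overBroad = [];
  const missed = [];
  for (const { url, wanted } of samples) {
    const exempt = pattern.test(url);
    if (exempt && !wanted) overBroad.push(url);
    if (!exempt && wanted) missed.push(url);
  }
  return { overBroad, missed };
}

for (const [name, pattern] of [["LOOSE", LOOSE], ["NARROW", NARROW]]) {
  const { overBroad, missed } = auditException(pattern, SAMPLES);
  console.log(`${name}: ${overBroad.length} over-broad, ${missed.length} missed`);
}
```

An exception that reports any over-broad match turns off the filter for more than the login redirect, so only a pattern with none belongs in the exceptions box.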