False positive in the new firefox persona sign in

Posted: Tue Jan 21, 2014 1:13 pm
by Rika Pi
Hello,
I am a new user of NoScript, so I apologize for my general newbieness.
But I would like to report that NoScript has a false positive in its XSS blocking on webmaker.org and beta.openbages.org.
When I tried to log in using Persona, NoScript blocked me on the grounds of suspected XSS.
I hope that someone may help me with this.
Like, how can I put in an exception for it?

Thanks in advance

Re: False positive in the new firefox persona sign in

Posted: Tue Jan 21, 2014 1:48 pm
by barbaz
Read the messages in the browser console (ctrl-shift-j) and see http://forums.informaction.com/viewtopi ... =7&t=17774 for how to make an exception.
If you can't figure it out, post the related console messages here.

Re: False positive in the new firefox persona sign in

Posted: Tue Jan 21, 2014 2:19 pm
by Giorgio Maone
I couldn't reproduce on either website.
Please look for any "[NoScript..." message in your browser console (ctrl+shift+J) and report back here, thank you.

Re: False positive in the new firefox persona sign in

Posted: Tue Jan 21, 2014 4:13 pm
by Rika Pi
What I got from my browser console. Also, it did not appear this time. So I guess it's fixed? I clicked ignore a bunch of times...

GET https://gmail.login.persona.org/provision [HTTP/1.1 200 OK 1659ms]
Security Error: Content at https://gmail.login.persona.org/ may not load data from https://login.persona.org/sign_in.
The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead. provision
This site specified both an X-Content-Security-Policy/Report-Only header and a Content-Security-Policy/Report-Only header. The X-Content-Security-Policy/Report-Only header(s) will be ignored.

Re: False positive in the new firefox persona sign in

Posted: Tue Jan 21, 2014 5:01 pm
by Giorgio Maone
Rika Pi wrote:
What I got from my browser console. Also, it did not appear this time. So I guess it's fixed? I clicked ignore a bunch of times...

GET https://gmail.login.persona.org/provision [HTTP/1.1 200 OK 1659ms]
Security Error: Content at https://gmail.login.persona.org/ may not load data from https://login.persona.org/sign_in.
The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead. provision
This site specified both an X-Content-Security-Policy/Report-Only header and a Content-Security-Policy/Report-Only header. The X-Content-Security-Policy/Report-Only header(s) will be ignored.

Those messages are not from NoScript, but from Firefox itself.
Looks like they've got a semi-obsolete CSP configuration and the browser complains about it.
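
Added example, not part of any post in this thread and not NoScript or Firefox code: a small Python audit that classifies a response's CSP headers the way the console messages quoted above describe (prefixed header deprecated, and ignored when the standard header is also present). The sample response, the `api.example.test` host and the function names are constructed for illustration; the `allow` and `xhr-src` renames reflect the early Mozilla pre-spec syntax.

```python
# Added example; sample data below is constructed, not captured from persona.org.
LEGACY = {"x-content-security-policy", "x-content-security-policy-report-only"}
STANDARD = {"content-security-policy", "content-security-policy-report-only"}
# Pre-spec directive names from the early Mozilla syntax and their spec names.
RENAMED = {"allow": "default-src", "xhr-src": "connect-src"}

SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Security-Policy: allow 'self'; xhr-src https://api.example.test
Content-Security-Policy: default-src 'self'; connect-src https://api.example.test
"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw header block."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_csp(raw):
    """Report which CSP headers take effect and which are ignored."""
    pairs = parse_headers(raw)
    legacy = [(n, v) for n, v in pairs if n in LEGACY]
    standard = [(n, v) for n, v in pairs if n in STANDARD]
    findings = []
    if legacy:
        findings.append("deprecated-header")
    if legacy and standard:
        findings.append("legacy-ignored")
    if not legacy and not standard:
        findings.append("no-csp")
    renames = {}
    for _, value in legacy:
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() in RENAMED:
                renames[tokens[0].lower()] = RENAMED[tokens[0].lower()]
    return {
        "findings": findings,
        "effective": [n for n, _ in (standard or legacy)],
        "ignored": [n for n, _ in legacy] if standard else [],
        "renames": renames,
    }
```

Calling `audit_csp(SAMPLE_RESPONSE)` reports the prefixed header as both deprecated and ignored, which is the situation the two Firefox warnings in the quoted console output describe.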

Re: False positive in the new firefox persona sign in

Posted: Wed Jan 22, 2014 10:28 am
by Rika Pi
Well, I guess I have no more problems. Sorry to disturb you all.