SAML2 HTTP-POST binding blocked

Posted: Wed Jan 29, 2014 7:20 pm
by skoranda
Hello,

I am using NoScript 2.6.8.13 with Firefox 26.0.

Have you ever considered allowing a configuration option for NoScript that would cause it to not block or trigger on well-formatted and schema-compliant SAML2 HTTP-POST binding messages being transmitted from one site (a SAML2 identity provider or IdP) to a second site (a SAML2 service provider or SP)?

Right now the communication by HTTP POST binding of the SAML2 XML assertion from IdP to SP is being flagged as an XSS exploit. For example:

[NoScript XSS] Sanitized suspicious upload to
[https://service.site01.com/Shibboleth.sso/SAML2/POST]
from
[https://login.site02.com/idp/profile/SAML2/Redirect/SSO]:
transformed into a download-only GET request.

While I could whitelist those sites, since the SAML2 federation within which I operate is large with more than 300 IdPs or login providers and more than 1000 SPs or sites it is awkward to continually have to whitelist (and ask my users to do so).

Since a schema-compliant SAML2 XML payload is straightforward to detect, perhaps NoScript could avoid triggering on these types of single sign-on (SSO) flows?

Re: SAML2 HTTP-POST binding blocked

Posted: Wed Jan 29, 2014 8:10 pm
by Giorgio Maone
Probably a good idea. Could you provide more details about what the payload would look like (for instance, does it have an application/xml content type, rather than the normal formdata pseudo type)?
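To make the two points above concrete, the following Python script is an added example and not part of this thread or of NoScript. It builds the form body an IdP sends in the SAML 2.0 HTTP-POST binding (per the SAML 2.0 Bindings spec this is an ordinary application/x-www-form-urlencoded form with a base64-encoded SAMLResponse or SAMLRequest field and an optional RelayState, not an application/xml body) and then implements the kind of structural check skoranda proposes: accept a cross-site POST only if it is exactly such a form, the decoded XML parses, its root element is a SAML 2.0 protocol message, and its Destination attribute matches the URL being posted to. The sample Response, the IdP and SP URLs (taken from the log lines in the thread), and the set of accepted root elements are constructed for the example; the check is a structural filter, not full XSD validation, and it leaves signature verification to the SP as before.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Root elements that may travel in the two form fields the HTTP-POST binding
# defines. This allow-list is an assumption of the example, not NoScript's.
PROTOCOL_MESSAGES = {
    "SAMLResponse": {"Response", "LogoutResponse", "ArtifactResponse"},
    "SAMLRequest": {"AuthnRequest", "LogoutRequest", "ArtifactResolve"},
}

# Assertion consumer service URL from the NoScript log line in the thread.
ACS_URL = "https://service.site01.com/Shibboleth.sso/SAML2/POST"

# Constructed, unsigned sample Response; a real IdP response carries an XML signature.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_example-response-id" Version="2.0" IssueInstant="2014-01-29T19:20:00Z"
    Destination="{ACS_URL}">
  <saml:Issuer>https://login.site02.com/idp/shibboleth</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_example-assertion-id" Version="2.0" IssueInstant="2014-01-29T19:20:00Z">
    <saml:Issuer>https://login.site02.com/idp/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID>user@site02.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def build_post_body(xml_message, relay_state="", field="SAMLResponse"):
    """Encode a SAML message the way the HTTP-POST binding does: base64 in a form field."""
    fields = {field: base64.b64encode(xml_message.encode("utf-8")).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    return urllib.parse.urlencode(fields)


def is_saml_post_binding(target_url, content_type, body):
    """Return (accepted, reason) for a POST to target_url with the given body.

    Accepts only a form that is exactly one SAML protocol message (plus RelayState)
    whose root element is a SAML 2.0 protocol message addressed to target_url.
    """
    if content_type.split(";")[0].strip().lower() != "application/x-www-form-urlencoded":
        return False, "not a form-encoded POST"
    try:
        form = urllib.parse.parse_qs(body, strict_parsing=True)
    except ValueError:
        return False, "malformed form body"

    present = [name for name in PROTOCOL_MESSAGES if name in form]
    if len(present) != 1 or len(form[present[0]]) != 1:
        return False, "expected exactly one SAMLRequest or SAMLResponse field"
    field = present[0]
    extra = set(form) - {field, "RelayState"}
    if extra:
        return False, "unexpected form fields: %s" % sorted(extra)

    try:
        raw = base64.b64decode(form[field][0], validate=True)
        text = raw.decode("utf-8")
    except ValueError:
        return False, "%s is not valid base64/UTF-8" % field

    # A SAML message never needs a DTD; refusing one avoids entity tricks in the parser.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return False, "DTD or entity declaration in payload"
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return False, "payload is not well-formed XML"

    namespace, local = root.tag[1:].split("}", 1) if root.tag.startswith("{") else ("", root.tag)
    if namespace != SAMLP_NS or local not in PROTOCOL_MESSAGES[field]:
        return False, "root element %s is not a SAML 2.0 %s message" % (root.tag, field)
    if root.get("Version") != "2.0":
        return False, "not a SAML 2.0 message"
    # Policy of this example: require Destination and insist it names the posted-to URL,
    # so a message minted for one SP cannot be replayed at another.
    if root.get("Destination") != target_url:
        return False, "Destination does not match the POST target"
    return True, "SAML 2.0 %s (%s) addressed to this endpoint" % (field, local)


if __name__ == "__main__":
    body = build_post_body(SAMPLE_RESPONSE, relay_state="ss:mem:example")
    print(is_saml_post_binding(ACS_URL, "application/x-www-form-urlencoded", body))
    print(is_saml_post_binding("https://other.example/acs", "application/x-www-form-urlencoded", body))
```

Running the script accepts the constructed Response when it is posted to ACS_URL and rejects the same form posted anywhere else. A plain script payload in the SAMLResponse field, an extra form field, or a non-form content type all fail the check, which is what a filter exemption would need in order to let legitimate IdP-to-SP POSTs through without also letting arbitrary cross-site uploads ride along in the same field.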

Re: SAML2 HTTP-POST binding blocked

Posted: Wed Jan 29, 2014 9:31 pm
by skoranda
I have tried posting some details but it continues to be blocked by your SPAM filter.

Is there another way I may communicate some details to you?

Thank you for your time and consideration.

Re: SAML2 HTTP-POST binding blocked

Posted: Wed Jan 29, 2014 9:40 pm
by Giorgio Maone
skoranda wrote:
> I have tried posting some details but it continues to be blocked by your SPAM filter.
>
> Is there another way I may communicate some details to you?
>
> Thank you for your time and consideration.

Either private message or email.

Re: SAML2 HTTP-POST binding blocked

Posted: Wed Jan 29, 2014 10:08 pm
by skoranda
I sent an email. Thank you. Feel free to post its contents into the forum if you like.