InformAction Forums

Posted: **Mon May 19, 2014 4:37 pm**

Hello,
2.8.24 breaks the new gmx.com web interface due to XSS.
I wish there was a way to whitelist it, it keeps asking me for confirmation.

It can be tested even without an account, problem being on login.

Regards

Posted: **Mon May 19, 2014 6:44 pm**

URL to gmx?

What is the XSS message in Error Console?

Posted: **Mon May 19, 2014 7:12 pm**

therube wrote:URL to gmx?

https://www.gmx.com, as I said you can use fake login credentials
and this error will still show up.

therube wrote:What is the XSS message in Error Console?

Code: Select all

[NoScript XSS] Sanitized suspicious upload to [https://login.gmx.com/login#.1559516-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29-%24%28dataCenter%29.gmx.com%2Flogin] from [https://www.gmx.com/]: transformed into a download-only GET request.
Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. jquery.min.js:3
Use of getUserData() or setUserData() is deprecated.  Use WeakMap or element.dataset instead. requestNotifier.js:64
Blocked loading mixed active content "http://s.uicdn.com/gmx.com/current/min/lib-head-final.js"
Blocked loading mixed active content "http://s.uicdn.com/gmx.com/current/min/default-final.css"
Blocked loading mixed active content "http://s.uicdn.com/gmx.com/current/min/lib-body-end-final.js"
Loading mixed (insecure) display content on a secure page "http://s.uicdn.com/gmx.com/current/img/favicon.ico"

Posted: **Mon May 19, 2014 7:28 pm**

Please try adding the following line to your NoScript Options|Advanced|XSS exceptions box:

Code: Select all

^@https://www.gmx.com/

Posted: **Mon May 19, 2014 7:32 pm**

Giorgio Maone wrote:Please try adding the following line to your NoScript Options|Advanced|XSS exceptions box:
Code: Select all
^@https://www.gmx.com/

Thanks, that did the trick.

Posted: **Tue May 20, 2014 1:09 am**

Guest wrote:
Giorgio Maone wrote:Please try adding the following line to your NoScript Options|Advanced|XSS exceptions box:
Code: Select all
^@https://www.gmx.com/
Thanks, that did the trick.

You can drop the exception and check latest development build 2.6.8.25rc1 instead, now, thanks.

Posted: **Tue May 20, 2014 7:40 am**

Giorgio Maone wrote:
Guest wrote:
Giorgio Maone wrote:Please try adding the following line to your NoScript Options|Advanced|XSS exceptions box:
Code: Select all
^@https://www.gmx.com/
Thanks, that did the trick.
You can drop the exception and check latest development build 2.6.8.25rc1 instead, now, thanks.

Works for https, but not http

Posted: **Tue May 20, 2014 8:51 am**

Luigi wrote: Works for https, but not http

NoScript Options|Advanced|HTTPS, force .gmx.com.

Posted: **Tue May 20, 2014 9:11 am**

^@https://www.gmx.com/
^@https://gmx.com/
^@https://s.uicdn.com
^@http://www.gmx.com/
^@http://gmx.com/
^@http://s.uicdn.com

Posted: **Tue May 20, 2014 9:38 am**

LeeB wrote:^@https://www.gmx.com/
^@https://gmx.com/
^@https://s.uicdn.com
^@http://www.gmx.com/
^@http://gmx.com/
^@http://s.uicdn.com

Oh well, then just

Code: Select all

^@https?://(?:(?:www\.)?gmx|s\.uicdn)\.com/

Posted: **Tue May 20, 2014 10:47 am**

Thanks Giorgio, the dev build fixed the GMX login (https)

I thought I`d been hacked, phished or some other awful disaster when I first saw it.

Posted: **Tue May 20, 2014 11:08 am**

Giorgio Maone wrote:
LeeB wrote:^@https://www.gmx.com/
^@https://gmx.com/
^@https://s.uicdn.com
^@http://www.gmx.com/
^@http://gmx.com/
^@http://s.uicdn.com
Oh well, then just
Code: Select all
^@https?://(?:(?:www\.)?gmx|s\.uicdn)\.com/

I'm confused. Do I have to ad that rule even on the devel preview?

Posted: **Tue May 20, 2014 11:34 am**

Luigi wrote:
Code: Select all
^@https?://(?:(?:www\.)?gmx|s\.uicdn)\.com/
I'm confused. Do I have to ad that rule even on the devel preview?

Only if you still have got problems after forcing HTTPS on .gmx.com.

Posted: **Wed May 21, 2014 6:51 am**

Giorgio Maone wrote:
Luigi wrote:
Code: Select all
^@https?://(?:(?:www\.)?gmx|s\.uicdn)\.com/
I'm confused. Do I have to ad that rule even on the devel preview?
Only if you still have got problems after forcing HTTPS on .gmx.com.

I had to login twice every time, that line seems to have solved that.

Posted: **Wed May 21, 2014 10:28 am**

Included in NoScript 2.6.8.25.
The built-im implementation is slightly safer, thus please remove the hand-made exception.

InformAction Forums

New gmx web interface

New gmx web interface

Re: New gmx web interface

Re: New gmx web interface

Re: New gmx web interface

Re: New gmx web interface

Re: New gmx web interface

Re: New gmx web interface

Re: New gmx web interface

Re: New gmx web interface

Re: New gmx web interface

Re: New gmx web interface

Re: New gmx web interface

Re: New gmx web interface

Re: New gmx web interface

Re: New gmx web interface