Page 1 of 1
How can I bypass NoScript XSS in my Firefox Addon?
Posted: Thu Jul 31, 2014 5:49 pm
by erosman
Hi
In an addon I am working on, I need to insert a form and send the POST data to another site.
When I try that from a local file (file:///C:/....) there are no issues.
When I try it form an internet site, I get :
[NoScript XSS] Sanitized suspicious upload to [http://.....] from [http://.....]: transformed into a download-only GET request.
The POST data is a long string such as: (plus headers)
Code: Select all
iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==
Since it is for an addon, there is not point in changing any preferences.
How can the addon send POST data without running into above blockage?
If you need more info, you can find me at irc://moznet/#amo-editors
Thank you
Re: Bypass NoScript XSS in Firefox Addon
Posted: Thu Jul 31, 2014 7:38 pm
by Giorgio Maone
If you use the
privileged version of XMLHttpRequest to send the data collected by the form, your HTTP request won't be checked.
Re: How can I bypass NoScript XSS in my Firefox Addon?
Posted: Fri Aug 01, 2014 12:03 pm
by erosman
Thanks Giorgio
Sadly, I have not been able to do what I need using privileged version of
XHR therefore, at the moment, I
createElement('form'), insert it in the dome and
form.submit() (and remove the form)
As I said, when I run it on a local document, there is no error from
NoSCript.
If I run it on an internet web page, I get the
NoSCript warning.
The method is similar to the method used by
Search By Image (by Google) which also has the same issue with
NoScript when POSTing data from a web page to Google Search page.
I couldn't pass the
FormData to
postData in
loadOneTab otherwise that would have been my favourite option
Any suggestions?
Re: How can I bypass NoScript XSS in my Firefox Addon?
Posted: Fri Aug 01, 2014 4:14 pm
by barbaz
What if you create a dummy document with
Code: Select all
Components.Constructor("@mozilla.org/xml/xml-document;1")
exclusively for your addon's use? Does that work? (I haven't tried for something like this, but it works well for other purpose.)
Re: How can I bypass NoScript XSS in my Firefox Addon?
Posted: Fri Aug 01, 2014 6:12 pm
by erosman
Thanks barbaz
I am actually working on creating a stream to pass to postData in loadOneTab (many steps as there isn't a direct root)
I have just finished writing it... I have to do more testing.
Re: How can I bypass NoScript XSS in my Firefox Addon?
Posted: Fri Aug 01, 2014 9:27 pm
by Giorgio Maone
If you can't find another way, adding a line to the "noscript.filterXExceptions" preference and removing it just after the submit() call (the filter check is synchronous) should be quite simple and work.
Re: How can I bypass NoScript XSS in my Firefox Addon?
Posted: Sun Aug 03, 2014 7:06 am
by erosman
Thanks Giorgio
I will bear that in mind
I have manged (with some ideas from Nils Maier) to pass the data the postData in loadOneTab (so little documentation on this subject)
That makes life easier and no problem with XSS.
Thanks for the help