Weather site blocked even when NS is turned off
Posted: Wed Sep 24, 2014 3:51 am
by Thurston S Howell
This site's doppler radar (image, animated, etc) won't display even when NoScript is set to globally allow scripts:
http://baynews9.com/content/news/baynew ... radar.html
If I disable the Firefox plugin, it works fine. I don't know what to modify in the settings to allow this one site as whitelisting it did not correct the problem.
Thank you for listening.
T.H.
Re: Weather site blocked even when NS is turned off
Posted: Wed Sep 24, 2014 5:04 am
by therube
Using a hammer, setting noscript.xss.checkInclusions (about:config) to false gets it working.
So I guess an exception is in order.
(I'll leave that to others.)
Adding s3.amazonaws.com/ to noscript.xss.checkInclusions.exceptions works, but (maybe) that is again too broad? (Ball-peen instead of a mallet.)
Code:
Blocking reflected script inclusion origin XSS from http://baynews9.com/content/news/baynews9/weather/klystron-9-radar.html: https://s3.amazonaws.com/static.baron.web.apps/digitial_wx/widgets/dcms/be2ed1b3-58c4-4742-a921-fd8a5084afa6/live/init.js
embedded by
http://s3.amazonaws.com/static.baron.web.apps/digitial_wx/pages/n2.adaptive/map/index.html?initjson=https://s3.amazonaws.com/static.baron.web.apps/digitial_wx/widgets/dcms/be2ed1b3-58c4-4742-a921-fd8a5084afa6/live/init.js&initjsonvar=initdata
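A simplified check of the kind that console message describes, as an added example (not NoScript's own code): given the embedding page URL and the script it ends up loading, it reports which query parameter the script URL was reflected from, and skips scripts matching an exceptions list. Treating exceptions as plain substrings of the script URL is an assumption; the thread does not show how NoScript matches its exceptions list.

```python
from urllib.parse import urlparse, parse_qsl

# Both URLs are copied from the Browser Console message quoted above.
EMBEDDING_PAGE = (
    "http://s3.amazonaws.com/static.baron.web.apps/digitial_wx/pages/n2.adaptive/map/index.html"
    "?initjson=https://s3.amazonaws.com/static.baron.web.apps/digitial_wx/widgets/dcms/"
    "be2ed1b3-58c4-4742-a921-fd8a5084afa6/live/init.js&initjsonvar=initdata"
)
INCLUDED_SCRIPT = (
    "https://s3.amazonaws.com/static.baron.web.apps/digitial_wx/widgets/dcms/"
    "be2ed1b3-58c4-4742-a921-fd8a5084afa6/live/init.js"
)


def _scheme_free(url):
    """Compare URLs without their scheme: an http:// and an https:// spelling
    of the same script are the same inclusion for this check."""
    p = urlparse(url.strip())
    return (p.netloc.lower(), p.path, p.query)


def reflected_inclusion(page_url, script_url, exceptions=()):
    """Return the name of the query parameter of page_url whose value is the
    URL of the script the page includes, or None if nothing in the query
    string is reflected into a script load.

    Hypothetical, simplified re-implementation of the idea behind
    noscript.xss.checkInclusions, not NoScript's code. Exceptions are
    matched as plain substrings of the script URL (an assumption)."""
    if any(pattern in script_url for pattern in exceptions):
        return None
    target = _scheme_free(script_url)
    for name, value in parse_qsl(urlparse(page_url).query, keep_blank_values=True):
        if "//" not in value:  # not a URL, so it cannot name a script source
            continue
        if _scheme_free(value) == target:
            return name
    return None


if __name__ == "__main__":
    print(reflected_inclusion(EMBEDDING_PAGE, INCLUDED_SCRIPT))  # initjson
    # The exception therube added in the thread silences the same inclusion.
    print(reflected_inclusion(EMBEDDING_PAGE, INCLUDED_SCRIPT,
                              exceptions=("s3.amazonaws.com/",)))  # None
```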
Re: Weather site blocked even when NS is turned off
Posted: Mon Sep 29, 2014 8:33 pm
by Thurston S Howell
How did you perform that analysis to determine the source of the problem script?
Re: Weather site blocked even when NS is turned off
Posted: Mon Sep 29, 2014 9:12 pm
by barbaz
The message in the code block shows up in the Browser Console (Ctrl-Shift-J); from there you just have to know what the message means, whether it's an actual threat or just a false positive / bad site design, and what to do in each case.
In this case, since you didn't know what the message meant, probably it was best to ask for help here. That's what I would have done in your place after finding that any XSS exceptions added in the GUI had no effect on this.
Re: Weather site blocked even when NS is turned off
Posted: Tue Sep 30, 2014 4:26 am
by Thrawn
The number-one question in my mind is: does this poor site design mean that the site is actually vulnerable to XSS?