Hello,
I had the following problem yesterday, which I believe was caused by a combination of problems on the website and NoScript (so not one or the other alone).
I was trying to order furniture from IKEA, using my VISA debit card. When I entered my details, the "verified by VISA" thing came up; I think that's an iframe, I'm not sure.
What normally happens (with other websites) is that this does something for a few seconds then I'm redirected to another page in the website where it says my details have been confirmed and the order is placed.
What happened this time was that, after the verification, NoScript said it blocked an attempted XSS and the website showed an error. I tried to add ikea to the exceptions, using the following regular expression: ^https://.*ikea\.com/.*$
Again the same thing happened, so I tried it a few times, only to find out, in the end, that while my order never went through (so I'm not receiving anything), the money was taken from my account.
To make it clear, I'm not accusing NoScript of this loss (which I'm in contact with my bank to resolve), only trying to understand what I could do to prevent it in the future and whether anyone has had a problem like this. Is my regular expression wrong? Is it a different URL I should have used in it?
XSS protection problem
GeorgeT
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
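As an added example (not from this thread and not NoScript's own code), the snippet below tests the poster's regular expression against a few constructed URLs to show what it does and does not cover, and compares it with a version that anchors the host name. The ikea.com paths are made up, and "vbv-proxy.example" is a placeholder for the intermediate "Verified by Visa" site, which the thread never names.

```javascript
// Added example: check which URLs the poster's NoScript anti-XSS exception
// regex matches. All sample URLs are constructed; "vbv-proxy.example" stands
// in for the unknown "Verified by Visa" intermediate site.
const postedPattern = /^https:\/\/.*ikea\.com\/.*$/;

// Tighter alternative: only ikea.com itself or one of its subdomains,
// instead of any host that merely ends in the characters "ikea.com".
const hostAnchoredPattern = /^https:\/\/([^\/]+\.)?ikea\.com\//;

const sampleUrls = [
  "https://www.ikea.com/gb/en/checkout/",        // merchant page (constructed)
  "https://secure.ikea.com/order/confirm?id=1",  // merchant subdomain (constructed)
  "https://vbv-proxy.example/acs/pareq",         // placeholder intermediate site
  "https://notikea.com/anything",                // unrelated host containing "ikea.com"
  "http://www.ikea.com/gb/en/",                  // plain http, not https
];

// Return the subset of urls that the given pattern accepts.
function matches(pattern, urls) {
  return urls.filter((u) => pattern.test(u));
}

// Side-by-side result for the two patterns over the sample URLs.
function report() {
  return {
    posted: matches(postedPattern, sampleUrls),
    hostAnchored: matches(hostAnchoredPattern, sampleUrls),
  };
}

console.log(report());
```

Two things stand out: neither pattern touches the intermediate site, so an exception written for ikea.com alone cannot cover a request that comes from the VbV step, and the unanchored `.*ikea\.com/` also accepts hosts such as "notikea.com", which is broader than the poster intended.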
- Giorgio Maone
- Site Admin
- Posts: 9546
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XSS protection problem
What you probably needed to do was just allowing all the intermediate sites for scripting, including the "Verified by Visa" proxy which we don't know from your report, with no regular expression exception involved.
That the money was taken from your account without you entering your "Verified by Visa" credentials is extremely weird: preventing unauthorized transactions is the whole point of the VbV program.
What would help diagnose and, if possible, fix this problem for the feature would be looking at your error console as soon as the XSS notification comes up and analyzing any "[NoScript XSS]" and/or "[Injection Checker]" message there.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Re: XSS protection problem
And possibly using NoRedirect set to block all redirects (remove all rules, then add a rule as follows:
Regex: .*
check only "Source") to get the URLs of the intermediate sites so that it's less likely the NoScript console message(s) will get pushed out and it's easier for you to make an XSS exception (see the sticky for how to do that; please post what worked for you).
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 SeaMonkey/2.28.2-unofficial-1
GeorgeT
Re: XSS protection problem
Thanks for the reply. I only thought about copying the information from the console after I had closed FF, by which time it was too late.
Regarding VbV, I had already entered my credentials at that point. The error was when VbV tried to tell IKEA that verification was successful, I think. VbV knew it was OK but IKEA didn't.
You said I should have allowed scripting from all sites. Would that have prevented the XSS thing? I thought they were separate. I did get a message saying "Javascript seems to be disabled, please click here" before the mess happened, so I guess that would have prevented it. I tried to find which site needed to be allowed to avoid that but couldn't figure it out.
barbaz: I'll look at that extension, thanks for the suggestion.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
- Giorgio Maone
- Site Admin
- Posts: 9546
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XSS protection problem
GeorgeT wrote: You said I should have allowed scripting from all sites. Would that have prevented the XSS thing? I thought they were separate.
The rules for requests from non-whitelisted to whitelisted websites are stricter.
Hence, if IKEA was whitelisted but the VbV processor was not, an XSS sanitization was more likely to happen.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Re: XSS protection problem
This is the canonical use case for my suggested interactive mode.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0