[RESOLVED] basecamphq.com xfer to 123.writeboard.com blocked

Posted: Wed Jan 07, 2015 5:10 am
by jwalling
NoScript 2.6.9.10rc2
Browser is Firefox on Ubuntu

With NoScript enabled, I am unable to connect from
accountname.basecamphq.com to 123.writeboard.com
when I click on a Writeboards document link in Basecamphq.

I tried whitelisting both URLs but I get stopped by an XSS warning and a password challenge.
How can I figure out what to whitelist if it is not obvious?
The error console messages are overwhelming - I see nothing obvious to help with a whitelist.

If I disable NoScript, I am able to make the Writeboard connection w/o delay.

Re: basecamphq.com xfer to 123.writeboard.com blocked

Posted: Wed Jan 07, 2015 5:23 am
by barbaz
jwalling wrote: How can I figure out what to whitelist if it is not obvious?
The error console messages are overwhelming - I see nothing obvious to help with a whitelist.

NoScript-related messages sometimes go by REALLY fast in the Error Console due to tremendous numbers of CSS warnings, so you may need to run a video capture of it with the Messages tab open while the XSS warning is triggering, then attempt to type the results here afterwards...
(InjectionChecker messages can have a horribly long regexp after the word 'matches', which you can skip typing if you want :) )

Also, XSS whitelists are regular expressions that get manually typed in @ NoScript Options > Advanced > XSS - so it's completely separate from normal whitelisting

Re: basecamphq.com xfer to 123.writeboard.com blocked

Posted: Wed Jan 07, 2015 6:32 am
by jwalling
I posted NoScript console messages here
https://titanpad.com/FvH1xv6Qw4

Re: basecamphq.com xfer to 123.writeboard.com blocked

Posted: Wed Jan 07, 2015 10:16 pm
by Giorgio Maone
You can work around by adding this line to your NoScript Options|Advanced|XSS|Exceptions box:

Code:

^https://\d+\.writeboard\.com/\w+/login$

[EDIT]: fixed the regular expression typo

Re: basecamphq.com xfer to 123.writeboard.com blocked

Posted: Thu Jan 08, 2015 4:09 am
by jwalling
When I added to the XSS Exception box

Code:

^https://\d+\.writeboard\.com/\b+/login$

or added

Code:

^https?://\d+\.writeboard\.com/\b+/login$

All the other entries in the Exception box turned RED

These are the other entries

Code:

^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
^https?://([a-z]*)\.?search\.yahoo\.com/search(?:\?|/\1\b)
^https?://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$
^https?://translate\.google\.com/translate_t[^"'<>\?%]+$

I assume RED means there is a problem

Nb: When I duplicated the last entry, it did not cause the other entries to turn RED.

Am I missing or misinterpreting something?

Re: basecamphq.com xfer to 123.writeboard.com blocked

Posted: Thu Jan 08, 2015 4:30 am
by barbaz
jwalling wrote: I assume RED means there is a problem

RED means there's an invalid regex in XSS Exceptions

In this case, it's likely because

Code:

\b+

is not valid regular expression syntax...

Try replacing '\b+' with

Code:

[0-9A-Za-z]+

Re: basecamphq.com xfer to 123.writeboard.com blocked

Posted: Thu Jan 08, 2015 5:31 am
by jwalling
Success!
basecamphq.com xfer to 123.writeboard.com worked
by adding this RegEx to XSS exceptions:

Code:

^https?://\d+\.writeboard\.com/[0-9A-Za-z]+/login$

Thanks for quick responses.

Re: basecamphq.com xfer to 123.writeboard.com blocked

Posted: Thu Jan 08, 2015 11:22 am
by Giorgio Maone
barbaz wrote:

Code:

\b+

is not valid regular expression syntax...

I meant \w+, sorry for the typo :(
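
As an added example (not part of the thread and not NoScript's code), the script below compiles each exception line separately to show which one the JavaScript regex engine rejects, then tests the patterns against sample URLs to show how the `^` and `$` anchors keep the exception narrow. It assumes each line is an independent JavaScript regular expression tested against the full destination URL; the sample URLs are constructed.

```javascript
// Added example: validate XSS exception lines one at a time.
// Assumption: each non-empty line is an independent JavaScript regular
// expression that is tested against the full destination URL.

// Patterns quoted in the thread.
const EXCEPTIONS = [
  String.raw`^https?://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$`,
  String.raw`^https?://\d+\.writeboard\.com/\b+/login$`,          // rejected form
  String.raw`^https?://\d+\.writeboard\.com/[0-9A-Za-z]+/login$`, // working form
];

// Compile every line and report which ones the regex engine rejects.
function checkExceptions(lines) {
  return lines
    .map((l) => l.trim())
    .filter((l) => l.length > 0)
    .map((pattern) => {
      try {
        return { pattern, valid: true, regex: new RegExp(pattern), error: null };
      } catch (e) {
        return { pattern, valid: false, regex: null, error: e.message };
      }
    });
}

// Return the valid patterns that would exempt `url` from XSS filtering.
function matchingExceptions(url, lines) {
  return checkExceptions(lines)
    .filter((r) => r.valid && r.regex.test(url))
    .map((r) => r.pattern);
}

// Constructed sample URLs (not taken from the thread).
const SAMPLE_URLS = [
  "https://123.writeboard.com/abc123/login",               // intended target
  "https://123.writeboard.com/abc123/login?next=<script>", // extra query string
  "https://123.writeboard.com.example.net/abc123/login",   // look-alike host
  "https://123.writeboard.com/abc123/edit",                // different path
];

for (const r of checkExceptions(EXCEPTIONS)) {
  console.log(r.valid ? "ok     " : "INVALID", r.pattern, r.error || "");
}
for (const url of SAMPLE_URLS) {
  const exempt = matchingExceptions(url, EXCEPTIONS).length > 0;
  console.log(exempt ? "exempt " : "checked", url);
}
```

Only the first sample URL is exempted; the other three still go through the XSS filter because the pattern is anchored at both ends.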