Why are some adverts replaced with HTML code?

Posted: Fri Jul 24, 2015 4:24 pm
by 01i
Rather than whitelisting and blacklisting sites, I allow scripts globally and use NoScript primarily for the XSS, Clear Click and ABE protections.

Occasionally I will load a website and instead of adverts, I will see a load of HTML source without the opening < on each tag. I've gone through the various tick boxes in NoScript, and cannot make those particular adverts show up correctly unless I disable NoScript outright.

Now, I am assuming that these adverts are being modified by NoScript due to some security reason, but I am interested to know what that reason would be.

Here are a couple of examples of the same webpage. One shows NoScript in 'Allow Scripts Globally' mode, the other shows NoScript uninstalled.

NoScript uninstalled shows adverts on the Telegraph website

http://theten.co.uk/noscript-uninstalled.png

NoScript installed, but in allow all mode, converts adverts to html code

http://theten.co.uk/noscript-allowscriptsglobally.png

So why does this happen? What is being blocked?

Re: Why are some adverts replaced with HTML code?

Posted: Fri Jul 24, 2015 4:29 pm
by barbaz

Re: Why are some adverts replaced with HTML code?

Posted: Fri Jul 24, 2015 4:47 pm
by 01i
Sorry, I'm still confused as those links don't answer the question. Both those threads report the same behaviour, but neither explains why NoScript is actually blocking the adverts, which is what I'm asking.

Re: Why are some adverts replaced with HTML code?

Posted: Fri Jul 24, 2015 4:52 pm
by barbaz
01i wrote: but neither explains why NoScript is actually blocking the adverts
Sure they do. Did you actually read the whole threads (particularly the second)?
Feel free to ask for clarification afterwards.

Re: Why are some adverts replaced with HTML code?

Posted: Fri Jul 24, 2015 5:25 pm
by therube
Oh, so it seemingly would be XSS related.
I've seen that around, but never bothered with why it might or might not be there.


(I've probably mentioned elsewhere, but IMO, XSS related stuff ought to be more easily determinable.)

Re: Why are some adverts replaced with HTML code?

Posted: Fri Jul 24, 2015 6:43 pm
by 01i
Those threads make sense, but they don't really explain what's going on. What I can really make from them is that you think that http://tpc.googlesyndication.com is vulnerable to XSS and should be added to ABE with a deny rule. If I do that, then the Google ads that were being converted to HTML just get converted to a white space and an ABE error message instead.

Nothing has really been "fixed".

http://tpc.googlesyndication.com is a domain owned and hosted by Google, and is a part of the Google advertising system, used for serving certain types of rich ads, or tracked ads. Also, by blocking this domain, all Google ads served through it are blocked, rather than just adverts that NoScript converts to code. I have also learned that these ads typically have a high click-through rate, so blocking them is a disservice to the website owner.

While typing this I've done a bit of research, and this webpage explains what is going on.

http://www.iab.net/safeframe/safeframe_infographic

Having read this webpage, I believe that NoScript users should have the choice about whether they wish to trust safe frames or not, rather than having them blocked automatically.

Re: Why are some adverts replaced with HTML code?

Posted: Fri Jul 24, 2015 7:58 pm
by barbaz
01i wrote: Nothing has really been "fixed".
Well, the *real* fix is for the ads to not use/rely on inherently unsafe practices.
01i wrote: Having read this webpage, I believe that NoScript users should have the choice about whether they wish to trust safe frames or not, rather than having them blocked automatically.
You've already got the choice, but I do NOT recommend choosing to allow that because what it's doing is NOT safe. I'm also not completely sure how, but since you REALLY seem to want to do this.. see what this does?
NoScript Options > Advanced > XSS, add to Anti-XSS Protection Exceptions

^https?://tpc\.googlesyndication\.com/safeframe
Again, this is NOT RECOMMENDED and potentially DANGEROUS.

Re: Why are some adverts replaced with HTML code?

Posted: Sun Jul 26, 2015 9:58 pm
by Thrawn
The actual answer to "why does the HTML code appear?" is that it's probably a side effect of the way NoScript blocks the XSS vulnerability. NoScript alters the request to neutralise the suspicious payload, and the page is very unwisely dumping the result into its own code, so it makes sense that what was supposed to be markup (controllable by any other site!) becomes non-markup.
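
The mechanism described in the last post can be reproduced with a toy model. This is an added example, not part of the thread and not NoScript's actual filter code: the hosts news.example, frames.example and shop.example, the "ad" parameter and all function names are hypothetical, and dropping only the "<" characters is an assumption taken from the symptom reported in the first post.

```javascript
// Toy model of the symptom discussed in this thread. Every name is hypothetical.

// Stand-in for an anti-XSS request filter (assumption: it acts only on
// cross-site requests and drops "<" so the value can no longer open a tag).
function neutraliseRequest(requestUrl, originSite) {
  const url = new URL(requestUrl);
  if (url.origin === originSite) return url.href; // same-site request: untouched
  for (const [key, value] of [...url.searchParams]) {
    if (/<[a-z!\/]/i.test(value)) {
      url.searchParams.set(key, value.replace(/</g, ""));
    }
  }
  return url.href;
}

// The container frame: copies whatever arrived in "ad" straight into its own
// document, so any site that can build this URL controls the frame's markup.
function renderFrame(requestUrl) {
  const ad = new URL(requestUrl).searchParams.get("ad") ?? "";
  return "<body>" + ad + "</body>";
}

// Rough approximation of what the reader sees: the text that is left once
// well-formed tags have been parsed away.
function visibleText(html) {
  return html.replace(/<[^>]*>/g, "").trim();
}

// Constructed sample advert and the cross-site request that carries it.
const AD = '<a href="https://shop.example/"><img src="banner.png" alt="Sale"></a>';
const request =
  "https://frames.example/container.html?ad=" + encodeURIComponent(AD);

// Without the filter the frame holds only tags, so no stray text is shown.
const unfiltered = visibleText(renderFrame(request));

// With the filter the same frame shows the advert's source minus each "<".
const filtered = visibleText(
  renderFrame(neutraliseRequest(request, "https://news.example"))
);

console.log(JSON.stringify(unfiltered));
console.log(JSON.stringify(filtered));
```

The frame code is identical in both runs; only the request changed, which is why the advert's source appears as text instead of the advert.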