NoScript 2.6.9.34's XSS protection currently breaks OpenID login on stackexchange (and sister sites including stackoverflow.com).
I'm testing with a launchpad.net OpenID. The browser console shows several "[NoScript XSS] Sanitized suspicious request" messages, a yellow banner says "NoScript filtered a potential cross-site scripting (XSS) attempt from [https://gaming.stackexchange.com]", and the launchpad OpenID endpoint produces a 404 error.
XSS false positive breaks OpenID on stackexchange sites
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XSS false positive breaks OpenID on stackexchange sites
Could you please PM or email me the exact [NoScript XSS] and [InjectionChecker] messages you get in the browser console?
Thanks!
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Re: XSS false positive breaks OpenID on stackexchange sites
Giorgio Maone wrote:
Could you please PM or email me the exact [NoScript XSS] and [InjectionChecker] messages you get in the browser console?

Done.
Thanks!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Re: XSS false positive breaks OpenID on stackexchange sites
FYI, I don't remember this being a problem when I logged in to stackexchange yesterday. Unless my memory is failing me, it's probably related to a new login system that they apparently patched today.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Re: XSS false positive breaks OpenID on stackexchange sites
Just to confirm that this is now repeating... unable to log in today, even using Unsafely Reload, without disabling: Options | Advanced | XSS | 'Sanitise...' and 'Turn Cross Site...'
When I've disabled these, I'm able to log in fine. I can pm you Console details... How much do you want?
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Re: XSS false positive breaks OpenID on stackexchange sites
Jackalus wrote:
I can pm you Console details... How much do you want?

The full InjectionChecker and/or XSS messages would be great, thanks.
*Always* check the changelogs BEFORE updating that important software!
-
Re: XSS false positive breaks OpenID on stackexchange sites
Actually, does the latest development build 2.9.0.5rc3 still have this problem?
*Always* check the changelogs BEFORE updating that important software!
-
Re: XSS false positive breaks OpenID on stackexchange sites
Some stackexchange users have reported working around the problem by adding a regex like this to NoScript's Anti-XSS Protection Exceptions:
Code:
^https://login\.launchpad\.net/\+[Oo][Pp][Ee][Nn][Ii][Dd]\?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
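Before adding an Anti-XSS exception it is worth checking exactly which URLs it exempts, since an exception is a hole in the filter. The following is an added example, not code from the thread or from NoScript: it takes the regex quoted in the post above and runs it against constructed sample URLs, showing that the leading anchor, the escaped "+" and the exact host keep the exemption limited to the launchpad OpenID endpoint and nothing else.

```javascript
// Added example (not from the thread or from NoScript's own code): checks
// what the suggested Anti-XSS exception regex does and does not match, so
// its scope can be judged before it is added. All sample URLs are constructed.
const openIdException = /^https:\/\/login\.launchpad\.net\/\+[Oo][Pp][Ee][Nn][Ii][Dd]\?/;

// Returns true when the URL would be exempted from NoScript's XSS filter.
function isExempted(url) {
  return openIdException.test(url);
}

// Constructed sample URLs: the launchpad endpoint in two spellings, plus
// lookalikes that the anchored regex is meant to leave under filtering.
const samples = [
  "https://login.launchpad.net/+openid?openid.mode=checkid_setup",      // exempted
  "https://login.launchpad.net/+OpenID?openid.mode=id_res",             // exempted (case class)
  "http://login.launchpad.net/+openid?x=1",                             // plain http: filtered
  "https://login.launchpad.net.example/+openid?x=1",                    // lookalike host: filtered
  "https://example.org/?u=https://login.launchpad.net/+openid?",        // not at start: filtered
  "https://login.launchpad.net/openid?x=1",                             // missing '+': filtered
];

// Labels each URL with the decision the exception would produce.
function classify(urls) {
  return urls.map(u => ({ url: u, exempted: isExempted(u) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of classify(samples)) {
    console.log((r.exempted ? "EXEMPT " : "FILTER ") + r.url);
  }
}
```

Only the first two samples are exempted; the rest still go through the XSS filter, which is the behaviour you want from a narrowly scoped exception.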
Re: XSS false positive breaks OpenID on stackexchange sites
barbaz wrote:
Actually does latest development build 2.9.0.5rc3 still have this problem?

The just-released 2.9.0.5 still has this problem.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0