XSS false positive breaks OpenID on stackexchange sites

[forest]

NoScript 2.6.9.34's XSS protection currently breaks OpenID login on stackexchange (and sister sites including stackoverflow.com).

I'm testing with a launchpad.net OpenID. The browser console shows several "[NoScript XSS] Sanitized suspicious request" messages, a yellow banner says "NoScript filtered a potential cross-site scripting (XSS) attempt from [https://gaming.stackexchange.com], and the launchpad OpenID endpoint produces a 404 error.

[Giorgio Maone]

Could you please PM or email me the exact [NoScript XSS] and [InjectionChecker] messages you get in the browser console?
Thanks!

[forest]

Could you please PM or email me the exact [NoScript XSS] and [InjectionChecker] messages you get in the browser console?
Thanks!

Done.

[forest]

FYI, I don't remember this being a problem when I logged in to stackexchange yesterday. Unless my memory is failing me, it's probably related to a new login system that they apparently patched today.

[Jackalus]

Just to confirm that this is now repeating... unable to log in today, even using Unsafely Reload, without disabling: Options | Advanced | XSS | 'Sanitise...' and 'Turn Cross Site...'

When I've disabled these, I'm able to log in fine. I can pm you Console details... How much do you want?

[barbaz]

I can pm you Console details... How much do you want?

The full InjectionChecker and/or XSS mesages would be great, thanks.

[barbaz]

Actually does latest development build 2.9.0.5rc3 still have this problem?

[foresto]

Some stackexchange users have reported working around the problem by adding a regex like this to NoScript's Anti-XSS Protection Exceptions:

Code: Select all

^https://login\.launchpad\.net/\+[Oo][Pp][Ee][Nn][Ii][Dd]\?

[forest]

Actually does latest development build 2.9.0.5rc3 still have this problem?

The just-released 2.9.0.5 still has this problem.