Can't add XSS white name list or turn XSS off

Ask for help about NoScript, no registration needed to post
Post Reply
jc3213
Posts: 4
Joined: Tue Mar 24, 2015 5:29 am

Can't add XSS white name list or turn XSS off

Post by jc3213 »

I'm using Firefox 64bit, nightly 2016-02-17, Noscript 2.9.0.4, and e10s Off

http://mail.yeah.net/ won't show login form for me then I see the console
[NoScript] Blocking cross-site Javascript served from http://urscdn.nosdn.127.net/webzj_myeah ... 6020301.js with wrong type info text/plain, inline; filename="webzj_myeah%2Fmessage_2016020301.js" and included by http://mail.yeah.net/
I've tried to add the urls to XSS white list

Code: Select all

^https?://mail\.yeah\.net/.*$
^https?://[^\/]+127\.net/.*$
But nothing happens, that .js file will still be blocked, and no login form is shown.

I've then turn off "Santinize cross-site suspicious requests" and "Turn cross-site POST requests into data-less GET requests", but this won't help either, and even worse, I can't open "Option Window" from Noscript Toolbar Button. And in console I saw
NS_ERROR_NOT_INITIALIZED: noscript.js:53:0
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Top
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:
Contact Thrawn

Re: Can't add XSS white name list or turn XSS off

Post by Thrawn »

This is not coming from the XSS filter. You should turn that back on.

It's the cross-site inclusion filter (aka Inclusion Type Checking). I and others have mentioned the confusion before.

Typically this error arises when a site is abusing something like Github or Google Code to load JavaScript that wasn't supposed to be directly included in the page. However, in this case, it looks like Yeah has simply misconfigured their CDN (it's reporting the wrong content type, 'text/plain'). You should probably report it to them; and in the meantime, you can work around it if you're comfortable editing settings in about:config

You would need to add:

Code: Select all

http://urscdn.nosdn.127.net/webzj_myeah/*
to noscript.inclusionTypeChecking.exceptions
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Top
jc3213
Posts: 4
Joined: Tue Mar 24, 2015 5:29 am

Re: Can't add XSS white name list or turn XSS off

Post by jc3213 »

Thrawn wrote:This is not coming from the XSS filter. You should turn that back on.

It's the cross-site inclusion filter (aka Inclusion Type Checking). I and others have mentioned the confusion before.

Typically this error arises when a site is abusing something like Github or Google Code to load JavaScript that wasn't supposed to be directly included in the page. However, in this case, it looks like Yeah has simply misconfigured their CDN (it's reporting the wrong content type, 'text/plain'). You should probably report it to them; and in the meantime, you can work around it if you're comfortable editing settings in about:config

You would need to add:

Code: Select all

http://urscdn.nosdn.127.net/webzj_myeah/*
to noscript.inclusionTypeChecking.exceptions
Oh, thanks for the tips!
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Top
Post Reply

Return to “NoScript Support”