
Can't add XSS white name list or turn XSS off

Posted: Thu Feb 18, 2016 11:01 am
by jc3213
I'm using Firefox 64-bit, Nightly 2016-02-17, NoScript 2.9.0.4, and e10s off.

http://mail.yeah.net/ won't show the login form for me, and then I see this in the console:
[NoScript] Blocking cross-site Javascript served from http://urscdn.nosdn.127.net/webzj_myeah ... 6020301.js with wrong type info text/plain, inline; filename="webzj_myeah%2Fmessage_2016020301.js" and included by http://mail.yeah.net/
I've tried to add the urls to XSS white list

Code:

^https?://mail\.yeah\.net/.*$
^https?://[^\/]+127\.net/.*$
But nothing happens, that .js file will still be blocked, and no login form is shown.

I've then turned off "Sanitize cross-site suspicious requests" and "Turn cross-site POST requests into data-less GET requests", but this won't help either, and even worse, I can't open the "Option Window" from the NoScript toolbar button. And in the console I saw:
NS_ERROR_NOT_INITIALIZED: noscript.js:53:0

Re: Can't add XSS white name list or turn XSS off

Posted: Thu Feb 18, 2016 11:46 pm
by Thrawn
This is not coming from the XSS filter. You should turn that back on.

It's the cross-site inclusion filter (aka Inclusion Type Checking). I and others have mentioned the confusion before.

Typically this error arises when a site is abusing something like Github or Google Code to load JavaScript that wasn't supposed to be directly included in the page. However, in this case, it looks like Yeah has simply misconfigured their CDN (it's reporting the wrong content type, 'text/plain'). You should probably report it to them; and in the meantime, you can work around it if you're comfortable editing settings in about:config

You would need to add:

Code:

http://urscdn.nosdn.127.net/webzj_myeah/*
to noscript.inclusionTypeChecking.exceptions
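
A simplified model of the inclusion type check described in the reply above, as an added example that is not part of the original thread and not NoScript's own code. The function names, the host comparison used to decide "cross-site", the `*` wildcard semantics and the `example.js` file name are assumptions made for illustration.

```javascript
// Simplified model of a cross-site inclusion type check.
// Added example: not NoScript's code; matching rules below are assumptions.
const JS_TYPES = new Set([
  "application/javascript", "text/javascript", "application/x-javascript",
  "application/ecmascript", "text/ecmascript",
]);

// "text/plain; charset=utf-8" -> "text/plain"
function mimeOf(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Assumed exception syntax: a URL in which "*" matches any run of characters.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function checkScriptInclusion(pageUrl, scriptUrl, contentType, exceptions = []) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  // Assumption: "cross-site" means the script host differs from the page host.
  if (page.host === script.host) return { allowed: true, reason: "same-site" };
  if (exceptions.some((glob) => globToRegExp(glob).test(script.href))) {
    return { allowed: true, reason: "exception" };
  }
  const mime = mimeOf(contentType);
  if (JS_TYPES.has(mime)) return { allowed: true, reason: "type-ok" };
  return { allowed: false, reason: "wrong type " + (mime || "(none)") };
}

// Constructed sample input; example.js is a placeholder file name.
const PAGE = "http://mail.yeah.net/";
const SCRIPT = "http://urscdn.nosdn.127.net/webzj_myeah/example.js";
const EXCEPTIONS = ["http://urscdn.nosdn.127.net/webzj_myeah/*"];

console.log(checkScriptInclusion(PAGE, SCRIPT, "text/plain"));
console.log(checkScriptInclusion(PAGE, SCRIPT, "text/plain", EXCEPTIONS));
console.log(checkScriptInclusion(PAGE, SCRIPT, "application/javascript; charset=utf-8"));
```

The exception only covers URLs under the listed path, so scripts served with the wrong type from elsewhere on the same CDN host are still blocked in this model.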

Re: Can't add XSS white name list or turn XSS off

Posted: Fri Feb 26, 2016 12:57 am
by jc3213
Thrawn wrote: This is not coming from the XSS filter. You should turn that back on.

It's the cross-site inclusion filter (aka Inclusion Type Checking). I and others have mentioned the confusion before.

Typically this error arises when a site is abusing something like Github or Google Code to load JavaScript that wasn't supposed to be directly included in the page. However, in this case, it looks like Yeah has simply misconfigured their CDN (it's reporting the wrong content type, 'text/plain'). You should probably report it to them; and in the meantime, you can work around it if you're comfortable editing settings in about:config

You would need to add:

Code:

http://urscdn.nosdn.127.net/webzj_myeah/*
to noscript.inclusionTypeChecking.exceptions
Oh, thanks for the tips!