noscript xss issues with bookmarklets
Posted: Mon Feb 22, 2016 12:07 pm
by pinboarder
Hello,
I have 2 bookmarklets from pinboard (here - popup and popup with tags) that I am having problems using with noscript.
If I use noscript with script blocking enabled the bookmarklets work.
If I disable noscript script blocking but keep other protections the bookmarklets do not work until I either disable XSS protections or reset noscript to defaults.
Is there a way to work around this so I can use the bookmarklets and noscript with script blocking disabled?
Re: noscript xss issues with bookmarklets
Posted: Mon Feb 22, 2016 11:09 pm
by Thrawn
pinboarder wrote:
If I disable noscript script blocking
What do you mean by this? "Scripts Globally Allowed"? There isn't a checkbox to switch off script-blocking.
Re: noscript xss issues with bookmarklets
Posted: Tue Feb 23, 2016 12:45 am
by therube
What happens if you only Allow pinboard.in ?
Or both pinboard.in & the domain you run the bookmarklet from?
Guessing that is what is needed?
Re: noscript xss issues with bookmarklets
Posted: Tue Feb 23, 2016 1:09 am
by barbaz
Thrawn wrote:
pinboarder wrote:
If I disable noscript script blocking
What do you mean by this? "Scripts Globally Allowed"? There isn't a checkbox to switch off script-blocking.
I'm guessing yes, that they disabled NoScript from the Add-ons Manager and instead of confirming at NoScript's warning, selected the "No, just stop blocking scripts" option.
Re: noscript xss issues with bookmarklets
Posted: Tue Feb 23, 2016 2:41 pm
by pinboarder
barbaz wrote:
Thrawn wrote:
pinboarder wrote:
If I disable noscript script blocking
What do you mean by this? "Scripts Globally Allowed"? There isn't a checkbox to switch off script-blocking.
I'm guessing yes, that they disabled NoScript from the Add-ons Manager and instead of confirming at NoScript's warning, selected the "No, just stop blocking scripts" option.
therube wrote:What happens if you only Allow pinboard.in ?
Or both pinboard.in & the domain you run the bookmarklet from?
Guessing that is what is needed?
Barbaz: yes, this is what I meant, sorry if not clear.
Re: noscript xss issues with bookmarklets
Posted: Tue Feb 23, 2016 2:44 pm
by pinboarder
therube wrote:What happens if you only Allow pinboard.in ?
Or both pinboard.in & the domain you run the bookmarklet from?
Guessing that is what is needed?
Pinboard.in is whitelisted already. I have tried whitelisting a page and testing a bookmarklet but it still does not work. It would not be a great solution though if it did, as the idea of pinboard is it is an online bookmark service so I could be bookmarking for any site on internet.
Re: noscript xss issues with bookmarklets
Posted: Tue Feb 23, 2016 3:35 pm
by therube
"No, just stop blocking scripts"
Is that the same as 'Allow Script Globally'?
What is "popup" supposed to do?
With scripts Allow Globally, popup bookmarklet pops up a window asking me to login.
(It may have been that after first "No, just stop blocking scripts", that at that point, the popup did not work ? not sure, but there was one point in time when it did not. Possible that either a new window or browser restart was required?)
until I either disable XSS protections or reset noscript to defaults.
If you Reset NoScript, then XSS is enabled, so I'm not quite following?
You've tested with a new, clean Profile?
Only change is to install NoScript, then set "No, just stop blocking scripts".
Re: noscript xss issues with bookmarklets
Posted: Wed Feb 24, 2016 2:17 pm
by pinboarder
therube wrote:"No, just stop blocking scripts"
Is that the same as 'Allow Script Globally'?
Yes as far as I can tell
therube wrote:
What is "popup" supposed to do?
popup = opens a window, adds a bookmark of the current page to my pinboard.in account, closes window. No user action needed for this
popup with tags = opens a window as above but stays open until you add tags for the bookmark and save
With scripts Allow Globally, popup bookmarklet pops up a window asking me to login.
therube wrote:
(It may have been that after first "No, just stop blocking scripts", that at that point, the popup did not work ? not sure, but there was one point in time when it did not. Possible that either a new window or browser restart was required?)
Yes, this does seem to be the case, sometimes even a few times it will work before breaking again.
therube wrote:
until I either disable XSS protections or reset noscript to defaults.
If you Reset NoScript, then XSS is enabled, so I'm not quite following?
The problem with the bookmarklet can be resolved by either
1. disabling XSS protection when "Allow Scripts Globally" is set
2. resetting noscript to defaults; which enables XSS protection and Blocks Scripts (I need to whitelist pinboard.in after reset)
therube wrote:
You've tested with a new, clean Profile?
Only change is to install NoScript, then set "No, just stop blocking scripts".
Yes, I've tried this, always once I allow scripts globally it will shortly fail and stay broken until either xss protection is turned off or script blocking is turned back on (with
Re: noscript xss issues with bookmarklets
Posted: Wed Feb 24, 2016 5:19 pm
by barbaz
XSS protection should log InjectionChecker and/or XSS messages.
Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
Re: noscript xss issues with bookmarklets
Posted: Wed Jun 15, 2016 8:02 pm
by pinboarder
Error I get in console CSS
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'unsafe-eval' *").
Re: noscript xss issues with bookmarklets
Posted: Wed Jun 15, 2016 8:04 pm
by pinboarder
I should say that there are no other errors in the console. Just that.
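The console message above quotes the directive script-src 'unsafe-eval' *. As an added example (not written by any poster and not code from NoScript or Pinboard), this sketch applies standard CSP source-list rules to such a directive to show which kinds of script it permits; the function names and the example.com URL are assumptions made for illustration.

```javascript
// Added example: which kinds of script does a CSP script-src list permit?
// Handles '*', scheme-sources, host-sources and the two 'unsafe-*' keywords.
// Out of scope: 'self', nonces, hashes, 'strict-dynamic', ports, paths and
// the scheme part of a host-source.
function parseDirective(policy, name) {
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) {
      return tokens.slice(1);
    }
  }
  return null; // directive not present in the policy
}

function scriptSrcVerdict(policy, externalUrl) {
  // script-src falls back to default-src when it is absent.
  const sources = parseDirective(policy, 'script-src') ||
                  parseDirective(policy, 'default-src');
  if (sources === null) {
    return { inline: true, eval: true, external: true }; // nothing restricts scripts
  }
  const lower = sources.map((s) => s.toLowerCase());
  const url = new URL(externalUrl);
  const networkScheme = ['http:', 'https:'].includes(url.protocol);
  const external = lower.some((src) => {
    if (src === '*') return networkScheme;              // '*' does not cover data: or blob:
    if (src.startsWith("'")) return false;              // keywords never match a URL
    if (src.endsWith(':')) return src === url.protocol; // scheme-source, e.g. https:
    const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').split('/')[0];
    if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
    return host === url.hostname;
  });
  return {
    // Inline covers <script> bodies, on* handlers and javascript: URLs.
    inline: lower.includes("'unsafe-inline'"),
    eval: lower.includes("'unsafe-eval'"),
    external,
  };
}

// Directive copied from the console message in the thread.
const POLICY_FROM_THREAD = "script-src 'unsafe-eval' *";
// Constructed sample URL, not taken from the thread.
console.log(scriptSrcVerdict(POLICY_FROM_THREAD, 'https://example.com/app.js'));
```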