XSS & Marketwatch site

Posted: Thu Mar 24, 2016 3:07 am
by Jojo999
I ALWAYS get XSS warnings when I view the Marketwatch website. Like this:

https://drive.google.com/file/d/0B3aloI ... sp=sharing

Unsafe reload doesn't work because the problem keeps reappearing. X'ing them doesn't work because they keep reappearing.

Here are the errors I copied from the console. Can you tell me how to fix this permanently so I don't get these errors on the website any longer?

[NoScript XSS] xss.reason.TypeError: IOUtil.newChannelFromURI is not a function --- ChannelReplacement.prototype._init@chrome://noscript/content/ChannelReplacementLegacy.js:114
ChannelReplacement@chrome://noscript/content/ChannelReplacement.js:2
ABERequest.prototype<.replace@chrome://noscript/content/ABE.js:990
RequestWatchdog.prototype.filterXSS@chrome://noscript/content/RequestWatchdog.js:950
RequestWatchdog.prototype.onHttpStart/<@chrome://noscript/content/RequestWatchdog.js:158
DOSChecker.prototype.run@chrome://noscript/content/RequestWatchdog.js:2798
RequestWatchdog.prototype.onHttpStart@chrome://noscript/content/RequestWatchdog.js:159
ns.httpObserver.observe@jar:file:///D:/Users/Me%232/AppData/Roaming/Moonchild%20Productions/Pale%20Moon/Profiles/mggdaknq.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354

----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://tags.bluekai.com/site/4455?ret=h ... arketWatch] requested from [http://www.marketwatch.com/story/5-thin ... teid=nwhpm]. Sanitized URL: [http://tags.bluekai.com/site/4455?ret=h ... 0914172376].
----------
[NoScript InjectionChecker] JavaScript Injection in coalesced:///site/4455ret=html&limit=10&r=89200&phint=serverDomain=www.marketwatch.com, primaryProduct=MarketWatch, pageName=MW_Article_Personal Finance|Personal Finance_228D063A-D0E9-11E5-BF9E-4FFDC1DCE796, section=MW_Personal Finance, articleType=MW_Article_Normal_Personal Finance|Personal Finance, contentType=article, contentChannel=Article, isSub=nomem, __bk_k=5 things to know about the Costco and AmEx breakup - MarketWatch
(function anonymous() {
serverDomain=www.marketwatch.com, primaryProduct=MarketWatch, /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
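
Added example, not code from NoScript, this thread or its posters: a simplified model of the heuristic behind the "[NoScript InjectionChecker] JavaScript Injection" line above. NoScript decodes the request's query, wraps candidate text in a function with a comment terminator and a dummy expression (the wrapper is visible in the log) and asks the JS parser whether it compiles. The bluekai `phint` value is a comma-separated list of `key=value` pairs, which happens to be a syntactically valid JavaScript comma expression of assignments, so a syntax-based check flags it although it is only analytics metadata. The function names, the sanitizer strategy, the exception-list check and the sample URL are assumptions made for this illustration.

```javascript
// Constructed sample, modelled on (not copied from) the request in the log.
const SAMPLE_URL =
  "http://tags.bluekai.com/site/4455?ret=html&limit=10&r=89200" +
  "&phint=serverDomain%3Dwww.marketwatch.com%2C%20primaryProduct%3DMarketWatch";

// Characters a value would need to do anything as JavaScript. Bare words and
// numbers ("html", "10") also parse as JS, so a syntax check alone would flag
// every parameter; requiring one of these first keeps the check focused on
// assignment, call and block shapes.
const JS_SHAPE = /[=(){}\[\]]/;

// Does a decoded query value parse as JavaScript? The Function constructor is
// used purely as a parser here: it compiles the text and never invokes it.
// The trailing comment terminator and dummy expression mirror the wrapper in
// the log, so a value ending in an open "//" comment cannot swallow the rest.
function looksLikeJs(value) {
  if (!JS_SHAPE.test(value)) return false;
  try {
    new Function(value + "\n/* COMMENT_TERMINATOR */\nDUMMY_EXPR");
    return true;
  } catch (e) {
    return false; // SyntaxError: not a JS program, treat as plain data
  }
}

// Names of the query parameters whose decoded values look like JS.
// URLSearchParams percent-decodes each value for us.
function findSuspiciousParams(url) {
  const hits = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (looksLikeJs(value)) hits.push(name);
  }
  return hits;
}

// Simplified sanitizer (an assumption, not NoScript's algorithm): neutralise
// flagged values by replacing JS-meaningful characters with spaces, so the
// request still reaches the server but the value no longer parses as code.
function sanitizeUrl(url) {
  const u = new URL(url);
  for (const name of findSuspiciousParams(url)) {
    const cleaned = u.searchParams.get(name).replace(/[=(){}\[\];,'"`<>]/g, " ");
    u.searchParams.set(name, cleaned);
  }
  return u.toString();
}

// Per-origin exception list, in the spirit of an XSS whitelist: requests to a
// listed origin are passed through without being inspected at all.
function shouldFilter(url, xssWhitelist) {
  return !xssWhitelist.includes(new URL(url).origin);
}

// Stand-alone demo (skipped when loaded as a module).
if (typeof require !== "undefined" && require.main === module) {
  console.log("suspicious:", findSuspiciousParams(SAMPLE_URL));
  console.log("sanitized :", sanitizeUrl(SAMPLE_URL));
  console.log("filter?   :", shouldFilter(SAMPLE_URL, ["http://tags.bluekai.com"]));
}
```

Running it reports `phint` as the only suspicious parameter, and the sanitized URL no longer trips the check. The real InjectionChecker is considerably more elaborate (it also examines the path, coalesced fragments and HTML-injection shapes), but the core question, "would this text compile?", is why a tracker pixel with assignment-like metadata gets sanitized on every load rather than once.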

Re: XSS & Marketwatch site

Posted: Thu Mar 24, 2016 11:58 am
by barbaz
Don't know what to say about the first message. That might be a NoScript bug, not sure.
As for the others, can you please explain more how this is different from viewtopic.php?f=7&t=21542 ?

Re: XSS & Marketwatch site

Posted: Thu Mar 24, 2016 8:52 pm
by Jojo999
Sorry, forgot about that other page. I will return to that one although I was not successful in getting comments to work, which is my ultimate goal.

Re: XSS & Marketwatch site

Posted: Tue Mar 29, 2016 5:26 pm
by Elbart
I get the first error in the opening posting

[NoScript XSS] xss.reason.TypeError: IOUtil.newChannelFromURI is not a function --- ChannelReplacement.prototype._init@chrome://noscript/content/ChannelReplacementLegacy.js:114 ...
by visiting http://thefamiliar.beamdog.com/5.0/#!/articles/105651 with beamdog.com NOT on the whitelist, using Firefox 24ESR and NS 2.9.0.10.

In newer Firefox, the error is not shown and I can add beamdog.com to the whitelist.
But not in 24ESR, where there's only an entry for "about:blank" in the NS-menu.
After whitelisting beamdog.com from within the NS-options, the site's loading and the error is not shown.

Re: XSS & Marketwatch site

Posted: Thu Mar 31, 2016 10:12 pm
by Thrawn
Jojo999 wrote:file:///D:/Users/Me%232/AppData/Roaming/Moonchild%20Productions/Pale%20Moon/Profiles/mggdaknq.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354
You are using Pale Moon (and disguising your user agent). Looks like NoScript has some difficulty with older Gecko (and, by extension, Goanna). Does it happen with the latest NoScript?

Re: XSS & Marketwatch site

Posted: Sat Apr 02, 2016 6:41 am
by Elbart
Thrawn wrote:
Jojo999 wrote:file:///D:/Users/Me%232/AppData/Roaming/Moonchild%20Productions/Pale%20Moon/Profiles/mggdaknq.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354
You are using Pale Moon (and disguising your user agent). Looks like NoScript has some difficulty with older Gecko (and, by extension, Goanna). Does it happen with the latest NoScript?
Tried PM 26.1.1 and NS 2.9.0.10 and couldn't trigger the XSS-warning on marketwatch.com.
Maybe it needs a special combination of whitelisted domains and settings.

EDIT: needs wsj.net and bluekai.com whitelisted, then the XSS-warning appears in both Firefox and Palemoon.
In a more recent Firefox-version, the warning does not appear.

The XSS-log-message on beamdog.com, and inability to whitelist beamdog.com from the NS-menu, is happening in Fx 24 and PM 26 using NS 2.9.0.10 either way.

PS: When the XSS-warning on marketwatch appears, the bluekai.com-domain-entry isn't listed in the NS-menu anymore, and I cannot blacklist bluekai.com this way. Is this a bug?

Re: XSS & Marketwatch site

Posted: Sun Apr 03, 2016 11:49 pm
by Thrawn
I recommend that you completely block bluekai. Have you read the thread linked by barbaz? The fact that you don't see the XSS warnings with it blocked is a good thing.

With the latest Pale Moon and NoScript, do you still get the "IOUtil.newChannelFromURI is not a function" error?

Re: XSS & Marketwatch site

Posted: Mon Apr 04, 2016 8:04 am
by Elbart
Thrawn wrote:I recommend that you completely block bluekai. Have you read the thread linked by barbaz? The fact that you don't see the XSS warnings with it blocked is a good thing.
Maybe, but when it's allowed and the page is reloaded using "Unsafe Reload" after the first time the XSS-warning pops up, shouldn't the warning not appear a second, third or fourth time?
EDIT: The XSS-warning and the error in the browser-console don't appear with bluekai whitelisted when "Sanitize cross-site-suspicious requests" is disabled or http://tags.bluekai.com is added to the XSS-whitelist.

Plus there's the issue of not being able to blacklist it again from the menu.
Thrawn wrote:With the latest Pale Moon and NoScript, do you still get the "IOUtil.newChannelFromURI is not a function" error?
Where?

Firefox 24ESR and NS 2.9.0.10 still throws the error on the beamdog.com-links pasted above, yes.

EDIT:
The error-message using the beamdog.com-link is a bit different than the one with bluekai.

beamdog:

[NoScript XSS] xss.reason.TypeError: IOUtil.newChannelFromURI is not a function --- ChannelReplacement.prototype._init@chrome://noscript/content/ChannelReplacementLegacy.js:114
ChannelReplacement@chrome://noscript/content/ChannelReplacement.js:2
ABERequest.prototype<.replace@chrome://noscript/content/ABE.js:990
RequestWatchdog.prototype.onHttpStart@chrome://noscript/content/RequestWatchdog.js:148
ns.httpObserver.observe@jar:file:///C:/Users/user/AppData/Roaming/Mozilla/Firefox/Profiles/qqdyhxdm.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354
bluekai:

[NoScript XSS] xss.reason.TypeError: IOUtil.newChannelFromURI is not a function --- ChannelReplacement.prototype._init@chrome://noscript/content/ChannelReplacementLegacy.js:114
ChannelReplacement@chrome://noscript/content/ChannelReplacement.js:2
ABERequest.prototype<.replace@chrome://noscript/content/ABE.js:990
RequestWatchdog.prototype.filterXSS@chrome://noscript/content/RequestWatchdog.js:950
RequestWatchdog.prototype.onHttpStart/<@chrome://noscript/content/RequestWatchdog.js:158
DOSChecker.prototype.run@chrome://noscript/content/RequestWatchdog.js:2798
RequestWatchdog.prototype.onHttpStart@chrome://noscript/content/RequestWatchdog.js:159
ns.httpObserver.observe@jar:file:///C:/Users/user/AppData/Roaming/Mozilla/Firefox/Profiles/qqdyhxdm.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354

Re: XSS & Marketwatch site

Posted: Wed Apr 06, 2016 12:18 am
by Thrawn
Well, Firefox 24 ESR is quite old, and although several moderators (including myself) like Pale Moon, Giorgio is targeting Firefox. Does the page still work despite the errors?

Rather than switching off the XSS filter, it would be better to block bluekai with something like ABE. The inability to un-trust it might be a bug.

Re: XSS & Marketwatch site

Posted: Fri Apr 08, 2016 11:20 am
by Elbart
Thrawn wrote:Well, Firefox 24 ESR is quite old
NSS is marked as supporting Firefox 13 and newer, so I don't understand this remark.
Thrawn wrote:, and although several moderators (including myself) like Pale Moon, Giorgio is targeting Firefox. Does the page still work despite the errors?
See my postings above.
Thrawn wrote:Rather than switching off the XSS filter, it would be better to block bluekai with something like ABE. The inability to un-trust it might be a bug.
Yes, as much of a bug as not being able to whitelist beamdog.com when using the URL posted above.
The two error-messages might be related, as both cause the respective domain-entry to not be added to the NSS-dropdown-menu.

Re: XSS & Marketwatch site

Posted: Fri Apr 08, 2016 2:16 pm
by barbaz
Elbart wrote:
Thrawn wrote:Well, Firefox 24 ESR is quite old
NSS is marked as supporting Firefox 13 and newer, so I don't understand this remark.
NoScript *does* support Firefox 13+ however in practice supported browsers based on the latest Gecko seem to get priority over the older versions. (I think Giorgio anyway recommends updating the browser to latest version.)

Re: XSS & Marketwatch site

Posted: Sun Apr 10, 2016 8:43 pm
by Elbart
As suspected, the XSS-errors and misbehaviors (repeated XSS-unsafe-reload-notification, no entry in the NS-menu) for both the bluekai- and beamdog-issue are the result of a regression.

Last good: 2.9.0.6rc1
First bad: 2.9.0.8rc1

The versions in between either can't be installed in 24ESR or refuse to work at all ("not installed properly" or something like that).

PS: The beamdog-issue also affects mega.nz-URLs.

Re: XSS & Marketwatch site

Posted: Fri Apr 15, 2016 8:48 am
by Elbart
Another example: https://www.vulnerabilitycenter.com/#!vul=55665

EDIT:
Another problem has the same regression-range:
The Web-GUI of SabNZBd 0.7.20 is in a permanent state of showing the loading-icon in the tabbar with 2.9.0.8rc1.
The GUI itself is refreshing every 4 seconds, but the loading animation is spinning non-stop. There's no way to stop it.

In 2.9.0.6rc1 this isn't happening.

To make things worse, there's no warning, error-message or other information pointing to the cause of this. The Network-inspector of Firefox isn't showing anything either.

Re: XSS & Marketwatch site

Posted: Fri Apr 15, 2016 2:10 pm
by barbaz
Elbart wrote:EDIT:
Another problem has the same regression-range:
The Web-GUI of SabNZBd 0.7.20 is in a permanent state of showing the loading-icon in the tabbar with 2.9.0.8rc1.
The GUI itself is refreshing every 4 seconds, but the loading animation is spinning non-stop. There's no way to stop it.

In 2.9.0.6rc1 this isn't happening.

To make things worse, there's no warning, error-message or other information pointing to the cause of this. The Network-inspector of Firefox isn't showing anything either.
viewtopic.php?f=10&t=21762 ?

Re: XSS & Marketwatch site

Posted: Tue Oct 09, 2018 11:55 pm
by VIPscriptfree
I am getting a NoScript XSS Warning for this site: https://www.marketwatch.com/
Just click the link and the warning should pop up.

Red Error messages from the Error Console

XML Parsing Error: no root element found
Location: https://mwstream.wsj.net/bg2/signalr/abort?transport=webSockets&clientProtocol=1.5&connectionToken=041716a9-a8bc-4519-9814-6a80505f99f8%3A&connectionData=%5B%7B%22name%22%3A%22mainhub%22%7D%5D
Line Number 1, Column 1: abort:1:1