eBay URL Problems
Posted: Wed Apr 13, 2016 11:53 am
by Oeconomist
I run PaleMoon and Firefox on Fedora Core 22 Linux on a 64-bit Atom CPU.
When I try to perform eBay searches with slightly complicated strings, recent versions of NoScript cause the browser to choke on the URL. Here is an example of a URL that does not work with NoScript enabled, but works fine with NoScript disabled:
http://www.ebay.com/dsc/i.html?&_osacat ... itleDesc=1
Re: eBay URL Problems
Posted: Wed Apr 13, 2016 2:17 pm
by therube
Re: eBay URL Problems
Posted: Thu Apr 14, 2016 5:57 am
by Oeconomist
It does not seem to apply. I have not observed a problem with NoScript failing to install; the bug manifests itself both in PaleMoon and in Firefox; NoScript seems to work as expected in other contexts. eBay searches that have simpler URLs work fine.
Indeed, I was surprised that the bug is one of NoScript. It was only by a process of elimination that I associated the problem with NoScript. It is as if NoScript parses the URL incorrectly and does not see that the domain is whitelisted when the portion of the URL used to pass parameters is a bit involved, even though none of those parameters looks like a domain-name.
Re: eBay URL Problems
Posted: Sun Apr 24, 2016 6:33 am
by Oeconomist
Ah, the crickets! They chirp!
Re: eBay URL Problems
Posted: Sun Apr 24, 2016 11:51 am
by barbaz
Funny how that account doesn't check out as same user as the guest poster...
@ Oeconomist Guest (if you're not the same person):
When this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)
Re: eBay URL Problems
Posted: Sun Apr 24, 2016 1:42 pm
by therube
Code:
[NoScript InjectionChecker] JavaScript Injection in ///dsc/i.html?&_osacat=1&_nkw=leroy (keuffel,kueffel,keufel,kuefel,keufell,kuefell,keuffell,kueffell) (esser,eser,esserr)&_sacat=0&LH_TitleDesc=1
(function anonymous() {
leroy (keuffel,kueffel,keufel,kuefel,keufell,kuefell,keuffell,kueffell) (esser,eser,esserr) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
Code:
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.ebay.com/dsc/i.html?&_osacat=1&_nkw=leroy+%28keuffel%2Ckueffel%2Ckeufel%2Ckuefel%2Ckeufell%2Ckuefell%2Ckeuffell%2Ckueffell%29+%28esser%2Ceser%2Cesserr%29&_sacat=0&LH_TitleDesc=1] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://www.ebay.com/dsc/i.html?&_osacat=1&_nkw=leroy+%20keuffel%2Ckueffel%2Ckeufel%2Ckuefel%2Ckeufell%2Ckuefell%2Ckeuffell%2Ckueffell%20+%20esser%2Ceser%2Cesserr%20&_sacat=0&LH_TitleDesc=1#4158468393455419684].
Code:
[NoScript InjectionChecker] JavaScript Injection in ///dsc/i.html?&_osacat=1&_nkw=leroy (keuffel,kueffel,keufel,kuefel,keufell,kuefell,keuffell,kueffell) (esser,eser,esserr)&_sacat=0&LH_TitleDesc=1
(function anonymous() {
leroy (keuffel,kueffel,keufel,kuefel,keufell,kuefell,keuffell,kueffell) (esser,eser,esserr) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
Code:
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.ebay.com/dsc/i.html?&_osacat=1&_nkw=leroy+%28keuffel%2Ckueffel%2Ckeufel%2Ckuefel%2Ckeufell%2Ckuefell%2Ckeuffell%2Ckueffell%29+%28esser%2Ceser%2Cesserr%29&_sacat=0&LH_TitleDesc=1] requested from [chrome://navigator/content/navigator.xul]. Sanitized URL: [http://www.ebay.com/dsc/i.html?&_osacat=1&_nkw=leroy+%20keuffel%2Ckueffel%2Ckeufel%2Ckuefel%2Ckeufell%2Ckuefell%2Ckeuffell%2Ckueffell%20+%20esser%2Ceser%2Cesserr%20&_sacat=0&LH_TitleDesc=1#8702105985253366310].
Re: eBay URL Problems
Posted: Sun Apr 24, 2016 2:31 pm
by barbaz
If you trust eBay not to be vulnerable to XSS, you can try adding this XSS exception (documented in FAQ 4.4, though the exception in that FAQ is outdated now):
Code:
^https?://www\.ebay\.com/dsc/i\.html
Or (better), if you only do searches from a searchplugin, see viewtopic.php?f=7&t=20851
Better yet, additionally secure eBay with an ABE rule, so that not just any site can even try to XSS eBay.
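The console output and the exception above, worked through as an added example (not part of any post in this thread, and not NoScript's code). It assumes a simplified heuristic: a decoded parameter value is treated as suspicious when it contains call syntax and parses as JavaScript, which is what the wrapped `function anonymous()` text in the log suggests. The helper names are hypothetical.

```javascript
// Copied from the "Original URL" in therube's console log above.
const LOGGED_URL =
  "http://www.ebay.com/dsc/i.html?&_osacat=1&_nkw=leroy+%28keuffel%2Ckueffel" +
  "%2Ckeufel%2Ckuefel%2Ckeufell%2Ckuefell%2Ckeuffell%2Ckueffell%29+%28esser" +
  "%2Ceser%2Cesserr%29&_sacat=0&LH_TitleDesc=1";

// The XSS exception barbaz posted, copied verbatim from the thread.
const XSS_EXCEPTION = /^https?:\/\/www\.ebay\.com\/dsc\/i\.html/;

// True when `text` compiles as a JavaScript function body. The function is
// never called, so the text is only parsed, not executed.
function parsesAsJs(text) {
  try {
    new Function(text);
    return true;
  } catch (err) {
    return false;
  }
}

// Assumed heuristic (not NoScript's code): a decoded value is suspicious when
// it contains call syntax such as "name (" and also parses as JavaScript.
function looksLikeInjection(value) {
  return /[\w$\])]\s*\(/.test(value) && parsesAsJs(value);
}

// Names of the query parameters whose decoded values trip the heuristic.
function flaggedParams(url) {
  return [...new URL(url).searchParams]
    .filter(([, value]) => looksLikeInjection(value))
    .map(([name]) => name);
}

// Mirrors the substitution visible in the "Sanitized URL" log line: encoded
// parentheses become encoded spaces (the appended #fragment is omitted).
function neutralize(url) {
  return url.replace(/%2[89]/gi, "%20");
}

// Whether the exception would switch the filter off for this URL.
function exempted(url) {
  return XSS_EXCEPTION.test(url);
}

console.log(flaggedParams(LOGGED_URL));             // flagged before sanitizing
console.log(flaggedParams(neutralize(LOGGED_URL))); // flagged after sanitizing
```

The search term `leroy (a,b) (c,d)` is a syntactically valid chained function call, which is why a plain keyword search is not flagged but this one is. The exception matches by prefix, so every query string on that one path is exempted from the filter, while other eBay paths and other hosts are not.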
Re: eBay URL Problems
Posted: Mon Apr 25, 2016 12:48 pm
by Oeconomist
barbaz wrote: Funny how that account doesn't check out as same user as the guest poster...
After twice posting as a guest, I figured that I might as well register. (I mostly wanted to avoid some troll coming-along and turning discussion into chaos.)
barbaz wrote: When this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
I don't get a browser console (nor other source of diagnostics) in PaleMoon, though I believe that one can be installed. The console for Firefox declares suspicious XSS (as indicated by therube above).
barbaz wrote: If you trust eBay not to be vulnerable to XSS, can try adding this XSS exception (documented in FAQ 4.4, though the exception in that FAQ is outdated now):
Code:
^https?://www\.ebay\.com/dsc/i\.html
Now, that did the trick very nicely; thank you! (I will investigate your other suggestions later!)
Re: eBay URL Problems
Posted: Mon Apr 25, 2016 1:11 pm
by barbaz
You're welcome, glad it's working!

Let us know if you would like help with the other suggestions.
Re: eBay URL Problems
Posted: Mon Apr 25, 2016 1:20 pm
by barbaz
Oeconomist wrote: After twice posting as a guest, I figured that I might as well register. (I mostly wanted to avoid some troll coming-along and turning discussion into chaos.)

I only checked the second Guest post but not the first, sorry about that. The first Guest post does check out as yours so it's under your account now. If you correctly PM me the IP address or ISP used for the second Guest post, it too will be yours.