InformAction Forums

Hello,

So this problem has just recently come up with NoScript. I run a file host (called Obscured Files) which distributes the load to multiple nodes using sub-domains.

All of them run on the same domain verified using the same https certificate. We have a HSTS, CSP, and we even public key pin our certificate (though pinning is currently disabled for some updates).

Yet when a user now POSTs to the same domain (directed at an appropriate sub-domain) the XSS filter is triggered trashing whatever the user was sending over needing them to reupload again with the unsafe reload button.

The console shows: It was working yesterday. What changed?

See viewtopic.php?f=7&t=22296.

Perhaps a moderator could merge the threads, maybe with the title changed to "XSS false positive" or something to that effect. barbaz, what do you think?

I think it's a different issue. That other thread is about XSS filter tripping from stuff entered into address bar and searchbar. This one is about a website being erroneously broken by NoScript.

CodeFate, what NoScript version are you using? If it's some 2.9.5 version, does downgrading NoScript to 2.9.0.14 let it work again?

Old NoScript @
https://addons.mozilla.org/addon/noscript/versions
*or*
https://noscript.net/feed?c=100&t=a

Please check latest development build 2.9.5.2rc1, thanks.

The release candidate, as well as downgrading, seems to fix the issue.

What is the candidate's ETA to the Mozilla store?

It's already there https://addons.mozilla.org/addon/noscri ... 2.9.5.2rc1