
NoScript bug https://yandex.ru/video/

Posted: Tue Jan 24, 2017 5:36 am
by Hobbix
Visit here: https://yandex.ru/video/
I get a message about an XSS attack. The video on the page does not load.

NoScript version: 2.9.5.3
Firefox 50.1.0

Re: NoScript bug https://yandex.ru/video/

Posted: Tue Jan 24, 2017 5:43 am
by Hobbix
I added an exception rule, which has helped:

Code:

^https://yastatic.net/video-player/?

Re: NoScript bug https://yandex.ru/video/

Posted: Tue Jan 24, 2017 5:44 am
by barbaz
But is it safe?

Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)

Re: NoScript bug https://yandex.ru/video/

Posted: Tue Jan 24, 2017 8:15 am
by Hobbix
barbaz wrote: But is it safe?

I do not know; please correct this rule if required.

barbaz wrote: Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)

I cannot paste the code to the forum; I receive an error:

Code:

Ooops, something in your posting triggered my antispam filter...
Please use the "Back" button to modify your content and retry.

I see this in the console (screenshot):

Re: NoScript bug https://yandex.ru/video/

Posted: Tue Jan 24, 2017 4:28 pm
by barbaz
Ick. That's no bug in the XSS filter, it's doing its job. Putting HTML in a URL is just begging to be XSSed.

I'd change that exception to

Code:

^@https://yandex.ru/video/

See the sticky for more info on XSS exceptions.

Moving to NoScript Support.