XSS and google

Posted: Thu Aug 17, 2017 10:25 pm
by Guest
The update says the XSS issue has been fixed, but it still acts up on google.co.jp; it is very annoying.
I can't even do an unsafe reload, as I get a blank page. A fix would be appreciated.

Thanks

Re: XSS and google

Posted: Thu Aug 17, 2017 11:26 pm
by GµårÐïåñ
How about providing some information that can be used to actually discover a solution or even validate the issue is NS related.

At the very least post the "unsafe reload" link that is provided to you so we can see why it thinks it is unsafe and go from there.

Remember, support forum, not a psychic shop. We require some information on the so-called problem before we can figure out what's wrong with it. We don't have a crystal ball.

Also, just because a related-sounding issue is marked as fixed doesn't mean it applies to everything out there sharing the same title.

Re: XSS and google

Posted: Thu Aug 17, 2017 11:51 pm
by barbaz
GµårÐïåñ wrote:At the very least post the "unsafe reload" link that is provided to you so we can see why it thinks it is unsafe and go from there.
Guest wrote:I can't even do an unsafe reload as I get a blank page,

Re: XSS and google

Posted: Thu Aug 17, 2017 11:51 pm
by barbaz
Guest, please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)

Re: XSS and google

Posted: Fri Aug 18, 2017 12:16 am
by GµårÐïåñ
barbaz wrote:
GµårÐïåñ wrote:At the very least post the "unsafe reload" link that is provided to you so we can see why it thinks it is unsafe and go from there.
Guest wrote:I can't even do an unsafe reload as I get a blank page,
And? The link has always been able to be copied, you don't have to actually load it to copy it, seriously? The blank page suggests something else is being blocked and preventing it from loading, or the original link generating the XSS is invalid to begin with or has an improper redirection.

Re: XSS and google

Posted: Fri Aug 18, 2017 1:25 am
by barbaz
Apparently we interpreted that statement differently. I took it to mean they were redirected to a blank page so fast they couldn't do anything with the XSS notification bar.

Guest, can you please clear this up as well?

Re: XSS and google

Posted: Fri Aug 18, 2017 4:15 am
by AnotherGuest
I'm not the same guest, but I'm getting the same xss messages when performing searches.

Console output:

Code:

[NoScript InjectionChecker] JavaScript Injection in ///u/0/widget?sourceid=1&hl=en&origin=https://www.google.com.mx&uc=1&usegapi=1&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError,onInfo,hideNotificationWidget,postSharedMessage,reauth,setNotificationWidgetHeight,setNotificationWidgetSize,switchTo,navigateTo,setNotificationText,setNotificationAnimation,getNotificationText,validateUser,_ready&id=I0_1503029447798&parent=https://www.google.com.mx&pfname=&rpctoken=20093748
(function anonymous() {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://notifications.google.com/u/0/widget?sourceid=1&hl=en&origin=https%3A%2F%2Fwww.google.com.mx&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1503029447798&parent=https%3A%2F%2Fwww.google.com.mx&pfname=&rpctoken=20093748] requested from [https://www.google.com.mx/search?client=firefox-b&q=macarena&oq=macarena&gs_l=psy-ab.3..0i71k1l4.0.0.0.83806.0.0.0.0.0.0.0.0..0.0....0...1..64.psy-ab..0.0.0.zGPoVB31D8A]. Sanitized URL: [https://notifications.google.com/#5238393364113552739].
[NoScript InjectionChecker] JavaScript Injection in ///u/0/widget?sourceid=1&hl=en&origin=https://www.google.com.mx&usegapi=1&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError,onInfo,hideNotificationWidget,postSharedMessage,reauth,setNotificationWidgetHeight,setNotificationWidgetSize,switchTo,navigateTo,setNotificationText,setNotificationAnimation,getNotificationText,validateUser,_ready&id=I0_1503029454331&parent=https://www.google.com.mx&pfname=&rpctoken=14126897
(function anonymous() {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://notifications.google.com/u/0/widget?sourceid=1&hl=en&origin=https%3A%2F%2Fwww.google.com.mx&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1503029454331&parent=https%3A%2F%2Fwww.google.com.mx&pfname=&rpctoken=14126897] requested from [https://www.google.com.mx/?gfe_rd=cr&ei=5miWWcevCMi1mQHs35uACQ#5238393364113552739]. Sanitized URL: [https://notifications.google.com/#37620461912841685888].

Using unsafe reload, I get this URL, but the page is blank:

Code:

https://notifications.google.com/u/0/widget?sourceid=1&hl=en&origin=https%3A%2F%2Fwww.google.com.mx&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=1&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1503029474369&parent=https%3A%2F%2Fwww.google.com.mx&pfname=&rpctoken=50778240

Re: XSS and google

Posted: Fri Aug 18, 2017 4:23 am
by barbaz
AnotherGuest, you are not the only one reporting that XSS filter false positive - https://forums.informaction.com/viewtop ... =7&t=23196

If you trust that notifications.google.com won't be vulnerable to XSS, use this exception -

Code:

^https://notifications\.google\.com/u/0/widget\?

Or if you'd rather trust that google won't XSS other sites -

Code:

^@https://www\.google\.com(?:\.mx)?/

Either one would go in NoScript Options > Advanced > XSS > Anti-XSS protection exceptions.

Does this help?

(no, this is not a straight copy-paste from my post in the other thread. :) )
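
Added example, not part of the post above and not NoScript's own code: it runs the two exception patterns over constructed requests to show how much each one exempts from the XSS filter. It assumes, as the wording of the post implies, that a pattern starting with ^@ is tested against "@" plus the requesting page's URL and any other pattern against the destination URL; the sample URLs, the EXCEPTIONS and REQUESTS tables and exemptedBy() are made up for the illustration.

```javascript
// Added illustration, not NoScript code. Assumption: an exception that starts
// with "^@" is tested against "@" + the requesting page's URL, and any other
// exception is tested against the destination URL of the request.
const EXCEPTIONS = {
  destination: new RegExp(String.raw`^https://notifications\.google\.com/u/0/widget\?`),
  origin: new RegExp(String.raw`^@https://www\.google\.com(?:\.mx)?/`),
};

// Constructed requests, shortened from the console output quoted in the thread.
const WIDGET = "https://notifications.google.com/u/0/widget?sourceid=1&hl=en";
const REQUESTS = [
  { from: "https://www.google.com.mx/search?q=macarena", to: WIDGET },
  { from: "https://www.google.it/search?q=macarena", to: WIDGET },
  { from: "https://www.google.com.mx/search?q=macarena",
    to: WIDGET.replace("/u/0/", "/u/1/") },            // different /u/ index
  { from: "https://www.google.com.mx/search?q=macarena",
    to: "https://other-site.example/page?q=1" },       // unrelated destination
  { from: "https://www.google.com.lookalike.example/", // constructed host name
    to: "https://other-site.example/page?q=1" },
];

// Returns which of the two exceptions would switch the XSS filter off.
function exemptedBy(req) {
  const hits = [];
  if (EXCEPTIONS.destination.test(req.to)) hits.push("destination");
  if (EXCEPTIONS.origin.test("@" + req.from)) hits.push("origin");
  return hits;
}

for (const req of REQUESTS) {
  const hits = exemptedBy(req);
  console.log(`${req.from} -> ${req.to}: ${hits.join(", ") || "still filtered"}`);
}
```

Under that assumption the first exception covers only the /u/0/widget endpoint, whatever page requests it, while the second covers every request made from www.google.com or www.google.com.mx, including ones to unrelated sites; other country domains such as www.google.it need their own origin pattern.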

Re: XSS and google

Posted: Fri Aug 18, 2017 11:34 pm
by Guest
GµårÐïåñ wrote:How about providing some information that can be used to actually discover a solution or even validate the issue is NS related.

At the very least post the "unsafe reload" link that is provided to you so we can see why it thinks it is unsafe and go from there.

Remember, support forum, not a psychic shop. We require some information on the so-called problem before we can figure out what's wrong with it. We don't have a crystal ball.

Also, just because a related-sounding issue is marked as fixed doesn't mean it applies to everything out there sharing the same title.

If I knew what to post I would have posted it; I have no idea what you require or not.
Maybe I sounded harsher than I intended to be, but that's not a reason to be this condescending.

Anyway thank you barbaz, I used the first exception and I don't get the issue anymore :)

Re: XSS and google

Posted: Sat Aug 19, 2017 1:44 am
by barbaz
You're welcome.
Guest wrote:If I knew what to post I would have posted it; I have no idea what you require or not.
Maybe I sounded harsher than I intended to be, but that's not a reason to be this condescending.
He wasn't being condescending, he was just explaining the importance of providing details when asking for help. "The XSS issue" doesn't tell us much.

Anyway, glad you got it sorted. :)

Re: XSS and google

Posted: Sat Aug 19, 2017 11:15 am
by mary7
Hi, I have the same issue with Google, which is my start page. On my desktop, where I'm logged in to Google, there is the XSS alert "NoScript has filtered a cross-site scripting attempt" when I open Firefox and when I do a search. This problem appeared today when I updated Firefox from 55.0.1 to 55.0.2. On my husband's laptop, without logging in, there is no alert. Will this issue be resolved?

Mary from Italy

Re: XSS and google

Posted: Sat Aug 19, 2017 5:16 pm
by barbaz
@mary7 Do the above exceptions not take care of the problem for you?

Re: XSS and google

Posted: Sat Aug 19, 2017 5:32 pm
by mary7
No, I have the same problem as this Deutsch user, but for me it is with Google.it and not Google.de.
This is an image of the console report of the Deutsch user: https://ibb.co/nmO6j5 (I am out now and replying from my phone)

Re: XSS and google

Posted: Sat Aug 19, 2017 5:35 pm
by barbaz
Without your exact console messages we're just guessing, but you could try this exception -

Code:

^@https://www\.google\.it/

Re: XSS and google

Posted: Sat Aug 19, 2017 7:46 pm
by GµårÐïåñ
Guest wrote:If I knew what to post I would have posted it; I have no idea what you require or not.
Maybe I sounded harsher than I intended to be, but that's not a reason to be this condescending.

Self-admitted "harsh" aside (I am not a wallflower); I wasn't, and it is not condescension to expect, at the very least, basic information before being able to support something - it should go without saying.

Glad you found barbaz's response helpful, but we still don't know WHY it happened, but solution is solution and if you are happy then we are happy; but keep in mind, as barbaz already noted, the assumption for the fix is simply that YOU trust that the XSS occurring is not evil, nothing more.