recurring XSS popup??
Posted: Tue Nov 21, 2017 10:07 am
by negativeions
I forgot to mention, on my install, NoScript kept showing a pop up window for sanitizing XSS. How do I make it save the settings? Christ sakes......

Re: recurring XSS popup??
Posted: Tue Nov 21, 2017 10:38 am
by lancelot
Same issue here. As an example, I have www . imdb . com allowed and www . facebook . com not allowed. Every imdb page gives me a popup window:
NoScript detected a potential Cross-Site Scripting attack
from http :// www . imdb . com to https :// www . facebook . com.
Suspicious data:
window.name
Re: recurring XSS popup??
Posted: Tue Nov 21, 2017 6:24 pm
by No longer remember
Aside from the one about facebook, for which the "allow and remember" option was acceptable, there are others (e.g. stags.bluekai.com) that ought to have no popup, by virtue of having been classified by me as Untrusted.
Re: recurring XSS popup??
Posted: Sat Dec 02, 2017 9:14 am
by lancelot
At least there's an option now to set it to "always block". But I think an "always block" global default is still needed. I had to click "always block" six times for one site already.
Re: recurring XSS popup??
Posted: Sat Dec 02, 2017 9:34 am
by ohdada_yupie
Same here!
I get those warnings when I click on google search links or when I go on duckduckgo.
Re: recurring XSS popup??
Posted: Sat Dec 02, 2017 12:33 pm
by juozas
On some sites, e.g. some tumblr pages with custom themes, the same XSS might repeat; clicking "always allow" doesn't solve the problem until reload, as the same XSS repeats. The popup dialog that stays always on top is not minimizable even when the tab is NOT in focus, which is annoying, not to mention the blank window bug only solved by right click.
Edit: Settings aren't saved across restarts somehow. Also, browsing storage-sync.sqlite with an sqlite editor program, I couldn't find a record (table row) with "key-xssWhitelist" in the record_id column with configuration stored in the record column in the collection_data table. Previous versions of NoScript did store this data properly.
Re: recurring XSS popup??
Posted: Sat Dec 02, 2017 11:53 pm
by lancelot
I've just noticed that too: when I quit and restart Firefox, I'm getting the same XSS popups on the same site about the same https://www.facebook.com that I've already clicked "Always block" on.
Re: recurring XSS popup??
Posted: Sun Dec 03, 2017 1:50 am
by aussiebill
I think this might be a reflection on how Firefox runs. If you look in the task manager, FF is opened 4 times, thus allowing memory to be cached in case of dropouts.
Maybe this is where NoScript is being caught up too. Running with FF at 4 times it could be trying to block all the other versions of FF too. If you get an XSS script warning, shut down FF and re-open it, XSS should still be present as it switches another FF running in the background.
Re: recurring XSS popup??
Posted: Sun Dec 03, 2017 6:02 am
by juozas
Just updated NoScript to 10.1.5.3 on one of my test profiles. When I visit an affected site with multiple XSS of the same kind, adding an exception to the first one doesn't stop the other ones triggering the XSS popup, which repeats even after closing the tab or exiting the browser. Very annoying. Also, exceptions don't remain after restart, which is even more annoying.
The browser window after restart (last "window" was XSS popup):

Re: recurring XSS popup??
Posted: Sun Dec 03, 2017 12:33 pm
by lancelot
And apparently 10.1.5.3 just wiped my XSS choices? I haven't restarted Firefox, just updated NoScript, and "Clear XSS user choices" is grayed out.
Re: recurring XSS popup??
Posted: Sun Dec 03, 2017 1:10 pm
by George Valitsas
Same here, XSS does not remember always allow or always block choices when I close firefox and start again. So the same message pops up again! Firefox is set to never remember history, I don't know whether this is relevant or not.
Re: recurring XSS popup??
Posted: Sun Dec 10, 2017 2:42 pm
by lancelot
XSS handling is still rather annoying. If google gives me an imdb link in the search results (http :// www . imdb.com / name / nm0643664 /), when I click the link, I get a NoScript XSS warning about a potential attack from google to imdb. If another search engine gives me that link, I'll get a different XSS warning. If I just open that imdb link by pasting it into the address bar, I get a warning saying "from [...] to http://www.imdb.com" (literally three dots).
First, is that even the correct behavior? Second, it really needs a global default.
Re: recurring XSS popup??
Posted: Wed Dec 13, 2017 11:58 am
by mvenl
Always allow choice is still not remembered. This is not good as it might tempt people to just disable the XSS check altogether.
Re: recurring XSS popup??
Posted: Mon Dec 18, 2017 8:02 pm
by lancelot
lancelot wrote:
XSS handling is still rather annoying. If google gives me an imdb link in the search results (http :// www . imdb.com / name / nm0643664 /), when I click the link, I get a NoScript XSS warning about a potential attack from google to imdb. If another search engine gives me that link, I'll get a different XSS warning. If I just open that imdb link by pasting it into the address bar, I get a warning saying "from [...] to http://www.imdb.com" (literally three dots).
First, is that even the correct behavior? Second, it really needs a global default.
Besides, if I click "Always block" on the warning saying "from [...] to http://www.imdb.com", I get locked out of imdb, I cannot even open the main page www.imdb.com, even though that page hasn't been giving me a warning with the literal [...].
So it seems like a global default isn't even possible because of this.
Re: recurring XSS popup??
Posted: Sat Jan 27, 2018 6:27 pm
by lancelot
lancelot wrote:
lancelot wrote:
XSS handling is still rather annoying. If google gives me an imdb link in the search results (http :// www . imdb.com / name / nm0643664 /), when I click the link, I get a NoScript XSS warning about a potential attack from google to imdb. If another search engine gives me that link, I'll get a different XSS warning. If I just open that imdb link by pasting it into the address bar, I get a warning saying "from [...] to http://www.imdb.com" (literally three dots).
First, is that even the correct behavior? Second, it really needs a global default.
Besides, if I click "Always block" on the warning saying "from [...] to http://www.imdb.com", I get locked out of imdb, I cannot even open the main page www.imdb.com, even though that page hasn't been giving me a warning with the literal [...].
So it seems like a global default isn't even possible because of this.
Additionally, if I temporarily block the request "from [...] to http://www.imdb.com" (whatever that means), that apparently blocks some fonts as well:
This is how the page should look like:
