Huffington Post (HuffPo) Germany - Not able to read Comments

Posted: Sat Dec 16, 2017 12:28 pm
by VevendoVides
Hi all. For years I have had a problem reading comments on HuffPo, i.e. here: http://www.huffingtonpost.de/entry/merk ... e-homepage

First I thought that had to do with a blocked script, but that was definitely not the reason. Only disabling NoScript completely helped. The reason seems to be the XSS (cross-site scripting), in this case XSS [http://www.huffingtonpost.de]->[https://www.facebook.com]

In the console I found this one relating to the above:

getUserData() oder setUserData() sollten nicht mehr verwendet werden. Verwenden Sie stattdessen WeakMap oder element.dataset. requestNotifier.js:53:0
[NoScript InjectionChecker] JavaScript Injection in ///plugins/comments.php?api_key=137920063083844&channel_url=http://staticxx.facebook.com/connect/xd_arbiter/r/lY4eZXm_YWu.js?version=42#cb=f666f981c50036&domain=www.huffingtonpost.de&origin=http://www.huffingtonpost.de/f30f36b538e6e0e&relation=parent.parent&colorscheme=light&href=http://www.huffingtonpost.de/entry/merkel-schulz-groko-theater_de_5a33d8fbe4b0ff955ad22ad3&locale=de_DE&numposts=10&sdk=joey&skin=light&version=v2.5&width=570
(function anonymous() {
www.huffingtonpost.de/f30f36b538e6e0e&relation==parent.parent&colorscheme==light
})
[NoScript XSS] Eine verdächtige Anfrage wurde bereinigt. Original-URL [https://www.facebook.com/plugins/comments.php?api_key=137920063083844&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FlY4eZXm_YWu.js%3Fversion%3D42%23cb%3Df666f981c50036%26domain%3Dwww.huffingtonpost.de%26origin%3Dhttp%253A%252F%252Fwww.huffingtonpost.de%252Ff30f36b538e6e0e%26relation%3Dparent.parent&colorscheme=light&href=http%3A%2F%2Fwww.huffingtonpost.de%2Fentry%2Fmerkel-schulz-groko-theater_de_5a33d8fbe4b0ff955ad22ad3&locale=de_DE&numposts=10&sdk=joey&skin=light&version=v2.5&width=570] angefordert von [http://www.huffingtonpost.de/entry/merkel-schulz-groko-theater_de_5a33d8fbe4b0ff955ad22ad3?x4&utm_hp_ref=de-homepage]. Bereinigte URL: [https://www.facebook.com/plugins/comments.php?api_key=137920063083844&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FlY4eZXm_YWu.js%3Fversion%3D42%23cb%2520f666f981c50036%2526domain%2520www.huffingtonpost.de%2526origin%2520http%253A%252F%252Fwww.huffingtonpost.de%252Ff30f36b538e6e0e%2526relation%2520parent.parent&colorscheme=light&href=http%3A%2F%2Fwww.huffingtonpost.de%2Fentry%2Fmerkel-schulz-groko-theater_de_5a33d8fbe4b0ff955ad22ad3&locale=de_DE&numposts=10&sdk=joey&skin=light&version=v2.5&width=570].
Any idea what to do besides disabling NoScript? And explained simply please, I am not a techie :-)

Thank you in advance and have a nice X-Mas time

Re: Huffington Post (HuffPo) Germany - Not able to read Comm

Posted: Sat Dec 16, 2017 2:11 pm
by Just_Golem
Visited the site from Canada (using NoScript 10.1.5.8)

On first load, as expected, everything is blocked

Clicked the NoScript icon and chose "Temporarily allow" a first time.
The page reloaded, and new things were blocked and listed.
Clicked "Temporarily allow" a second time, reloaded, and then "Temporarily allow" a third and last time.
Comments were visible after that, and I did not get any XSS error or box.

Not sure if this is of any help, but wanted to chime in, in case :-) :-)

Re: Huffington Post (HuffPo) Germany - Not able to read Comm

Posted: Sat Dec 16, 2017 2:18 pm
by Pansa
Can't reproduce either. (In NoScript 10.1.5.7)

I set
...huffingtonpost.de (red)
...facebook.net (red)
...facebook.com (red)
...fbcdn.net (black)

To trusted. Comments load fine.

edit:
Just noticed:
"Firefox/52.9 PaleMoon/27.6.2"

Which version of NoScript are you running?

Re: Huffington Post (HuffPo) Germany - Not able to read Comm

Posted: Sat Dec 16, 2017 4:17 pm
by barbaz
Pansa wrote:
edit:
Just noticed:
"Firefox/52.9 PaleMoon/27.6.2"

Which version of NoScript are you running?

They're either running this version or latest NoScript Classic.

https://forums.informaction.com/viewtop ... =7&t=23069

Re: Huffington Post (HuffPo) Germany - Not able to read Comm

Posted: Sat Dec 16, 2017 5:32 pm
by VevendoVides
Guys, you are doing great!

Thank you for the sharp eyes, esp. regarding PaleMoon and my outdated release of NoScript (5.0.6). First I tried a newer version of it, but that was not accepted due to an old release of Firefox (which is understandable since PM and FF divorced).

So I followed @barbaz's hint and tried these exceptions in the XSS-Opinion-Menu:

^https://www\.facebook\.com/plugins/comments\.php\?

^https://www\.facebook\.com/plugins/feedback\.php\?
And after that, like the Flintstones: YappadappaDoo - It works!

Thank you so much for your help and assistance. Have a peaceful Christmas and a Happy New Year
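
Added example, not part of the thread and not NoScript's own code: the two exception patterns from the post above, checked against shortened copies of the URLs in the console log and a few constructed lookalike addresses, plus a look at what the sanitised URL did to the parameters nested in channel_url. It assumes the patterns are evaluated as JavaScript regular expressions against the request's destination URL; isExempt, channelParams and the sample URLs are names made up for this example.

```javascript
// Added example, not code from the thread or from NoScript.
// The two exception patterns exactly as posted. Assumption: they are applied
// as JavaScript regular expressions to the destination URL of a request.
const EXCEPTIONS = [
  String.raw`^https://www\.facebook\.com/plugins/comments\.php\?`,
  String.raw`^https://www\.facebook\.com/plugins/feedback\.php\?`,
].map((src) => new RegExp(src));

// True when a destination URL falls under one of the exceptions.
function isExempt(url) {
  return EXCEPTIONS.some((re) => re.test(url));
}

// Shortened copies of the two URLs in the console log (origin and most
// display parameters dropped); only the channel_url encoding differs.
const BASE = 'https://www.facebook.com/plugins/comments.php?api_key=137920063083844' +
  '&channel_url=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F' +
  'lY4eZXm_YWu.js%3Fversion%3D42%23';
const ORIGINAL = BASE + 'cb%3Df666f981c50036%26domain%3Dwww.huffingtonpost.de' +
  '%26relation%3Dparent.parent&colorscheme=light';
const SANITIZED = BASE + 'cb%2520f666f981c50036%2526domain%2520www.huffingtonpost.de' +
  '%2526relation%2520parent.parent&colorscheme=light';

// Key/value pairs carried in the fragment of the nested channel_url.
function channelParams(requestUrl) {
  const channel = new URL(requestUrl).searchParams.get('channel_url');
  const fragment = channel.slice(channel.indexOf('#') + 1);
  return Object.fromEntries(new URLSearchParams(fragment));
}

// Constructed lookalike destinations that must stay under the XSS filter.
const LOOKALIKES = [
  'https://www.facebook.com.example.net/plugins/comments.php?a=1', // other host
  'http://www.facebook.com/plugins/comments.php?a=1',              // not https
  'https://example.org/?u=https://www.facebook.com/plugins/comments.php?', // not at start
  'https://www.facebook.com/plugins/like.php?href=x',              // other endpoint
];

console.log('original exempt:', isExempt(ORIGINAL));
console.log('lookalikes exempt:', LOOKALIKES.map(isExempt));
console.log('channel params before:', channelParams(ORIGINAL));
console.log('channel params after: ', channelParams(SANITIZED));
```

Run under Node.js: the exceptions cover only https requests to those two plugin endpoints, and the sanitised request no longer carries separate cb, domain and relation values.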

Re: Huffington Post (HuffPo) Germany - Not able to read Comm

Posted: Sat Dec 16, 2017 7:26 pm
by barbaz
You're welcome!

VevendoVides wrote:
I've tried a newer version of it but that was not accepted due to an old release of Firefox (which is understandable since PM and FF divorced).

Latest NoScript Classic (5.1.8.3) should still work in Pale Moon.