Page 1 of 1
Where is the XSS Exceptions form?
Posted: Thu Apr 19, 2018 9:40 pm
by ahardy42
I'm trying to enter an XSS exception for a site where NoScript seems to be blocking successful logins, but I can't find the exceptions page or form in the NoScript options.
When I click Settings -> Advanced Tab,all I see is a greyed area with the tabs on top, then a check-box saying "Sanitize cross-site suspicious requests" with a button "Clear XSS Choices" which I haven't clicked.
Then under that is a line, and another greyed area with a check-box saying "Debug".
Shouldn't there be a field here for me to enter my exceptions?
I know I've already entered on exception myself a year or so ago.
I'm using FF 59.0.2 with NoScript 10.1.7.5.
Re: Where is the XSS Exceptions form?
Posted: Thu Apr 19, 2018 11:01 pm
by barbaz
Moving to NoScript Development because I don't think there is a XSS Exceptions form yet.
Re: Where is the XSS Exceptions form?
Posted: Fri Apr 20, 2018 9:19 am
by ahardy42
Oh, I see - there used to be one before the big upgrade - I remember entering a regular expression for my bank's URL to stop NoScript killing the XSS-style stuff it was doing.
I assume that setting is still in the config somewhere since my banking website still works - or maybe not. Is there a setting I can set manually then?
Re: Where is the XSS Exceptions form?
Posted: Fri Apr 20, 2018 3:56 pm
by barbaz
As a workaround, you can export your NS settings, edit the XSS exceptions manually, then import the modified config back.
Re: Where is the XSS Exceptions form?
Posted: Fri Apr 20, 2018 4:01 pm
by ahardy42
OK, I'll give that a try.
Re: Where is the XSS Exceptions form?
Posted: Sat Apr 21, 2018 12:24 pm
by ahardy42
I checked in my prefs.js and I couldn't find any reference to my bank website which NoScript had disabled last year.
I have the XSS checkbox checked, so I'm not sure what NoScript is doing.
I also discovered that actually NoScript is not blocking the website I'm having problems with - it is in fact the TreeTabs add-in, bizarrely.
While I'm here though, what does NoScript do with XSS? Is it done on each suspected XSS request? I see a few of those and I can allow or forbid them individually. Has that replaced the list form of regex patterns of earlier versions?
Re: Where is the XSS Exceptions form?
Posted: Sun Apr 22, 2018 2:16 pm
by barbaz
ahardy42 wrote:what does NoScript do with XSS?
NoScript 10 just blocks the request containing the XSS attempt -
https://hackademix.net/2017/12/01/noscr ... ment-39541
ahardy42 wrote:Is it done on each suspected XSS request?
I think you should be prompted unless you have a "Always allow" or "Always block" rule.