Hi,
When I try to visit a Wikipedia page whose title contains points and parentheses, NoScript incorrectly detects it as a cross-site scripting attack and asks me if I want to block the request, allow it, etc. This is quite annoying.
Example: https://en.wikipedia.org/wiki/R.S.V.P._(2002_film)
I hesitate to always allow requests relative to wikipedia, but I wonder if it may create potential security risks for me, and anyway it's still an annoying bug for other people who may stumble on this issue.
Firefox version: 110.0.1. NoScript version: 11.4.18.
false positives on wikipedia for cross-site scripting attacks
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Re: false positives on wikipedia for cross-site scripting attacks
To be clear, after several trials, this doesn't seem to happen systematically, but exactly once out of two times, which is super weird.
In particular, it seems to happen when I open a new tab in Firefox, type in or copy-paste a Wikipedia URL whose title contains points and parentheses, and then try to visit this URL. One out of two times everything works fine without a security warning, but if I open a new tab and repeat the process, then I get the security warning about cross-site scripting.
I deactivated all other installed extensions and the problem persists, so it definitely seems to come from NoScript. Thanks,
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Re: false positives on wikipedia for cross-site scripting attacks
And of course, the example I previously gave now doesn't throw the warning and works fine every time, so here's another example where the issue still appears: https://en.wikipedia.org/wiki/M.A.S.H._(1970)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Re: false positives on wikipedia for cross-site scripting attacks
Since Giorgio hasn't commented yet, just chiming in to say that I can reproduce this. Except in my case it's not 1 out of 2, it seems randomly intermittent.
That there is any intermittence at all makes no sense. Either a URL is an XSS attempt or it's not, no? The only thing I can think of that would vary whether the filter trips for a given URL is NoScript permissions for the target site, but I wasn't changing permissions between when the warning trips and when it doesn't.
The STR that most consistently reproduces the XSS warning for me is:
1) fresh start of Firefox
2) open the Wikipedia link in the OP in a new tab by drag&drop
3) close the wikipedia tab
4) open the wikipedia link from the post immediately above this one in a new tab by drag&drop
These steps seem to apply both in my main profile & in a new, clean profile.
Firefox 111.0rc2, NoScript 11.4.18rc1 here.
EDIT: To be clear, when I say "drag&drop", I'm running multiple simultaneous instances of Firefox and had this topic open in a separate Firefox instance, completely separate from the instance in which I was attempting to reproduce the issue.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Re: false positives on wikipedia for cross-site scripting attacks
I just got this for https://en.wikipedia.org/wiki/USS_Willi ... kin=vector
I got it from clicking the wikipedia link after a google search.
Without knowing and assuming it was some garbage google was tagging on to their intermediate URL, I opened just the above URL in a new tab and got the same XSS warning.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Re: false positives on wikipedia for cross-site scripting attacks
kwiniec, this thread is about NoScript Webext. You are using NoScript Classic, which does not have the same XSS filter as NoScript Webext. Split your post to viewtopic.php?t=26985 so the two issues can get independent attention.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0