
XSS on blogspot/blogger

Posted: Tue Jun 15, 2010 12:16 pm
by eckstee
Blogger has a new layout editor where you can see your changes live before you save them, and NoScript blocks an XSS request every time I go into it. With the request blocked, the editor doesn't work (my blog doesn't show in the lower pane), and upon doing an unsafe reload, everything works as expected.

I suspect this is because they use two domains, blogspot.com and blogger.com. I've already had third-party cookie issues because of this.

Adding the following line to the XSS exceptions list fixes the issue:

^https?://[^\.]+\.blogspot\.com/b/preview

Re: XSS on blogspot/blogger

Posted: Tue Jun 15, 2010 1:11 pm
by Giorgio Maone
Could you please show me the [NoScript XSS] line(s) you get in Tools|Error Console, so I can see if a more restrictive exception (or a different work-around) can be wired in the next NoScript version?
Thanks.
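
An added example, not part of the thread and not NoScript code: a small audit of which destination URLs the posted exception regex exempts from XSS filtering, compared with a tighter variant. The sample URLs, the `TIGHTER` pattern and the function names are assumptions made for illustration, including the assumption that the preview URL is exactly `/b/preview` plus an optional query string.

```javascript
// Exception regex exactly as posted in the thread.
const POSTED = String.raw`^https?://[^\.]+\.blogspot\.com/b/preview`;

// Hypothetical tighter variant (assumption, not a NoScript-supplied rule):
// the blog label may not contain '/', '?', '#', '@' or ':', and the path
// must end at /b/preview (only a query string or fragment may follow).
const TIGHTER = String.raw`^https?://[^./?#@:]+\.blogspot\.com/b/preview(?:[?#]|$)`;

// Constructed sample destinations (not taken from the thread).
const SAMPLES = [
  "http://myblog.blogspot.com/b/preview?token=x",       // intended
  "https://myblog.blogspot.com/b/preview",              // intended
  "http://myblog.blogspot.com/b/preview-anything/else", // same host, other path
  "http://myblog.blogspot.com/2010/06/post.html",       // ordinary blog page
  "http://www.blogger.com/b/preview",                   // other domain
  "http://intranet/a.blogspot.com/b/preview",           // host is "intranet"
];

// Return every URL the pattern exempts, with the parsed host and whether
// it is really the Blogger preview endpoint the exception was meant for.
function audit(pattern, urls) {
  const re = new RegExp(pattern);
  return urls.filter((u) => re.test(u)).map((u) => {
    const { hostname, pathname } = new URL(u);
    const onHost = hostname.endsWith(".blogspot.com");
    const onPath = pathname === "/b/preview";
    return { url: u, hostname, intended: onHost && onPath };
  });
}

// URLs that lose XSS filtering although they are not the preview endpoint.
function unintended(pattern, urls) {
  return audit(pattern, urls).filter((r) => !r.intended).map((r) => r.url);
}

for (const [name, pattern] of [["posted", POSTED], ["tighter", TIGHTER]]) {
  console.log(name, "exempts:", audit(pattern, SAMPLES).map((r) => r.url));
  console.log(name, "unintended:", unintended(pattern, SAMPLES));
}
```

The posted pattern has no end anchor and `[^\.]+` also matches `/`, so it exempts more than the preview page; the tighter variant keeps only the two intended samples.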