No Script blocking when it shouldn't be
Posted: Wed Aug 04, 2010 5:19 am
by smtips
NoScript has treated me well until recently. I cannot get a video on my site to load as soon as I enable NoScript, even though I allowed EVERYTHING and the domain is whitelisted; the video comes up in a gray box and refuses to play. As soon as I disable NoScript it works fine. I'm stumped as to why this is. It is DEFINITELY NoScript causing this, not another addon, because I have tried this with a completely new install of FF and NoScript as the only addon.
It happens when clicking on the QuickTour Product Overview button on the page below. It should simply pop up a video and play it, and it does not. Any help would be appreciated, because if it's not working with NoScript, I could lose business.
The maker of this addon needs to let me know about this.
The page is
http://www.securepaynet.net/ecommerce/s ... stInternet
Re: No Script blocking when it shouldn't be
Posted: Wed Aug 04, 2010 5:36 am
by Alan Baxter
Confirmed in NS 2.0.1rc2.
The Error Console shows NoScript doing some XSS sanitizing which seems to prevent the video from playing. The maker of this addon may be able to modify NoScript or suggest a change you can make on your end. We'll have to wait until Giorgio logs in again.
Re: No Script blocking when it shouldn't be
Posted: Wed Aug 04, 2010 6:24 am
by Giorgio Maone
Unfortunately that site is sending out a URL containing what seems to be a <video> HTML element, which is considered full-fledged cross-site scripting.
I can see the potential for a work-around in the next NoScript version, but in the meantime you can access the video by adding the following line to your
NoScript Options|Advanced|XSS exceptions:
^http://img1\.wsimg\.com/gdtv/swf/apiplayeras2_2\.swf\?
Re: No Script blocking when it shouldn't be
Posted: Wed Aug 04, 2010 6:41 am
by al_9x
Is there an issue here with the logging? the formatting of the reason string?
Re: No Script blocking when it shouldn't be
Posted: Wed Aug 04, 2010 2:35 pm
by therube
[NoScript XSS] xss.reason.http://img1.wsimg.com/gdtv/swf/apiplayeras2_2.swf?mediaID=undefined&myXML=%3Cvideo%3E%3Cinfo%20vTitle%3D%22Quick%20Shopping%20Cart%20Product%20Overview%22%20vURL%3D%22http%3A//video.securepaynet.net/ProductDemo_QuickShoppingCart_Reseller_640x360_large.flv%22%20vClick%3D%22QSCProductOverview%22%3EInfo%3C/info%3E%3C/video%3E
Re: No Script blocking when it shouldn't be
Posted: Wed Aug 04, 2010 8:12 pm
by Giorgio Maone
al_9x wrote: Is there an issue here with the logging? the formatting of the reason string?
Yes there is and I'm investigating that.
Re: No Script blocking when it shouldn't be
Posted: Fri Aug 06, 2010 8:21 pm
by Giorgio Maone
Fixed in the latest development build (the <video>-with-no-attributes false positive).
Regarding the "strange" message, it is due to the request triggering the filter not being bound to an HTML document but to a Flash movie, therefore some stuff normally expected to be retrievable cannot be fetched.
I've been tempted to skip the checks for plugin content, but then I resolved to keep the checks, since a Flash movie, for instance, could have been coded to call GetURL() on a query string parameter, therefore becoming a 2nd order XSS vector, and therefore the InjectionChecker pass is beneficial.
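The following is an added example and not NoScript's code: a deliberately simplified model of the request check discussed in this thread, written to show three things at once. It decodes the query string of the URL from therube's log, flags parameters whose markup could actually run script (event handlers, javascript: URLs, a short assumed list of active elements), shows how a stricter rule that treats any tag as suspicious reproduces the bare <video> false positive that Giorgio fixed, and applies the XSS exception regex from Giorgio's earlier post. The heuristic, the ACTIVE_TAGS list, the function names and the EVIL_URL (a constructed malicious variant with the same SWF path) are all my assumptions for illustration; NoScript's real InjectionChecker is far more elaborate.

```javascript
// Added example, not NoScript's own code. The injection heuristic below is an
// assumption for illustration, not NoScript's actual InjectionChecker.

// The request URL exactly as it appeared in the NoScript log in this thread.
const LOGGED_URL =
  "http://img1.wsimg.com/gdtv/swf/apiplayeras2_2.swf?mediaID=undefined&myXML=" +
  "%3Cvideo%3E%3Cinfo%20vTitle%3D%22Quick%20Shopping%20Cart%20Product%20Overview%22" +
  "%20vURL%3D%22http%3A//video.securepaynet.net/ProductDemo_QuickShoppingCart_Reseller_640x360_large.flv%22" +
  "%20vClick%3D%22QSCProductOverview%22%3EInfo%3C/info%3E%3C/video%3E";

// Constructed malicious variant (not from the thread): same SWF path, but the
// myXML parameter now carries an event handler instead of inert XML.
const EVIL_URL =
  "http://img1.wsimg.com/gdtv/swf/apiplayeras2_2.swf?myXML=" +
  "%3Cvideo%20src%3Dx%20onerror%3Dalert(1)%3E";

// The XSS exception line from Giorgio's post, as a JavaScript RegExp.
const XSS_EXCEPTION = /^http:\/\/img1\.wsimg\.com\/gdtv\/swf\/apiplayeras2_2\.swf\?/;

// Elements whose mere presence means script or plugin content (assumed list).
const ACTIVE_TAGS = new Set(["script", "iframe", "object", "embed", "base"]);

// Percent-decode one component; keep the raw text if the encoding is malformed.
function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s;
  }
}

// Split the query string into decoded name/value pairs (insertion order kept).
function decodeParams(url) {
  const q = url.indexOf("?");
  const params = {};
  if (q < 0) return params;
  for (const pair of url.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    const rawKey = eq < 0 ? pair : pair.slice(0, eq);
    const rawVal = eq < 0 ? "" : pair.slice(eq + 1);
    params[safeDecode(rawKey)] = safeDecode(rawVal);
  }
  return params;
}

// Return a reason string if the decoded value carries markup that could run
// script, else null. With flagBareTags=true every tag is a hit, which is the
// behaviour that produced the <video> false positive described in this thread.
function findInjection(value, flagBareTags) {
  const tagRe = /<\s*\/?\s*([a-zA-Z][\w:-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(value)) !== null) {
    const name = m[1].toLowerCase();
    const attrs = m[2];
    if (flagBareTags) return `markup <${name}>`;
    if (ACTIVE_TAGS.has(name)) return `active element <${name}>`;
    if (/(?:^|\s)on[a-z]+\s*=/i.test(attrs)) return `event handler in <${name}>`;
    if (/(?:^|\s)(?:src|href|data|action|formaction)\s*=\s*["']?\s*javascript:/i.test(attrs)) {
      return `javascript: URL in <${name}>`;
    }
  }
  return null;
}

// Decide whether the request would be sanitized. A matching exception skips
// the injection check entirely, for benign and malicious payloads alike.
function checkRequest(url, opts = {}) {
  const { exceptions = [XSS_EXCEPTION], flagBareTags = false } = opts;
  if (exceptions.some((re) => re.test(url))) {
    return { blocked: false, param: null, reason: "xss exception matched" };
  }
  for (const [name, value] of Object.entries(decodeParams(url))) {
    const reason = findInjection(value, flagBareTags);
    if (reason) return { blocked: true, param: name, reason };
  }
  return { blocked: false, param: null, reason: null };
}

// Stand-alone demonstration of the four cases.
console.log("logged URL, bare tags allowed :", JSON.stringify(checkRequest(LOGGED_URL, { exceptions: [] })));
console.log("logged URL, bare tags flagged :", JSON.stringify(checkRequest(LOGGED_URL, { exceptions: [], flagBareTags: true })));
console.log("evil URL, no exception        :", JSON.stringify(checkRequest(EVIL_URL, { exceptions: [] })));
console.log("evil URL, with exception      :", JSON.stringify(checkRequest(EVIL_URL)));
```

The last case is the caveat worth keeping in mind when adding the exception: the regex whitelists every request to that SWF path, so the constructed EVIL_URL passes unchecked as well. That is exactly the second-order risk Giorgio describes above (a Flash movie passing a query parameter to GetURL()), which is why the check is kept for plugin content by default rather than skipped.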