Bug: NoScript blocks local RSS feeds

Posted: Sat Aug 07, 2010 10:33 pm
by simpleme
OS: Debian Lenny
Browser: Firefox 3.6.8
NoScript: 2.0

I'm running a local Apache web server. A page has a link to an RSS 2.0 feed in the form <link rel="alternate" type="application/rss+xml" href="path/to/rss.xml" title="News" /> I have already tested the feed in Liferea, Thunderbird, as well as directly in Firefox by typing the address in the address bar and each of those works. The hosts file (/etc/hosts) has been modified such that mydomain.com is 127.0.0.1

When on the page containing the link to the RSS feed (http://mydomain.com/projects/), the subscribe icon appears in the address bar. Clicking the icon does nothing. I've checked the source of the link tag as well as the rss, and even copied them from other sites that worked. Nothing happens when clicking on the subscribe icon in the address bar. It works for other sites, but not for the local test site. I have also tested this with the URL (http://localhost/projects/) instead, same problem. Both localhost as well as mydomain.com are in the NoScript whitelist.

When I disable NoScript and restart the browser, it works. Visiting the same page and clicking the subscribe icon in the address bar opens the subscribe page as usual.

Re: Bug: NoScript blocks local RSS feeds

Posted: Sat Aug 07, 2010 11:25 pm
by al_9x
Confirming, the local rule is misbehaving; the ABE alert and console message are a bit cryptic.

Code:

[ABE] <LOCAL> Deny on {GET http://localhost/tests/feed.xml <<< feed://http//localhost/tests/feed.xml, feed://http//localhost/tests/feed.xml - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
The first part is clear: "GET http://localhost/tests/feed.xml",
but what does "<<< feed://http//localhost/tests/feed.xml, feed://http//localhost/tests/feed.xml - 1" mean? The <<<, the 2 URLs, the -1?

Re: Bug: NoScript blocks local RSS feeds

Posted: Sun Aug 08, 2010 8:48 am
by Giorgio Maone
Investigating, thanks.
@al_9x: "feed://" URLs are used by Firefox to designate feed subscription requests, and unfortunately you can use them everywhere, even as <IMG> or <IFRAME> SRCs, therefore they're susceptible to being exploited as CSRF vectors.
Unfortunately Gecko doesn't appear to assign feed subscriptions a meaningful origin, or at least it's not easy to deduce. This is basically the crux of this bug, which can be fixed only if I find a way to discriminate the real origin of the request, which at this moment is reported as the feed itself no matter where it's been requested.

Re: Bug: NoScript blocks local RSS feeds

Posted: Sun Aug 08, 2010 9:57 am
by al_9x
Giorgio Maone wrote: @al_9x: "feed://" URLs are used by Firefox to designate feed subscription requests
{GET http://localhost/tests/feed.xml <<< feed://http//localhost/tests/feed.xml, feed://http//localhost/tests/feed.xml - 1}

The confusing part is not the "feed:" scheme, but the syntax/semantics of the ABE alert/console message. It's using dev debug shorthand but is meant also for the user to understand what happened. Can it be better phrased? The first URL is the blocked request and the second the origin, right? One can figure it out, but it could be clearer. What is the meaning of the third URL? And the number (1)?

Re: Bug: NoScript blocks local RSS feeds

Posted: Sun Nov 07, 2010 6:16 am
by al_9x
This also affects non-LOCAL pages if ABE restricts access to them from other domains, Facebook for example.

Giorgio, can you please document the request dump format?
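
To make concrete why the SYSTEM rule quoted above denies the subscription, and why the same thing happens to a non-LOCAL site guarded by a user rule, here is an added Python sketch of an ABE-style rule check. It is not NoScript's own code: the hosts table, the Facebook user rule, and the treatment of the LOCAL and SELF placeholders are assumptions made for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the /etc/hosts entries the reporter describes.
HOSTS = {"localhost": "127.0.0.1", "mydomain.com": "127.0.0.1"}

# The SYSTEM rule from the quoted log, plus a hypothetical user rule of the
# kind the last post alludes to (assumed, not taken from any real ruleset).
SYSTEM_RULES = [{"site": "LOCAL", "accept_from": ["LOCAL"]}]
USER_RULES = [{"site": ".facebook.com", "accept_from": ["SELF"]}]

FEED = "http://localhost/tests/feed.xml"
# Origin as the log line reports it: the feed: URL itself.
REPORTED_ORIGIN = "feed://http//localhost/tests/feed.xml"

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_local(url):
    # Assumption: LOCAL means "host maps to a loopback address" via HOSTS.
    host = host_of(url)
    try:
        return ipaddress.ip_address(HOSTS.get(host, host)).is_loopback
    except ValueError:
        return False

def matches(pattern, url, dest):
    # Placeholders: LOCAL (loopback), SELF (same host as the destination);
    # anything else is treated as a domain suffix such as ".facebook.com".
    if pattern == "LOCAL":
        return is_local(url)
    if pattern == "SELF":
        return host_of(url) == host_of(dest)
    host = host_of(url)
    return host == pattern.lstrip(".") or host.endswith(pattern)

def abe_decision(rules, dest, origin):
    # The first rule whose Site matches the destination decides: Accept if
    # the origin matches an "Accept from" entry, else the trailing Deny.
    for rule in rules:
        if matches(rule["site"], dest, dest):
            ok = any(matches(p, origin, dest) for p in rule["accept_from"])
            return "Accept" if ok else "Deny"
    return "Accept"  # no rule applies to this destination

if __name__ == "__main__":
    # Real origin of the click is the local page: accepted.
    print(abe_decision(SYSTEM_RULES, FEED, "http://localhost/tests/"))
    # Origin as Gecko reports it: "feed://http//..." parses to host "http",
    # which is not loopback, so the rule falls through to Deny.
    print(abe_decision(SYSTEM_RULES, FEED, REPORTED_ORIGIN))
```

The same evaluation with USER_RULES shows the Facebook case: a feed: origin never equals SELF either, so the subscription is denied just like a cross-site request would be.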