FireFox + NS + Google "Note in Reader" = XSS problem

Posted: Wed Aug 11, 2010 12:46 pm
by msemtd
Hi, please excuse my lack of experience with NoScript - I'm a casual user rather than a web hacker.

I'm having some trouble with one of my favourite browser features, a "Note in Reader" bookmarklet that takes the selected text and adds it to my Google Reader page. When I use it on some pages I get a NS XSS blocked warning, no information is saved and the browser history on that tab is lost.

My NoScript version is 2.0.1 and the bookmarklet reads as follows: -

Code:

javascript:var%20b=document.body;var%20GR________bookmarklet_domain='https://www.google.com';if(b&&!document.xmlVersion){void(z=document.createElement('script'));void(z.src='https://www.google.com/reader/ui/link-bookmarklet.js');void(b.appendChild(z));}else{}

I can fully understand that NS believes that something dodgy is afoot: there's a selection being passed to another site - fair enough!

I tried altering an existing Anti-XSS regex thus: -

Code:

^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|reader\1)\?

No joy :(
Google Reader and NoScript are both great features of my browsing experience -- How can I get the two great features to play nicely together?

Re: FireFox + NS + Google "Note in Reader" = XSS problem

Posted: Wed Aug 11, 2010 2:44 pm
by Giorgio Maone
The following line added in the exceptions box should do:

Code:

^http://www\.google\.com/reader/link-frame

If it doesn't, please show me the [NoScript XSS] line(s) you should get in Tools|Error Console (Messages subsection) when this happens.
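
Added example, not part of the original posts and not NoScript's own code: the JavaScript below runs the two exception patterns quoted in this thread against constructed URLs, assuming an exception applies when the regex matches the destination URL. It shows that the altered pattern only accepts a path of `reader` followed by the captured subdomain and `?`, while the suggested line covers only the plain-http `link-frame` request on www.google.com.

```javascript
// ASSUMPTION: an anti-XSS exception applies when its regex matches the
// destination URL; modelled here with RegExp.prototype.test().
const EXCEPTIONS = {
  // msemtd's altered pattern, copied from the thread
  altered: String.raw`^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|reader\1)\?`,
  // Giorgio Maone's suggested exception, copied from the thread
  suggested: String.raw`^http://www\.google\.com/reader/link-frame`,
};

// Constructed sample URLs; every query string is a placeholder.
const SAMPLES = {
  linkFrame: 'http://www.google.com/reader/link-frame?title=constructed&snippet=selected+text',
  linkFrameHttps: 'https://www.google.com/reader/link-frame?title=constructed',
  lookalikeHost: 'http://www.google.com.example.test/reader/link-frame?title=constructed',
  search: 'http://www.google.com/search?q=constructed',
  // The only "reader" path the altered pattern accepts: \1 repeats the
  // captured subdomain, so the path must be /reader + "www" + "?".
  backrefOnly: 'http://www.google.com/readerwww?x=constructed',
};

// True when the exception pattern would exempt this destination URL.
function isExempt(pattern, url) {
  return new RegExp(pattern).test(url);
}

// Build a pattern-by-URL table of exemption decisions.
function matrix() {
  const out = {};
  for (const [name, pattern] of Object.entries(EXCEPTIONS)) {
    out[name] = {};
    for (const [label, url] of Object.entries(SAMPLES)) {
      out[name][label] = isExempt(pattern, url);
    }
  }
  return out;
}

console.table(matrix());
```

The `^` anchor and the literal `/` after `www\.google\.com` pin the exception to that host, so a longer host name that merely starts with the same text is not exempted.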

Re: FireFox + NS + Google "Note in Reader" = XSS problem

Posted: Wed Aug 11, 2010 2:56 pm
by msemtd
That seems to have done the trick - many thanks

Works fine for my problem sites although the "close this" link in the reader frame/div is not clickable for some reason! (Can't remember if it used to work previously -- I've also updated my bookmarklet to the latest from the Google Reader front end) Does anyone else have this issue?

Re: FireFox + NS + Google "Note in Reader" = XSS problem

Posted: Thu Sep 16, 2010 12:09 am
by Antipop
the "close this" link in the reader frame/div is not clickable for some reason!

It is not clickable on untrusted sites, because Google's script (even if Google is whitelisted) is loaded through the said untrusted site and therefore blocked - at least NoScript treats it that way. :-(
While it is good usually, I'd really love a way to make exceptions for such issues like "Note in Reader" feature.
Temporarily allowing each site on which I want to send a GR's note would be quite a pain in the ass... Not to say dangerous... We need a way to enable google's script https://www.google.com/reader/ui/link-bookmarklet.js to be loaded on http://www.badsite.com. Any solutions?

Re: FireFox + NS + Google "Note in Reader" = XSS problem

Posted: Thu Sep 16, 2010 6:53 am
by Giorgio Maone
Antipop wrote: Temporarily allowing each site on which I want to send a GR's note would be quite a pain in the ass... Not to say dangerous... We need a way to enable google's script https://www.google.com/reader/ui/link-bookmarklet.js to be loaded on http://www.badsite.com. Any solutions?

Unfortunately even if the 3rd party script got to load (and it doesn't), it wouldn't run because the JS engine is off for the hosting page.