InformAction Forums

I am using NoSrcipt 2.0.9.6 and today I visited a website called destructoid.com I got a message from NoScript about it blocking a potential XSS attempt from exelator.com. While I am glad NoScript blocked it, the problem is I never allowed exelator.com but NoScript had it allowed. I suppose I could have allowed it by accident but I highly doubt that because I have not visited destuctoid.com in over a year until today and it has been significantly re-designed since then.

Is it in your bookmarks?
Could you check carefully whether you've got any auto-allowing option enabled in NoScript Options|General?
BTW, a XSS attempt can come also from a scriptless site. Are you sure it's actually in your whitelist?

Giorgio Maone wrote:Is it in your bookmarks?
Could you check carefully whether you've got any auto-allowing option enabled in NoScript Options|General?
BTW, a XSS attempt can come also from a scriptless site. Are you sure it's actually in your whitelist?

Checked and I'm not seeing anything, all my NoScripts are default except I unchecked "Show message about blocked scripts" that is the only setting I've changed

Giorgio Maone wrote: BTW, a XSS attempt can come also from a scriptless site. Are you sure it's actually in your whitelist?

Well when I clicked the NoScript icon in the status bar it showed"Forbid exelator.com" rather than "Allow exelator.com"

Then you (or someone else accessing your PC) allowed it by accident.

Giorgio Maone wrote:Then you (or someone else accessing your PC) allowed it by accident.

Seems plausible, I think I will inform the website devs about the potential XSS maybe it's malicious

I am having a similar issue. I have a default setup of noscript, am making sure "allow bookmarks" is NOT checked.. all scripts on the sites mentionned are reporting blocked.

1)
I am trying to block statcounter from recording my ip address when I visit my own blog. Both the blog and statcounter.com's site have zero permissions set. I reload my blog X amount of times, log in to statcounter, and each refresh was visited with my IP visible.

2)
I went to a run-of-the-mill "what is my ip?" website, and my IP shows without touching NoScript as well. It shows all scripts being blocked in NoScript's options, I double, triple, quadruple check. I do not understand why this is getting through. I went up and down my Whitelist permissions, and the none of the mentioned sites are listed.

You send your IP with every single request, no matter whether scripts are enabled or not.
That's how TCP/IP works, and there's nothing you can do about it except hiding behind a proxy.

bill177, are you under the false impression that Javascript is needed for a server to get your IP?

/edit: Ninja Giorgio, once again.

That I was... blindly following the many "block trackers" Google search hits that claimed ScriptBlocker was also capable of blocking counters such as the Statcounter snippet of code embedded on my blogger page. Ahh well, I had no real need to do it, other than to see if I could. Thanks for setting it straight.