
Wrong(?) XSS Detection with Drag & DropZones and HTTP Post

Posted: Fri Mar 25, 2011 11:32 am
by nononon
Hello,
I use Firefox 3.6.15 on Windows XP
Some of my Add-ons:
Drag & DropZones 1.5 (https://addons.mozilla.org/en-us/firefo ... dropzones/)
NoScript 2.0.9.9
ABP
RequestPolicy

Since the latest update of NoScript I get a warning of a XSS attempt, when I use the D&D Zones extension to search from a site, for instance:
Image.

This only happens when I use search engines with the HTTP POST method.

So my question is this intended?

Thanks.

Re: Wrong(?) XSS Detection with Drag & DropZones and HTTP Post

Posted: Sat Mar 26, 2011 10:48 pm
by nononon
Any clues anyone?

Re: Wrong(?) XSS Detection with Drag & DropZones and HTTP Post

Posted: Sat Mar 26, 2011 11:02 pm
by Giorgio Maone
Can I see the [NoScript XSS] messages you should get in Tools|Error Console?

Re: Wrong(?) XSS Detection with Drag & DropZones and HTTP Post

Posted: Mon Mar 28, 2011 2:47 pm
by nononon
Giorgio Maone wrote: Can I see the [NoScript XSS] messages you should get in Tools|Error Console?

Code:

[NoScript XSS] Ein verdächtiger Upload zu [http://www.scroogle.org/cgi-bin/nbbw.cgi] von [http://forums.informaction.com/viewtopic.php?f=7&t=6076] wurde bereinigt und in eine GET-Anfrage (nur Download) umgewandelt.
Also I just noticed this happens only if JavaScript is forbidden. If I allow informaction.com I don't get this error.

Re: Wrong(?) XSS Detection with Drag & DropZones and HTTP Post

Posted: Mon Mar 28, 2011 3:05 pm
by Giorgio Maone
That's normal, as NoScript sanitizes any POST request originating from non-whitelisted sites as a CSRF countermeasure.

You can work around this by adding the following line to NoScript Options|Advanced|XSS exceptions:

Code:

^@http://www\.scroogle\.org/cgi-bin/nbbw\.cgi$
I cannot see any valid reason to send a search request via POST, though.
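To make the behaviour Giorgio describes concrete, here is an added illustration (written for this thread, not NoScript's own code) of the policy: a cross-site POST whose originating site is not whitelisted is downgraded to a body-less GET, which is why a POST-based search launched from a non-whitelisted page arrives at the engine with no query. Whitelisting the origin or listing the destination as an exception keeps the POST intact. The whitelist, the sample requests and the log wording are constructed for the example; exceptions are treated as plain regular expressions matched against the destination URL, and the same-origin exemption is an assumption of this model rather than something the thread states (NoScript's own exception syntax, including the `@` prefix shown above, is not reproduced).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class Request:
    """A browser request as the filter sees it: verb, originating page, target, body."""
    method: str
    origin: str
    url: str
    body: str = ""


@dataclass
class Policy:
    """Constructed policy inputs: whitelisted origin sites and destination exceptions (regexes)."""
    whitelist: List[str] = field(default_factory=list)
    exceptions: List[str] = field(default_factory=list)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_whitelisted(origin: str, whitelist: List[str]) -> bool:
    # A whitelist entry covers the site itself and its subdomains
    # (forums.informaction.com is covered by "informaction.com").
    host = host_of(origin)
    return any(host == site or host.endswith("." + site) for site in whitelist)


def matches_exception(url: str, exceptions: List[str]) -> bool:
    # Exceptions are anchored regexes over the destination URL; the anchors in
    # the thread's pattern (^ ... $) keep it from covering other scroogle URLs.
    return any(re.search(pattern, url) for pattern in exceptions)


def sanitize(req: Request, policy: Policy) -> Tuple[Request, Optional[str]]:
    """Apply the CSRF countermeasure described in the thread.

    Returns the request that would actually be sent and a log line if it was
    rewritten. Only cross-site POSTs from non-whitelisted, non-excepted
    origins are touched; everything else passes through unchanged.
    """
    if req.method.upper() != "POST":
        return req, None
    if host_of(req.origin) == host_of(req.url):
        return req, None  # assumption: same-site uploads are not filtered
    if is_whitelisted(req.origin, policy.whitelist):
        return req, None
    if matches_exception(req.url, policy.exceptions):
        return req, None
    # Downgrade: the verb becomes GET and the upload body is dropped entirely,
    # so a POST-only search form receives no query at all ("download only").
    downgraded = Request("GET", req.origin, req.url, "")
    log_line = (
        f"[NoScript XSS] Suspicious upload to [{req.url}] from [{req.origin}] "
        "was sanitized and turned into a GET (download only) request."
    )
    return downgraded, log_line


# Constructed sample: a POST-based search launched from a non-whitelisted forum page.
SEARCH_POST = Request(
    method="POST",
    origin="http://forums.informaction.com/viewtopic.php?f=7&t=6076",
    url="http://www.scroogle.org/cgi-bin/nbbw.cgi",
    body="Gw=noscript+xss",
)
SCROOGLE_EXCEPTION = r"^http://www\.scroogle\.org/cgi-bin/nbbw\.cgi$"


def scenario_no_policy() -> Tuple[Request, Optional[str]]:
    return sanitize(SEARCH_POST, Policy())


def scenario_origin_whitelisted() -> Tuple[Request, Optional[str]]:
    return sanitize(SEARCH_POST, Policy(whitelist=["informaction.com"]))


def scenario_destination_excepted() -> Tuple[Request, Optional[str]]:
    return sanitize(SEARCH_POST, Policy(exceptions=[SCROOGLE_EXCEPTION]))


if __name__ == "__main__":
    for name, fn in [("no policy", scenario_no_policy),
                     ("origin whitelisted", scenario_origin_whitelisted),
                     ("destination excepted", scenario_destination_excepted)]:
        sent, log = fn()
        print(f"{name:22} -> {sent.method} body={sent.body!r}")
        if log:
            print("   ", log)
```

Running the three scenarios shows the first one losing both the verb and the body (the search engine sees an empty GET), while either the origin whitelist or the destination exception lets the POST through untouched; the exception regex is anchored, so it covers only the one CGI endpoint rather than the whole site.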