InformAction Forums

The following is the site where the problem occurs:

http://money.cnn.com/data/markets/dow/


I started to get the following message from NoScript, regularly now:

NoScript filtered a potential cross-site scripting (XSS) attempt from ......

I appreciate the help that NoScript is doing.
BUT, why does it have to always give the pop-up message mentioned above?

It seems rather ironic, that NoScript, a program designed to prevent pop-ups,
is itself giving pop-ups!
After I have acknowledged it, the 10th time, is it possible for NoScript to learn that it is not necessary to warn me an 11th and 12th and 13th and 14th time etc.?

BTW, what it does is, NOT block the site's pop-up, it allows it, and adds its warning at the top of this pop-up.
So it's not strictly a NoScript pop-up, but NoScript should be smart enough to stop the pop-up and NOT warn me about it every time it pops up.

Please advise how I can stop this. Thanks!

Could you copy here any [NoScript XSS] line you can find by clicking the "Options" button on the warning and selecting "Show console"?

Giorgio Maone wrote:Could you copy here any [NoScript XSS] line you can find by clicking the "Options" button on the warning and selecting "Show console"?

OK, here it is:

[NoScript XSS] Sanitized suspicious request. Original URL [http://money.cnn.com/fn_adspaces/creati ... %22%20/%3E] requested from [http://ads.cnn.com/html.ng/site=cnn_mon ... mId=506627]. Sanitized URL: [http://money.cnn.com/fn_adspaces/creati ... 1630135270].

NoScript is correctly reporting a XSS security problem with the cnn.com site (try this link on Firefox without NoScript or in Internet Explorer for a demo).

However you can turn off the notification bar (which is not a popup, since it's not modal) by unchecking the "XSS" box in NoScript Options|Notifications.

Giorgio Maone wrote:NoScript is correctly reporting a XSS security problem with the cnn.com site

However you can turn off the notification bar (which is not a popup, since it's not modal) by unchecking the "XSS" box in NoScript Options|Notifications.

OK let's talk this through.

I want NoScript to continue to watch out for XSS security problems and notify me when a *NEW* problem comes up.
I would like NoScript to prevent an XSS security pop-up from running on its own.
I don't want NoScript to:
-Allow the XSS security pop-up to continue popping up, once it has identified it the first time.

It seems that if I turn off the Options/Notification bar I won't be notified about XSS scripts and the pop-up at this site will continue.

There's no way for NoScript send you XSS notification about new problems only (it should keep a database of previously encountered suspicious URLs, and probably in this case it wouldn't work either because the URL have randomization elements).

However in this specific case you can work around by marking ads.cnn.com as untrusted (you may need to check "Full Domains" in NoScript Options|Appearance first).

Giorgio Maone wrote: However in this specific case you can work around by marking ads.cnn.com as untrusted (you may need to check "Full Domains" in NoScript Options|Appearance first).

OK, thanks very much for your help!