XSS identified in Google Chat with NS 2.1.0.6rc5

Posted: Sat May 21, 2011 7:05 am
by stephenjpc
I use Firefox 4.0.1 synced across 3 PCs (2 with XP Pro, 1 Win 7 64). iGoogle is my homepage. These have just updated my NoScript to 2.1.0.6rc5, and now I am getting an XSS warning with the iGoogle page that was not occurring ahead of the update, and the Google Chat feature is being blocked. Reverting to the latest stable build resolves the problem so I presume this is a bug that will need ironing.

If it assists, this is the message showing up in my Console, with minor edits to (hopefully) protect my identity:

[NoScript XSS] Sanitised suspicious request.
Original URL [http://talkgadget.google.com/talkgadget/notifierclient?client=sm&prop=iGoogle&nav=true&fid=gtn-roster-iframe-id&ts=0&debug=undefined&os=Win32&stime=13954686665&fb=false&re=true&no=undefined&hc=true&ref=false&xpc=%7B%22cn%22%3A%22o643m%22%2C%22tp%22%3A1%2C%22ifrid%22%3A%22gtn-roster-iframe-id%22%2C%22pu%22%3A%22http%3A%2F%2Ftalkgadget.google.com%2Ftalkgadget%2F%22%2C%22lpu%22%3A%22http%3A%2F%2Fwww.google.co.uk%2Frobots.txt%22%2C%22ppu%22%3A%22http%3A%2F%2Ftalkgadget.google.com%2Frobots.txt%22%7D&pvt=undefined&href=http%3A%2F%2Fwww.google.co.uk%2Fig%23t_0%3Frel%3D1&css=http%3A%2F%2Figoogle-skins.googleusercontent.com%2Fig%2Fskin_xml_to_css%3Fv2%3D1%26url%3Dhttp%253A%252F%252Fwww.google.com%252Fig%252Fmodules%252Fapiskins%252Fteahouse.xml%26skindx%3Dix%3A8%26hl%3Den%26fp%3DDNtYX5r8HII&hl=en&uj=stephen%40gmail.com&vp=http%3A%2F%2Fwww.google.co.uk%2Fig%2Ftalk_xpc_blank.html&host=1&zx=g7ysernshr3a] requested from [http://www.google.co.uk/ig].
Sanitised URL: [http://talkgadget.google.com/talkgadget/notifierclient?client=sm&prop=iGoogle&nav=true&fid=gtn-roster-iframe-id&ts=0&debug=undefined&os=Win32&stime=13954686665&fb=false&re=true&no=undefined&hc=true&ref=false&xpc=%7B%20cn%20%3A%20o643m%20%2C%20tp%20%3A1%2C%20ifrid%20%3A%20gtn-roster-iframe-id%20%2C%20pu%20%3A%20http%3A%2F%2Ftalkgadget.google.com%2Ftalkgadget%2F%20%2C%20lpu%20%3A%20http%3A%2F%2Fwww.google.co.uk%2Frobots.txt%20%2C%20ppu%20%3A%20http%3A%2F%2Ftalkgadget.google.com%2Frobots.txt%20%7D&pvt=undefined&href=http%3A%2F%2Fwww.google.co.uk%2Fig%23102787499062865405&css=http%3A%2F%2Figoogle-skins.googleusercontent.com%2Fig%2Fskin_xml_to_css%3Fv2%3D1%26url%3Dhttp%253A%252F%252Fwww.google.com%252Fig%252Fmodules%252Fapiskins%252Fteahouse.xml%26skindx%3Dix%3A8%26hl%3Den%26fp%3DDNtYX5r8HII&hl=en&uj=stephen%40gmail.com&vp=http%3A%2F%2Fwww.google.co.uk%2Fig%2Ftalk_xpc_blank.html&host=1&zx=g7ysernshr3a#119964604473264759].
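
When triaging a report like the one above, it helps to see exactly which parameters the filter rewrote and which characters it took out. The following is an added example, not part of the original thread and not NoScript's own code; the two URLs are a constructed, shortened pair modelled on the console message (only `client`, `xpc`, `href` and `hl` are kept), and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed, shortened pair modelled on the console message above.
ORIGINAL = (
    "http://talkgadget.google.com/talkgadget/notifierclient?client=sm"
    "&xpc=%7B%22cn%22%3A%22o643m%22%2C%22tp%22%3A1%7D"
    "&href=http%3A%2F%2Fwww.google.co.uk%2Fig%23t_0%3Frel%3D1&hl=en"
)
SANITISED = (
    "http://talkgadget.google.com/talkgadget/notifierclient?client=sm"
    "&xpc=%7B%20cn%20%3A%20o643m%20%2C%20tp%20%3A1%7D"
    "&href=http%3A%2F%2Fwww.google.co.uk%2Fig%23102787499062865405&hl=en"
    "#119964604473264759"
)


def query_params(url):
    """Decoded query parameters in order, keeping blanks and duplicates."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def diff_sanitised(original, sanitised):
    """List what the filter rewrote: changed parameters and the fragment."""
    before, after = query_params(original), query_params(sanitised)
    if [n for n, _ in before] != [n for n, _ in after]:
        raise ValueError("parameter names or order differ; compare by hand")
    changed = []
    for (name, old), (_, new) in zip(before, after):
        if old != new:
            # Characters present only in the original value were removed
            # or replaced by the sanitiser.
            stripped = sorted(set(old) - set(new))
            changed.append({"param": name, "before": old, "after": new,
                            "stripped": stripped})
    fragments = (urlsplit(original).fragment, urlsplit(sanitised).fragment)
    return {"changed": changed,
            "fragment": fragments if fragments[0] != fragments[1] else None}


if __name__ == "__main__":
    report = diff_sanitised(ORIGINAL, SANITISED)
    for c in report["changed"]:
        print(f'{c["param"]}: stripped {c["stripped"]}')
        print(f'  before: {c["before"]}')
        print(f'  after:  {c["after"]}')
    print("fragment:", report["fragment"])
```

On this pair the report shows the double quotes of the JSON in `xpc` replaced by spaces, the fragment inside `href` rewritten, and a fragment appended to the request URL.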

Re: XSS identified in Google Chat with NS 2.1.0.6rc5

Posted: Sun May 22, 2011 10:47 pm
by stephenjpc
Issue resolved with rc6, thanks.

Re: XSS identified in Google Chat with NS 2.1.0.6rc5

Posted: Thu May 26, 2011 5:41 pm
by stephenjpc
Now there's the same problem with rc9. :(

Re: XSS identified in Google Chat with NS 2.1.0.6rc5

Posted: Thu May 26, 2011 10:47 pm
by Giorgio Maone
Refixed in rc10 :)

Re: XSS identified in Google Chat with NS 2.1.0.6rc5

Posted: Fri May 27, 2011 3:15 am
by stephenjpc
Thanks again Giorgio, and more generally for all your work with the best browser add-on bar none.