NoScript breaks Yahoo Mail slideshow functionality

[Morac]

Yahoo Mail has a feature which allows the user to view attached photos as a slideshow in the browser. I noticed this feature disappeared recently, leaving only the option to download photo attachments.

I tracked the problem down to NoScript which is blocking Yahoo Mail from accessing one of it's own servers:

Code: Select all

Blocking reflected script inclusion origin XSS: http://mail.yimg.com/zz/combo?nq/3059/yui/yui-min.js&nq/3059/oop/oop-min.js&nq/3059/dom/dom-min.js&nq/3059/event/event-min.js&nq/3059/event-custom/event-custom-min.js&nq/3059/base/base-base-min.js&nq/3059/plugin/plugin-min.js&nq/3059/pluginhost/pluginhost-min.js&nq/3059/node/node-min.js&nq/3059/attribute/attribute-min.js&nq/3059/json/json-min.js&nq/3059/intl/intl-min.js&nq/3059/datatype/lang/datatype-date.js&nq/3059/datatype/datatype-date-min.js&nq/3059/datatype/datatype-xml-min.js&nq/3059/cookie/cookie-min.js&nq/3059/async-queue/async-queue-min.js&nq/3059/collection/array-extras-min.js&nq/3059/querystring/querystring-parse-simple-min.js&nq/3059/querystring/querystring-stringify-simple-min.js&nq/3059/loader/loader-min.js from http://36ohk6dgmcd1n.yom.mail.yahoo.net/om/api/1.0/openmail.app.invoke/36ohk6dgmcd1n/8/1.0.35/us/en-US/controller.html#bn=1.0.35&.lang=en-US&.intl=us&rtl=0&proxyhost=us.mg1.mail.yahoo.com&sig=625b3ba8fb377236e61474f58ef9ac52&vid=om_default_view_id_36ohk6dgmcd1n-load&app=36ohk6dgmcd1n&mailver=neo&mailyuiurl=http://mail.yimg.com/zz/combo?nq/3059/yui/yui-min.js&nq/3059/oop/oop-min.js&nq/3059/dom/dom-min.js&nq/3059/event/event-min.js&nq/3059/event-custom/event-custom-min.js&nq/3059/base/base-base-min.js&nq/3059/plugin/plugin-min.js&nq/3059/pluginhost/pluginhost-min.js&nq/3059/node/node-min.js&nq/3059/attribute/attribute-min.js&nq/3059/json/json-min.js&nq/3059/intl/intl-min.js&nq/3059/datatype/lang/datatype-date.js&nq/3059/datatype/datatype-date-min.js&nq/3059/datatype/datatype-xml-min.js&nq/3059/cookie/cookie-min.js&nq/3059/async-queue/async-queue-min.js&nq/3059/collection/array-extras-min.js&nq/3059/querystring/querystring-parse-simple-min.js&nq/3059/querystring/querystring-stringify-simple-min.js&nq/3059/loader/loader-min.js&mailbase=http://mail.yimg.com/nq/3059/&mailsuffix=-min.js&mailcombobase=http://mail.yimg.com/zz/combo?&mailloaderpath=loader/loader-min.js&mailmoduleroot=nq/3059/&crumb=7MHg7DYtbuh&cb=1320279775066

I tried adding an XSS exclusion for "^http://mail.yimg.com/", but that's not working.

Even unchecking both options in the advanced XSS options doesn't work, nor does allowing global scripts. I keep getting the above message in the error console unless I disable NoScript. I'm running version 2.1.8rc3.

[Morac]

Okay I found a "fix", but I actually had to dig into the code to figure out what to do.

I set the "noscript.xss.checkInclusions.exceptions" preference to "^http://mail.yimg.com/" and that got things working. Really though, from a user standpoint I shouldn't have had to do that. Adding the entry to the XSS exclusions page should have been enough.