Getting spurious clickjacks from http://news.yahoo.com
I have got clickjack warnings twice today on two different news stories at http://news.yahoo.com. The last was for http://news.yahoo.com/maine-sen-olympia ... -news.html . I'm pretty sure that they are bogus.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Re: Getting spurious clickjacks from http://news.yahoo.com
So you are on the news.yahoo.com web page, & on there is the link, http://news.yahoo.com/maine-sen-olympia-snowe-retire-222150775--abc-news.html, & clicking that generated then the Clickjacking warning?
Can you copy that warning from the Error Console & post it here.
What version of NoScript are you running?
When you are on yahoo.com, what domains show as allowed?
Running any other "blocking" software/extensions?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a2) Gecko/20120227 Firefox/12.0a2 SeaMonkey/2.9a2
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3369
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: Getting spurious clickjacks from http://news.yahoo.com
Don't be so sure, but it would be more helpful to validate if they are "bogus" if you actually use the report button and provide the report number so we can find out why it's happening. Chances are always HIGH that they are legitimate despite what it might seem.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Re: Getting spurious clickjacks from http://news.yahoo.com
I have also been getting spurious XSS reports when I click on many Yahoo! News links. I'm positive these links are safe, as I never had any trouble from NoScript when accessing those links on my old system (using Windows XP Pro with older versions of Firefox and NoScript). This is occurring on my new machine with Windows 7 HP Service Pack 1, and the newest available versions of both Firefox and NoScript. I'll try accessing one of those malfunctioning links again and submit a report so you can see what's going on. I'm no sort of expert but my own guess is that something in Yahoo's scripting doesn't like something in the new version of NoScript, or vice versa, and is returning clickjacking results that shouldn't be.
EDIT: I can't find the report button so I'm pasting the information message from the XSS console here:
[NoScript XSS] Sanitized suspicious request. Original URL [http://us.lrd.yahoo.com/_ylt=AqY8DcU1_. ... 6en70gOYE-] requested from [http://my.yahoo.com/]. Sanitized URL: [http://us.lrd.yahoo.com/_ylt%20AqY8DcU1 ... 8694172907].
Also, here's an error message I found in the XSS console though I don't know if it's connected to the immediate problem:
Error: uncaught exception: [Exception... "Component returned failure code: 0x805e0006 [nsIDOMLocation.replace]" nsresult: "0x805e0006 (<unknown>)" location: "JS frame :: http://l.yimg.com/a/lib/darla/util_0.2.6.js :: <TOP_LEVEL> :: line 1" data: no]
Apparently what's going on is that NoScript is being a little too zealous about sanitizing some URLs from news.yahoo.com. I'm using NoScript 2.3.2 as an add-on to Firefox 10.0.2.
The maddening thing is that this problem is inconsistent. I just clicked on this Yahoo! News link:
http://news.yahoo.com/romney-gains-stre ... 05921.html
and the page loaded without any issues or problems.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Re: Getting spurious clickjacks from http://news.yahoo.com
@joea64
Have you tried the most recent NoScript build (2.3.3rc2) [04 March 2012 21:28]?
I have bookmarked the "Recent all builds ..." feed and find it very useful.
I use it to keep each profile updated (using the linked XPIs).
Code:
NoScript Updates
Recent all builds from noscript.net
NoScript 2.3.3rc2
04 March 2012 21:28
x [XSS] Better compatibility with some 3rd party ads on Ebay
NoScript 2.3.3rc1
03 March 2012 22:34
x [XSS] Fixed false positive on dotted name-value assignments chained with
semicolons (e.g. on some Yahoo-served ads)
Only asking because I think yahoo have been making changes.
See also trouble with my.yahoo.com http://forums.informaction.com/viewtopi ... 0&start=15
DJ-Leith
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Re: Getting spurious clickjacks from http://news.yahoo.com
I misspoke: They are XSS errors. Today I got an XSS error from //my.yahoo.com. The error console showed:
[NoScript XSS] Sanitized suspicious request. Original URL [http://us.lrd.yahoo.com/_ylt=AufytOP9PR ... Lj_2XOIqM-] requested from [http://my.yahoo.com/]. Sanitized URL: [http://us.lrd.yahoo.com/_ylt%20AufytOP9 ... 3366986714].
None of this means anything to me. This error occurs frequently of late in attempting to read news stories from my Yahoo! home page.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
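Added example, not part of any post in this thread and not NoScript's own code: a Python sketch that parses the "[NoScript XSS] Sanitized suspicious request" Error Console line pasted in the posts above and lists exactly which characters differ between the original and sanitized URLs (in the pasted notices, the = after _ylt comes back as %20). The sample line, its hosts and the function names are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import unquote, urlsplit

# Layout of the Error Console message quoted in the posts above.
NOTICE_RE = re.compile(
    r"\[NoScript XSS\] Sanitized suspicious request\. "
    r"Original URL \[(?P<original>[^\]]+)\] "
    r"requested from \[(?P<referrer>[^\]]+)\]\. "
    r"Sanitized URL: \[(?P<sanitized>[^\]]+)\]"
)

# Constructed sample: hosts and parameters are invented, not Yahoo's real ones.
SAMPLE = (
    "[NoScript XSS] Sanitized suspicious request. "
    "Original URL [http://redirect.example/_x=AAA;_y=BBB/path] "
    "requested from [http://portal.example/]. "
    "Sanitized URL: [http://redirect.example/_x%20AAA;_y%20BBB/path]."
)


def parse_notice(line):
    """Return the three URLs from one notice, or None if the line is not one."""
    m = NOTICE_RE.search(line)
    return m.groupdict() if m else None


def sanitizer_changes(original, sanitized):
    """List (op, before, after) for every span the filter altered.

    Both URLs are percent-decoded first so that '%20' compares as a space
    and only real character changes are reported.
    """
    a, b = unquote(original), unquote(sanitized)
    ops = SequenceMatcher(None, a, b, autojunk=False).get_opcodes()
    return [(tag, a[i1:i2], b[j1:j2]) for tag, i1, i2, j1, j2 in ops if tag != "equal"]


def triage(line):
    """Summarise a notice: who requested what, and what was rewritten."""
    n = parse_notice(line)
    if n is None:
        return None
    return {
        "from_host": urlsplit(n["referrer"]).hostname,
        "to_host": urlsplit(n["original"]).hostname,
        "changes": sanitizer_changes(n["original"], n["sanitized"]),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The list of changed characters, together with the NoScript version, is the part of the notice that lets a false positive be compared against the changelog entries for the XSS filter.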
Re: Getting spurious clickjacks from http://news.yahoo.com
@MacMcF
Have you tried the latest version of NoScript (2.3.3rc3 as I write)?
See my post (above, Mon Mar 05, 2012 2:41 pm).
DJ-Leith
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3369
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: Getting spurious clickjacks from http://news.yahoo.com
For XSS issues, you should have used a different post as this was relating specifically to ClickJacking notices. Mixing topics is not a good idea as it makes it hard to support both OP without mixing the issues. Next time please open your own thread specific to the issue you are having and not hijack another thread relating to something else.
Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2