XSS protection blocking Office365 federated login
Posted: Thu Jul 26, 2012 5:19 pm
by Brons2
Our organization runs Microsoft Office 365, and we have our onsite Active Directory federated to the Office365 cloud using ADFS on Windows Server 2008R2. Recently the XSS click-jack protection has activated when I try to click on the various modules with the Office365 administrative functions. For example, when I log into the administrative page portal.microsoftonline.com (which gives me access to my admin options) and then click on the subservices available under that portal, that is when the XSS protection activates. The login to the subservices contacts the onsite server to check on the SAML token, and it is blocked.
I would like to create rules excepting microsoftonline.com and outlook.com (where the cloud email is) from XSS and additionally my ADFS servers (FQDN of my host). Creating those expressions doesn't seem very self-explanatory, though. Where can I get some help with this?
Re: XSS protection blocking Office365 federated login
Posted: Thu Jul 26, 2012 7:46 pm
by Giorgio Maone
I could help if you can post here some samples of the [NoScript XSS] messages you can find in your Error Console (Ctrl+Shift+J).
Re: XSS protection blocking Office365 federated login
Posted: Mon Jul 30, 2012 2:56 pm
by Brons2
I changed my username to firstname.lastname rather than the actual address @our domain. I guess since we're government anyways it doesn't matter if our domain is floating around out there.
[NoScript InjectionChecker] JavaScript Injection in ##<t:RequestSecurityTokenResponse xmlns:t="
http://schemas.xmlsoap.org/ws/2005/02/t ... su:Created xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/ ... su:Expires xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/ ... :AppliesTo xmlns:wsp="
http://schemas.xmlsoap.org/ws/2004/09/p ... tReference xmlns:wsa="
http://www.w3.org/2005/08/addressing">< ... :Assertion MajorVersion="1" MinorVersion="1" AssertionID="_67f2392f-cf21-4623-9504-664813925148" Issuer="
http://sts.thecb.state.tx.us/adfs/services/trust" IssueInstant="2012-07-30T14:51:35.737Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions NotBefore="2012-07-30T14:51:35.737Z" NotOnOrAfter="2012-07-30T15:51:35.737Z"><saml:AudienceRestrictionCondition><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">KLl9n4Rv50CNSzNDbWbADw==</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:Attribute AttributeName="UPN" AttributeNamespace="
http://schemas.xmlsoap.org/claims"><sam ... :Attribute AttributeName="ImmutableID" AttributeNamespace="
http://schemas.microsoft.com/LiveID/Fed ... nStatement AuthenticationMethod="urn:federation:authentication:windows" AuthenticationInstant="2012-07-30T14:51:35.674Z"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">KLl9n4Rv50CNSzNDbWbADw==</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><ds:Signature xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"><ds ... tionMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n# ... tureMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#rsa-s ... :Reference URI="#_67f2392f-cf21-4623-9504-664813925148"><ds:Transforms><ds:Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#envel ... :Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n# ... gestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1" ... o><KeyInfo xmlns="
http://www.w3.org/2000/09/xmldsig#"><X5 ... enResponse>
[NoScript XSS] Sanitized suspicious upload to [
https://login.microsoftonline.com/login ... esponse%3E] from [
https://sts.thecb.state.tx.us/adfs/ls/a ... 1343659030]: transformed into a download-only GET request.
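What NoScript sanitized above is the WS-Federation sign-in POST: ADFS returns a RequestSecurityTokenResponse carrying a SAML 1.1 bearer assertion, and the browser form-posts it to login.microsoftonline.com, which is the "contacts the onsite server to check on the SAML token" step from the first post. Turning that POST into a download-only GET drops the token, so the cloud side never sees it. The script below is an added example, not the poster's token and not NoScript code: it parses a constructed token with the same element structure as the console message (issuer, IDs, UPN and ImmutableID are placeholders; element names in the truncated parts are filled in from the WS-Trust and SAML 1.1 schemas; the ImmutableID claim namespace is assumed) and runs the checks a relying party applies before trusting it. XML-DSig verification is deliberately left out, so this must not be used as an actual token validator.

```python
"""Parse and sanity-check a WS-Federation wresult: a RequestSecurityTokenResponse
wrapping a SAML 1.1 bearer assertion, as ADFS POSTs to login.microsoftonline.com.
Added example with a constructed token; not the poster's real token, not NoScript
code. Signature verification is intentionally omitted."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"

# Constructed sample: same structure as the [NoScript InjectionChecker] message in
# the thread. Issuer, AssertionID, UPN, ImmutableID, digest and signature values
# are placeholders; the ImmutableID AttributeNamespace is an assumption.
SAMPLE_WRESULT = """\
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:federation:MicrosoftOnline</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
<t:RequestedSecurityToken>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_example-0001" Issuer="https://sts.example.gov/adfs/services/trust" IssueInstant="2012-07-30T14:51:35.737Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2012-07-30T14:51:35.737Z" NotOnOrAfter="2012-07-30T15:51:35.737Z"><saml:AudienceRestrictionCondition><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
<saml:AttributeStatement>
<saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">EXAMPLEIMMUTABLEID==</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject>
<saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>firstname.lastname@example.gov</saml:AttributeValue></saml:Attribute>
<saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05"><saml:AttributeValue>EXAMPLEIMMUTABLEID==</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:federation:authentication:windows" AuthenticationInstant="2012-07-30T14:51:35.674Z"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">EXAMPLEIMMUTABLEID==</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#_example-0001"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
</saml:Assertion>
</t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def parse_wresult(xml_text):
    """Pull the security-relevant fields out of the RSTR into a plain dict."""
    root = ET.fromstring(xml_text)
    assertion = root.find(".//saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    claims = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        claims[attr.get("AttributeName")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return {
        "issuer": assertion.get("Issuer"),
        "assertion_id": assertion.get("AssertionID"),
        "applies_to": root.findtext(".//wsa:Address", namespaces=NS),
        "audiences": [a.text for a in assertion.findall(".//saml:Audience", NS)],
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "confirmation": assertion.findtext(".//saml:ConfirmationMethod", namespaces=NS),
        "signature_ref": assertion.find(".//ds:Reference", NS).get("URI"),
        "claims": claims,
    }


def _ts(value):
    """Parse the ADFS timestamp form (UTC, millisecond fraction, trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_token(info, expected_issuer, expected_audience, now_iso):
    """Relying-party checks on the parsed token; returns a list of problems.
    An empty list means every check passed. Signature is NOT verified here."""
    now = _ts(now_iso)
    problems = []
    if info["issuer"] != expected_issuer:
        problems.append("issuer mismatch: %s" % info["issuer"])
    if expected_audience not in info["audiences"]:
        problems.append("audience mismatch: %s" % info["audiences"])
    if not (_ts(info["not_before"]) <= now < _ts(info["not_on_or_after"])):
        problems.append("outside validity window")
    if info["confirmation"] != BEARER:
        problems.append("unexpected confirmation method: %s" % info["confirmation"])
    # The enveloped signature must reference the assertion it lives in.
    if info["signature_ref"] != "#" + info["assertion_id"]:
        problems.append("signature reference does not cover this assertion")
    if not info["claims"].get("ImmutableID"):
        problems.append("missing ImmutableID claim")
    return problems


if __name__ == "__main__":
    token = parse_wresult(SAMPLE_WRESULT)
    for key, value in token.items():
        print("%-16s %s" % (key, value))
    print(check_token(token, "https://sts.example.gov/adfs/services/trust",
                      "urn:federation:MicrosoftOnline", "2012-07-30T15:00:00.000Z"))
```

Run it against a real wresult by replacing SAMPLE_WRESULT with the body captured from the POST (the console message above shows the same structure). The hour-long NotBefore/NotOnOrAfter window and the bearer confirmation method are why the body has to reach login.microsoftonline.com intact: a GET with the token stripped carries nothing the relying party can evaluate, which is the blocked login the thread describes.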
Re: XSS protection blocking Office365 federated login
Posted: Mon Jul 30, 2012 2:59 pm
by therube
Try the latest development build & see if that fixes the problem for you.
Re: XSS protection blocking Office365 federated login
Posted: Mon Jul 30, 2012 3:07 pm
by Brons2
therube wrote: Try the latest development build & see if that fixes the problem for you.
Yeah, that worked. Thanks!!