(Moved this here from NoScript General forum. This appears to be the more correct forum to use for a question like this.)
Hello,
I receive a few weekly email newsletters from nytimes.com. Many links they publish (to their articles and blogs) work; many others are blocked by NoScript and require "unsafe reload."
These are the only such errors I have been fortunate to encounter in my normal activities.
The notification bar says "NoScript filtered a potential cross-site scripting (XSS) attempt from [chrome:]...."
The console shows what appear to be two relevant messages. I've copied them below, but have replaced the user_id value in them with the word REDACTED in both cases.
- [NoScript InjectionChecker] JavaScript Injection in ///email/re?location=YFuu/A194QFuPUMwQFW5xOksO0XG6+ko8sqHbf0/emAZa9e4q2DBINFtfLjCULBf52OIidBq7TpJkmW4DTUgz6IQzPiyWlcXH611F95GgUO0R2+axH+4FOuvfwpNeWpyJzPIG6VUsk4=&campaign_id=27&instance_id=25869&segment_id=43453&user_id=REDACTED
(function anonymous() {
location=YFuu/A194QFuPUMwQFW5xOksO0XG6+ko8sqHbf0 /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
followed by:
- [NoScript XSS] Sanitized suspicious request. Original URL [http://p.nytimes.com/email/re?location=YFuu/A194QFuPUMwQFW5xOksO0XG6+ko8sqHbf0/emAZa9e4q2DBINFtfLjCULBf52OIidBq7TpJkmW4DTUgz6IQzPiyWlcXH611F95GgUO0R2+axH+4FOuvfwpNeWpyJzPIG6VUsk4=&campaign_id=27&instance_id=25869&segment_id=43453&user_id=REDACTED] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://p.nytimes.com/email/re?LOCATION=YFuu/A194QFuPUMwQFW5xOksO0XG6+ko8sqHbf0/emAZa9e4q2DBINFtfLjCULBf52OIidBq7TpJkmW4DTUgz6IQzPiyWlcXH611F95GgUO0R2+axH+4FOuvfwpNeWpyJzPIG6VUsk4=&campaign_id=27&instance_id=25869&segment_id=43453&user_id=REDACTED].
The only change I spot in the sanitized URL is that the parameter location has been uppercased to LOCATION.
nytimes.com is in my whitelist but I guess that's not sufficient. I am not sure what I could add to the XSS exceptions to avoid this problem.
Thank you very much for your assistance.
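Why a link like this can trip a syntax-based injection check, as an added JavaScript example that is not part of the original post and is not NoScript's own code: the fragment quoted in the first console message is itself valid JavaScript that assigns to `location`. The `SENSITIVE` list and the helper names are assumptions made for illustration.

```javascript
// Simplified model for illustration; this is not NoScript's InjectionChecker.
// Query string copied from the console message in the post.
const QUERY =
  "location=YFuu/A194QFuPUMwQFW5xOksO0XG6+ko8sqHbf0/emAZa9e4q2DBINFtfLjCULBf52" +
  "OIidBq7TpJkmW4DTUgz6IQzPiyWlcXH611F95GgUO0R2+axH+4FOuvfwpNeWpyJzPIG6VUsk4=" +
  "&campaign_id=27&instance_id=25869&segment_id=43453&user_id=REDACTED";
// Fragment the first console message reports.
const REPORTED = "location=YFuu/A194QFuPUMwQFW5xOksO0XG6+ko8sqHbf0";
// Assumed list of assignment targets that matter in a page (hypothetical).
const SENSITIVE = new Set(["location"]);

// Compile (never execute) the text as a function body, using the trailer
// that appears in the log. Returns false when it is not valid JavaScript.
function compilesAsJs(src) {
  try {
    new Function(src + " /* COMMENT_TERMINATOR */\nDUMMY_EXPR");
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Name on the left of a leading "name = ..." assignment, or null.
function assignmentTarget(src) {
  const m = /^\s*([A-Za-z_$][\w$]*)\s*=(?!=)/.exec(src);
  return m ? m[1] : null;
}

function classify(src) {
  const target = assignmentTarget(src);
  const compiles = compilesAsJs(src);
  return { compiles, target, flagged: compiles && SENSITIVE.has(target) };
}

const firstParam = QUERY.split("&")[0];
const report = {
  reported: classify(REPORTED),
  wholeParam: classify(firstParam),
  sanitized: classify(REPORTED.replace(/^location/, "LOCATION")),
  otherParam: classify("campaign_id=27"),
};
console.log(report);
```

The whole parameter value does not compile, but the prefix quoted in the log does; with the name uppercased the text is still valid JavaScript, yet it no longer assigns to `location`, because JavaScript identifiers are case-sensitive.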