Hello,
I am using NoScript 2.6.8.13 with Firefox 26.0.
Have you ever considered allowing a configuration option for NoScript that would cause it to not block or trigger on well-formatted and schema-compliant SAML2 HTTP POST binding messages being transmitted from one site (a SAML2 identity provider or IdP) to a second site (a SAML2 service provider or SP)?
Right now the communication by HTTP POST binding of the SAML2 XML assertion from IdP to SP is being flagged as an XSS exploit. For example:
[NoScript XSS] Sanitized suspicious upload to
[https://service.site01.com/Shibboleth.sso/SAML2/POST]
from
[https://login.site02.com/idp/profile/SAML2/Redirect/SSO]:
transformed into a download-only GET request.
While I could whitelist those sites, since the SAML2 federation within which I operate is large, with more than 300 IdPs or login providers and more than 1000 SPs or sites, it is awkward to continually have to whitelist (and ask my users to do so).
Since a schema-compliant SAML2 XML payload is straightforward to detect, perhaps NoScript could not trigger on these types of single sign-on (SSO) flows?
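An added example, not part of the original post or of NoScript's code, showing what "straightforward to detect" amounts to: a Python recognizer for the HTTP-POST binding shape (a form-encoded body whose single SAMLResponse or SAMLRequest field base64-decodes to well-formed XML with a SAML 2.0 protocol root, a Destination matching the endpoint posted to, and, for a Response, an Assertion). The SP endpoint is the one from the NoScript message above; the issuer entity ID and the XML are constructed. It classifies message shape only and does not verify the XML signature, so it is a filter exemption test, not a substitute for the SP's own validation.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

# Namespace URIs fixed by the SAML 2.0 specification.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# SP endpoint from the NoScript message above; issuer and XML below are constructed.
SP_ENDPOINT = "https://service.site01.com/Shibboleth.sso/SAML2/POST"
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"'
    f' IssueInstant="2014-01-01T00:00:00Z" Destination="{SP_ENDPOINT}">'
    '<saml:Issuer>https://login.site02.com/idp</saml:Issuer>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">'
    '<saml:Issuer>https://login.site02.com/idp</saml:Issuer></saml:Assertion>'
    '</samlp:Response>'
)


def make_post_body(xml: str) -> str:
    """Encode XML the way the HTTP-POST binding does: base64 in a form field."""
    encoded = base64.b64encode(xml.encode("utf-8")).decode("ascii")
    return urllib.parse.urlencode({"SAMLResponse": encoded, "RelayState": "cookie:1"})


def looks_like_saml2_post(body: str, destination: str) -> bool:
    """True if a form-encoded POST body has the shape of a SAML2 HTTP-POST binding
    message addressed to `destination`. Shape only: the XML signature is not checked."""
    fields = urllib.parse.parse_qs(body, keep_blank_values=True)
    # The binding carries exactly one message, in SAMLResponse or SAMLRequest.
    msg = fields.get("SAMLResponse") or fields.get("SAMLRequest")
    if not msg or len(msg) != 1:
        return False
    try:
        root = ET.fromstring(base64.b64decode(msg[0], validate=True))
    except (ValueError, ET.ParseError):
        return False  # not base64, or the decoded bytes are not well-formed XML
    if root.tag not in (f"{{{SAMLP}}}Response", f"{{{SAMLP}}}AuthnRequest"):
        return False
    # Destination, when present, must name the endpoint the form was posted to.
    if root.get("Destination") not in (None, destination):
        return False
    if root.tag.endswith("}Response"):
        # A Response to an SP carries at least one (possibly encrypted) Assertion.
        return any(root.find(f"{{{SAML}}}{tag}") is not None
                   for tag in ("Assertion", "EncryptedAssertion"))
    return True
```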