Thank you very much for the sophisticated and helpful NoScript addon, which a lot of friends are using.
I have a concern with the XSS feature. When I use the OpenID Connect specification for authentication http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
with a scope parameter with multiple scopes separated by spaces including openid, I get an XSS warning.
For example, on the page https://oauth-python-sample.g10f.de/oauth2/login/ there is a link to log in with Google:
https://accounts.google.com/o/oauth2/auth?scope=openid+profile+email&state=eyJub25jZSI6InlWTGQ1cWpzWGdPRCIsImNsaWVudCI6NywibmV4dCI6Ii8ifQ&redirect_uri=https%3A%2F%2Foauth-python-sample.g10f.de%2Foauth2%2Flogin%2F&response_type=code&client_id=1054794484004-cijvmo33q0ucevim6ip722smkjruf4rh.apps.googleusercontent.com
The console log contains something like this:
- [NoScript InjectionChecker] JavaScript Injection in ///o/oauth2/auth?scope=openid+profile+email&state=eyJub25jZSI6ImNFemlmM2F0YWdDYyIsImNsaWVudCI6NywibmV4dCI6Ii8ifQ&redirect_uri=https://oauth-python-sample.g10f.de/oauth2/login/&response_type=code&client_id=1054794484004-cijvmo33q0ucevim6ip722smkjruf4rh.apps.googleusercontent.com
(function anonymous() {
scope=openid+profile+email /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Eine verdächtige Anfrage wurde bereinigt. Original-URL [https://accounts.google.com/o/oauth2/auth?scope=openid+profile+email&state=eyJub25jZSI6ImNFemlmM2F0YWdDYyIsImNsaWVudCI6NywibmV4dCI6Ii8ifQ&redirect_uri=https%3A%2F%2Foauth-python-sample.g10f.de%2Foauth2%2Flogin%2F&response_type=code&client_id=1054794484004-cijvmo33q0ucevim6ip722smkjruf4rh.apps.googleusercontent.com] angefordert von [https://oauth-python-sample.g10f.de/oauth2/login/]. Bereinigte URL: [https://accounts.google.com/o/oauth2/auth?scope=OPENid+profile+email&state=eyJub25jZSI6ImNFemlmM2F0YWdDYyIsImNsaWVudCI6NywibmV4dCI6Ii8ifQ&redirect_uri=https%3A%2F%2Foauth-python-sample.g10f.de%2Foauth2%2Flogin%2F&response_type=code&client_id=1054794484004-cijvmo33q0ucevim6ip722smkjruf4rh.apps.googleusercontent.com#7047993740878138766].
The openid value is changed to OPENid?
Perhaps because "open" in the context of the browser opens a window?
I think it would be nice if NoScript did not warn if a request is completely aligned with the OpenID Connect specification, which is the most important authentication specification for the web.
With best regards
Gunnar
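An added example, not NoScript's code and not the poster's: it reproduces the parse-only check that the console log above suggests (the query fragment wrapped as a function body, which is an assumption drawn from the log; `new Function` only parses the text and never runs it), shows that the same scope value with percent-encoded spaces does not parse as JavaScript, and implements the allowlist the post asks for: a check that a URL carries the parameters OpenID Connect Core requires of an Authentication Request. The function names `parsesAsJavaScript`, `encodeScopeForUrl` and `isOidcAuthRequest` are chosen here; the sample URL is the one from the post.

```javascript
// Added example (not NoScript's code). Node.js or a modern browser; no dependencies.

// The Google authorization URL quoted in the post above.
const SAMPLE_URL =
  "https://accounts.google.com/o/oauth2/auth?scope=openid+profile+email" +
  "&state=eyJub25jZSI6InlWTGQ1cWpzWGdPRCIsImNsaWVudCI6NywibmV4dCI6Ii8ifQ" +
  "&redirect_uri=https%3A%2F%2Foauth-python-sample.g10f.de%2Foauth2%2Flogin%2F" +
  "&response_type=code" +
  "&client_id=1054794484004-cijvmo33q0ucevim6ip722smkjruf4rh.apps.googleusercontent.com";

// Assumption taken from the log in the post: the checker puts the raw query
// fragment into a function body and tests whether it is syntactically valid JS.
// `new Function` compiles but does not execute, so nothing in the fragment runs.
function parsesAsJavaScript(fragment) {
  const body = fragment + " /* COMMENT_TERMINATOR */\nDUMMY_EXPR";
  try {
    new Function(body); // parse only; the resulting function is discarded
    return true;
  } catch (e) {
    return false; // SyntaxError: the fragment is not JavaScript
  }
}

// Why the request in the post trips such a check: with spaces encoded as "+",
// `scope=openid+profile+email` reads as an assignment of the sum of three
// identifiers. Encoding the spaces as "%20" instead yields `openid%20profile`,
// where a digit run followed directly by letters is not a valid JS token.
function encodeScopeForUrl(scopes) {
  // encodeURIComponent uses %20 for spaces, never "+".
  return encodeURIComponent(scopes.join(" "));
}

// OpenID Connect Core 1.0, section 3.1.2.1 (the AuthRequest section linked in
// the post): scope (containing "openid"), response_type, client_id and
// redirect_uri are REQUIRED. The response_type values come from section 3
// (code, implicit and hybrid flows); "token" alone is OAuth 2.0, not OIDC.
const REQUIRED_PARAMS = ["scope", "response_type", "client_id", "redirect_uri"];
const OIDC_RESPONSE_TYPES = new Set([
  "code",
  "id_token",
  "id_token token",
  "code id_token",
  "code token",
  "code id_token token",
]);

// Returns true when the URL has the shape of an OIDC Authentication Request.
// A filter could consult this before applying generic injection heuristics.
function isOidcAuthRequest(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false;
  }
  const params = url.searchParams; // decodes both "+" and "%20" to a space
  if (!REQUIRED_PARAMS.every((name) => params.has(name))) return false;

  const scopes = params.get("scope").split(" ").filter(Boolean);
  if (!scopes.includes("openid")) return false;

  // redirect_uri must be an absolute URI.
  try {
    new URL(params.get("redirect_uri"));
  } catch (e) {
    return false;
  }

  // response_type is a space-separated, order-insensitive set of values.
  const responseType = params.get("response_type").split(" ").filter(Boolean).sort().join(" ");
  return OIDC_RESPONSE_TYPES.has(responseType);
}

// Stand-alone run: show both checks against the URL from the post.
console.log("scope fragment parses as JS:", parsesAsJavaScript("scope=openid+profile+email"));
console.log("percent-encoded fragment parses as JS:",
  parsesAsJavaScript("scope=" + encodeScopeForUrl(["openid", "profile", "email"])));
console.log("is OIDC auth request:", isOidcAuthRequest(SAMPLE_URL));
```

The allowlist is deliberately strict about the four required parameters and the `openid` scope, so an ordinary OAuth 2.0 request without `openid` is not matched; anything the allowlist does not recognize falls through to whatever heuristic the filter already applies.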