XSS Filter Messages
Moderator: trava90
Forum rules
This board is for technical/general usage questions and troubleshooting for the Pale Moon browser only.
Technical issues and questions not related to the Pale Moon browser should be posted in other boards!
Please keep off-topic and general discussion out of this board, thank you!
XSS Filter Messages
Dear All.
Does anyone know what is causing these XSS messages? I am getting on average 20 messages a day and it's very annoying, as clicking on the X in the yellow ribbon doesn't close the message; rather, I have to reload the page again.
This has only started after upgrading to Pale Moon 26.X.X.
I get these messages while surfing the following URLs, as these are always open in my browser.
http://www.stuff.co.nz/sport
http://www.sportsfan.com.au/
http://www.practicalmachinist.com/vb/cnc-machining/
http://www.news.com.au/
Re: XSS Filter Messages
See the last post and reply there: viewtopic.php?f=5&t=10817
Funny thing, I don't get those XSS messages on any of these sites, especially the first one after going to exact same location, even without an adblocker.
- Pale Moon guru
- Posts: 35650
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: XSS Filter Messages
Doubleclick and possibly some other ad networks will likely need to be added to the source whitelist in the future, depending on how their advertising framework works.
I don't know exactly why an advertisement would want to add an event listener in their loaded ads though, that sounds a little dodgy to me.
Please do post the browser console messages as outlined so we have all necessary information.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
- Knows the dark side
- Posts: 4279
- Joined: 2015-10-06, 16:59
- Location: Los Angeles CA USA
Re: XSS Filter Messages
I haven't as yet updated to 26.0.3 (still on 26.0.2) but after reading this I have some concerns.
POINTS:
1) I would not want to have to "whitelist" Doubleclick or, for that matter, any other "ad networks" in the form of a workaround (I currently block these types of sites via NoScript).
2) As pointed out above I use NoScript which already applies XSS filtering anyway (and I've found this to be not only complicated in the first place but adjustments in NoScript SSL filtering for some banks I need were necessary as it is).
QUESTIONS: So considering that 26.0.3 has changed the XSS filter configuration to address filter hits in a different manner:
1) Should I or more precisely DO I really want to go with this new update (considering that my NoScript add-on already has XSS filtering included anyway)?
2) Or would it be better to wait for another PM update?
I'm far from an expert on this stuff so I may be asking stupid questions.
EDIT: Never mind my questions above; after looking into it further, XSS filtering has been in place as of v26 anyway, and the current version is improving web compatibility and, more specifically, reconfiguring the XSS filter to address some of the known but harmless filter hits that have been reported. So it's a no-brainer to update!!!
Last edited by Pallid Planetoid on 2016-02-07, 02:46, edited 1 time in total.
Current Pale Moon(x86) Release | WIN10 | I5 CPU, 1.7 GHz, 6GB RAM, 500GB HD[20GB SSD]
Formerly user Pale Moon Rising - to provide context involving embedded reply threads.
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers
Knowing Pale Moon is indisputably #1 is defined by knowing the totality of browsers. - Pale Moon Rising
Re: XSS Filter Messages
I agree with Pale Moon Rising.
Including one of the big bad ad trackers in the whitelist isn't a good idea.
Doubleclick has distributed a lot of malware in its ads.
@Pale Moon Rising: You can, and it's recommended to always use the latest version of Pale Moon.
I have used NoScript since before I used Pale Moon and have never had any problems. Not even in the long beta testing with the XSS filter in Pale Moon.
- Knows the dark side
- Posts: 4279
- Joined: 2015-10-06, 16:59
- Location: Los Angeles CA USA
Re: XSS Filter Messages
Thanks for the info, dark_moon; good to know there's been no conflict between NoScript's XSS filtering and Pale Moon's XSS filtering, including going forward in beta.
I've taken the time to catch up: XSS filtering has been in use by PM since v26, and all the current version is intended to do is improve web compatibility with both cookies and XSS filtering, so all is good.... I have updated to the current Pale Moon.
Last edited by Pallid Planetoid on 2016-02-08, 01:53, edited 1 time in total.
Current Pale Moon(x86) Release | WIN10 | I5 CPU, 1.7 GHz, 6GB RAM, 500GB HD[20GB SSD]
Formerly user Pale Moon Rising - to provide context involving embedded reply threads.
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers
Knowing Pale Moon is indisputably #1 is defined by knowing the totality of browsers. - Pale Moon Rising
Re: XSS Filter Messages
Moonchild wrote: "I don't know exactly why an advertisement would want to add an event listener in their loaded ads though, that sounds a little dodgy to me."
I'm sure it is dodgy. NoScript's XSS filter has run into various ad networks before that assemble pages in messy ways. I guess it's not so surprising, when advertisers want to insert markup into the page, and webmasters are in need of funds, that they take shortcuts.
Whether the page really is vulnerable - that would depend on the specific page, but it's very possible.
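The posts above (Moonchild's note about ad networks and the source whitelist, and the last reply about ad networks assembling pages in messy ways) describe a filter hit without showing why a benign ad flow and a real injection look alike to a heuristic. The following is an added illustration written for this thread; it is not code from Pale Moon or NoScript and does not reproduce how either filter is implemented. It models the common reflected-XSS heuristic: on a cross-origin navigation, any request parameter whose decoded value reappears inside script-like parts of the response is reported. The "source allowlist" semantics (navigations initiated from an allowlisted origin are not checked at all) are an assumption made for the example, and the origins, parameter names and HTML are constructed sample data.

```javascript
// Added illustration, not Pale Moon's or NoScript's code. A minimal
// reflected-XSS heuristic of the kind browser-side filters use, plus an
// assumed "source allowlist" that exempts navigations initiated from a
// trusted origin. Shows why an ad network's click-tracking parameter,
// echoed into a landing page's inline script, triggers the same hit as an
// injected parameter would.

const MIN_PARAM_LENGTH = 6; // very short values match by chance; real filters use similar floors

// Decoded query parameters long enough to be worth checking.
function decodedParams(url) {
  const params = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (value.length >= MIN_PARAM_LENGTH) params.push({ name, value });
  }
  return params;
}

// The places where attacker-influenced text would execute: inline <script>
// bodies and inline on*="..." event-handler attributes (the "adding an event
// listener" case the thread mentions is exactly this kind of region).
function scriptLikeRegions(html) {
  const regions = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const handlerRe = /\son[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    regions.push({ kind: "inline-script", text: m[1] });
  }
  while ((m = handlerRe.exec(html)) !== null) {
    regions.push({ kind: "event-handler", text: m[1] ?? m[2] });
  }
  return regions;
}

// Evaluate one navigation. sourceOrigin is the origin of the document or
// frame that initiated it; url is the destination; html is the response.
function checkNavigation({ sourceOrigin, url, html }, allowlist = new Set()) {
  const destOrigin = new URL(url).origin;
  // Same-origin navigations cannot be cross-site script injection.
  if (sourceOrigin === destOrigin) {
    return { checked: false, reason: "same-origin", hits: [] };
  }
  // Assumed allowlist semantics: trusted initiators are not inspected.
  if (allowlist.has(sourceOrigin)) {
    return { checked: false, reason: "source allowlisted", hits: [] };
  }
  const regions = scriptLikeRegions(html);
  const hits = [];
  for (const { name, value } of decodedParams(url)) {
    for (const region of regions) {
      if (region.text.includes(value)) hits.push({ param: name, kind: region.kind });
    }
  }
  return { checked: true, reason: hits.length ? "reflected parameter" : "clean", hits };
}

// Constructed sample: an ad frame (hypothetical origin) sends the user to an
// advertiser landing page that echoes the campaign id into its own script and
// into an inline click handler. Benign, but indistinguishable from a
// reflection to the heuristic above.
const SAMPLE_AD_NAVIGATION = {
  sourceOrigin: "https://ads.example-network.test",
  url: "https://advertiser.test/landing?cid=campaign_42",
  html:
    '<html><body><script>trackArrival("campaign_42");</script>' +
    '<button onclick="go(\'campaign_42\')">Go</button></body></html>',
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("without allowlist:", JSON.stringify(checkNavigation(SAMPLE_AD_NAVIGATION)));
  console.log(
    "with ad network allowlisted:",
    JSON.stringify(checkNavigation(SAMPLE_AD_NAVIGATION, new Set([SAMPLE_AD_NAVIGATION.sourceOrigin])))
  );
}
```

Run with `node`: the first line reports two hits for `cid` (one in the inline script, one in the `onclick` handler), the second reports nothing because the navigation was never inspected. That is the trade-off the thread is arguing about: allowlisting the ad network's origin removes the nuisance hits, but every navigation that origin initiates then goes unchecked, which is why dark_moon objects to whitelisting a network with a history of malicious ads.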