Pale Moon XSS filter info thread

Moonchild
Pale Moon guru
Posts: 21192
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Pale Moon XSS filter info thread

Postby Moonchild » Tue, 26 Jan 2016, 01:17

Note: Pale Moon v27 no longer includes this filter due to issues porting it to the new platform code and the lack of availability of the original filter author to assist.

Pale Moon 26 debuts a new security feature: an active XSS (cross-site scripting) filter.

This thread is reserved for feedback given on the XSS filter only. Please keep your posts on-topic.
Please read this post fully before commenting on it. Your question/report may already have been addressed. Thank you!

What is this thing and how do I use it?

The XSS filter blocks pages from getting scripts and content inserted into them from external sources (injection). The focus lies mainly on preventing injection into vulnerable pages through specifically crafted URLs that users are tricked into clicking or using instead of normal URLs (e.g. through phishing e-mails, maliciously posted links, etc.), but injection may also result from using e.g. iframes to load content from different sites.
The filter works in the background while you surf, and should have no noticeable impact on browsing performance.

When the filter finds a potential XSS attack, it will block the content on the page it found to be unsafe and will present you with a warning in a yellow infobar at the top of the page:
[Image: xssfilter1.png]

On the right side of the bar you'll find some controls to respond to this warning:
[Image: xssfilter2.png]

  • View unsafe content: Clicking this button will pop up a small window showing you what the filter found as unsafe content. It's always recommended to check this before taking any further action.
  • Add Domain Exception: This button may or may not be present, depending on whether a domain is involved in the injection (e.g. external scripts, external objects). Clicking this button will add a permanent exception for the domain the unsafe content is loaded from, for all websites, so please make sure the domain is legitimate by inspecting the unsafe content first! After adding the exception, the page will automatically reload.
  • Close button (x): This simply dismisses the infobar and keeps blocked content blocked.

How do I configure this filter?

You can switch the filter off and on in Options:
[Image: xssfilter-option.png]

The filter has a number of preferences to control it, found in about:config:

  • security.xssfilter.enable: default true -- completely enables or disables the filter. Other options will have no effect if the filter is not enabled (obviously). This is the same as the option shown above.
  • security.xssfilter.blockDynamic: default true -- enables or disables applying the filter to DOM-inserted content (dynamic scripts). This is currently limited to controlling checking for external scripts only. Disabling this will prevent the filter from hitting some potentially benign iframe loads and similar, but also poses a greater risk of the filter not catching malicious injections into pages. It's strongly recommended to always keep this enabled and to use the whitelist (see below) instead.
  • security.xssfilter.displayWarning: default true -- enables or disables the display of the warning bar when a potential XSS attack has been found by the filter. If disabled, the offending content will be blocked but the user will not be presented with the warning. To see XSS filter messages in this case, you need to check the error console (listed as information) or the browser console.
  • security.xssfilter.blockMode: default false -- if enabled, the filter will completely prevent the page from loading, and will present a network error instead, explaining why the page wasn't displayed. This blocking mode can also be enabled by the server by sending the appropriate X-Xss-Protection header if they want to strictly enforce XSS filtering.
    Note that by default, the filter will only block the unsafe content found and will allow the page to load otherwise.
  • security.xssfilter.ignoreHeaders: default false -- if enabled, this will ignore X-Xss-Protection headers and always enforce the user's choice. This can be useful if you encounter too many false positives that are completely blocked by the server with their X-Xss-Protection header which would prevent you from viewing the page.
  • security.xssfilter.whitelist: this preference contains a comma-separated list (without whitespace) of domains that are trusted and whose content may always be loaded into other pages. In normal operation, entries to this list are added by using the "Add Domain Exception" button on the infobar.
    You can manually add or remove domains here, or completely clear the whitelist by resetting the preference, restoring the default setting of not allowing exceptions except for those preconfigured by us (based on user feedback when testing). Completely clearing the string and making it empty will refuse all exceptions, including from known trusted domains.
  • security.xssfilter.srcwhitelist: this preference contains a comma-separated list (without whitespace) of domains that are trusted to always load external content in a safe way but omit setting the proper X-Xss-Protection header to disable XSS filters. The difference with the normal whitelist is that this list controls the loading sites, not the loaded content.
  • security.xssfilter.reportOnly: default false -- if enabled, the filter will not actually block anything, but just report potential attacks. This is mainly useful for testing.

How is it different from, e.g., NoScript's XSS filter?

Being in the core of the browser, this filter has access to a number of APIs that extensions will never have available. As a result, it can do more than just inspect requests and block potentially malicious URLs. In this respect it is closer to Chrome's "XSS Auditor" than NoScript and companions in that it can actively compare requests and resulting pages.
Of note also is that the filter does not change requests to servers, which is a main problem for request-filtering protections as they can result in (sometimes severe) web site interaction problems by changing the request to the server. Instead, it filters the resulting page content, blocking unsafe (injected) parts of the page.

What sites have known issues with the filter?
(this will be updated over time as more details become available)

  • PayPal: The log-in page of PayPal will throw up an XSS warning. This is caused by a "pixel" image on that page which loads a JavaScript from an external site. PayPal has already been made aware of this issue but has so far proven unresponsive in doing anything about it. You can ignore this warning for now and keep the content blocked since it seems to be harmless to do so (and doesn't break logging in), but considering this is a financial institution, we did not want to whitelist the site and disable XSS protection on it; exactly on those kinds of sites it matters to have the filter!

Before you post a new issue, please:

  • Check if someone else has already reported it in this thread. Please prevent duplicate posts, which make keeping things organized harder. Duplicate reports may be removed by moderators.
  • Check if the issue found is specific to this XSS filter feature! If the problem can be reproduced without the filter active, then your report does not belong in this thread.

If you want to discuss specific issues found, you can also do that in this thread, but please make your posts count. Take your time to write more than a single sentence (or 2) and kindly keep "me too" posts out of this thread. Thanks in advance.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"The wisest men follow their own direction." - Euripedes
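
As an added illustration (a model written from the description in the post above, not Pale Moon's own filter code), the following combines the security.xssfilter.* preferences with a server's X-Xss-Protection header into the action taken for one filter hit; the precedence between settings is assumed where the post does not state it:

```python
# Added example: a model of the behaviour the post above describes, not
# Pale Moon's own filter code. It shows how the about:config preferences
# and a server's X-Xss-Protection header combine into one action for a
# filter hit. Where the post does not state precedence between settings,
# the order below is an assumption.
from dataclasses import dataclass


@dataclass
class XssPrefs:
    """The security.xssfilter.* preferences with the defaults from the post."""
    enable: bool = True
    blockDynamic: bool = True
    blockMode: bool = False
    ignoreHeaders: bool = False
    reportOnly: bool = False
    whitelist: str = ""     # comma-separated domains, no whitespace
    srcwhitelist: str = ""  # same format; trusted loading sites
    # displayWarning only decides whether the infobar is shown; it is left out.


def parse_list(pref):
    """Split a comma-separated preference value into a set of domains."""
    return {d for d in pref.split(",") if d}


def parse_xss_protection(header):
    """Return (filter_on, block_page) for an X-Xss-Protection value, or None."""
    if header is None:
        return None
    parts = [p.strip().lower() for p in header.split(";")]
    if parts[0] == "0":
        return (False, False)
    if parts[0] == "1":
        return (True, "mode=block" in parts[1:])
    return None  # unparseable: treat as absent


def decide(prefs, loading_site, content_domain, dynamic=False, header=None):
    """Action for one hit: 'allow', 'report', 'block-content' or 'block-page'."""
    if not prefs.enable:
        return "allow"
    if dynamic and not prefs.blockDynamic:
        return "allow"  # DOM-inserted external script with dynamic checks off
    if content_domain in parse_list(prefs.whitelist):
        return "allow"  # the loaded content's domain is trusted everywhere
    if loading_site in parse_list(prefs.srcwhitelist):
        return "allow"  # the loading site is trusted to embed safely
    block_page = prefs.blockMode
    if not prefs.ignoreHeaders:
        parsed = parse_xss_protection(header)
        if parsed is not None:
            filter_on, server_block = parsed
            if not filter_on:
                return "allow"  # server opted out with X-Xss-Protection: 0
            block_page = block_page or server_block
    if prefs.reportOnly:
        return "report"
    return "block-page" if block_page else "block-content"
```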

Aelius81
Hobby Astronomer
Posts: 28
Joined: Fri, 14 Nov 2014, 03:15
Location: Canada

Re: Pale Moon XSS filter info thread

Postby Aelius81 » Wed, 27 Jan 2016, 00:13

I understand this does more than NoScript's XSS feature, but does that mean that I can (or should) disable NoScript's XSS feature entirely?

Re: Pale Moon XSS filter info thread

Postby Moonchild » Wed, 27 Jan 2016, 12:04

Aelius81 wrote: I understand this does more than NoScript's XSS feature, but does that mean that I can (or should) disable NoScript's XSS feature entirely?

You probably should only use one or the other (your choice which). They don't necessarily directly interfere with each other, so leaving both on isn't a disaster, but you may get more false positives or see some website issues.

Thrawn

Re: Pale Moon XSS filter info thread

Postby Thrawn » Thu, 28 Jan 2016, 01:34

Aelius81 wrote: I understand this does more than NoScript's XSS feature, but does that mean that I can (or should) disable NoScript's XSS feature entirely?

Each filter can theoretically catch things that the other will miss, because they operate differently. However, in practice, the built-in filter should have a much lower rate of false positives, with comparable overall sensitivity, while being slightly slower than NoScript.

Re: Pale Moon XSS filter info thread

Postby Moonchild » Sat, 30 Jan 2016, 00:36

Thrawn wrote: while being slightly slower than NoScript.

What do you base this on? Practical tests performed by the XSSFilt author showed absolutely negligible impact on speed.

threelakeys

Re: Pale Moon XSS filter info thread

Postby threelakeys » Sun, 31 Jan 2016, 19:32

Getting the filter popup for eBay,
also Outlook emails.

LimboSlam
Board Warrior
Posts: 1016
Joined: Mon, 09 Jun 2014, 04:43
Location: USA

Re: Pale Moon XSS filter info thread

Postby LimboSlam » Sun, 31 Jan 2016, 22:34

Confirmed for Outlook, not for eBay as I don't have an account.

This is what I get for Outlook:

External Script

https://fd.rad.msn.com/v3/delivery/DisplayFD?GetSAd=&rafb=2&jsontype=callback&DACSPNID=adbar&jsonp=GETADR&PG=OVT2USEN&PN=MSFT&ID=48AA241F4F29C76FBB69A7EEFFFFFFFF&mkt=en-us&VWS=1&sdkv=3.7&WLV=Read&_=1454279616462

EDIT: Yup, it seems to be a malware attack as uBlock Origin just blocked it.
With Pale Moon by my side, surfing the web is quite enjoyable and takes my headaches away! :)
God is not punishing you, He is preparing you. Trust His plan, not your pain.#‎TrentShelton #‎RehabTime

megaman
Moon Magic practitioner
Posts: 2874
Joined: Tue, 30 Aug 2011, 16:40
Location: H-town

Re: Pale Moon XSS filter info thread

Postby megaman » Sun, 31 Jan 2016, 23:11

LimboSlam wrote: Confirmed for Outlook, not for eBay as I don't have an account.

Right, I reported the Outlook one 17 days ago, but the prompt probably still does the same, it appears and disappears really fast.
Curiosity leads to a world of experiments.

Thrawn

Re: Pale Moon XSS filter info thread

Postby Thrawn » Mon, 01 Feb 2016, 00:04

Moonchild wrote:
Thrawn wrote: while being slightly slower than NoScript.

What do you base this on? Practical tests performed by the XSSFilt author showed absolutely negligible impact on speed.

I base it on the author's own research paper:
NoScript overhead is trivially low, since it only examines one URL per request, unlike XSSFilt and XSSAuditor which have to perform checks for each script contained in the page.
...
[XSSFilt] yields an average overhead of 0.5%, which shows that the overhead is almost negligible when factoring in network latency.

I agree that the overhead of XSSFilt is very small, and should be quite acceptable in practice. I pointed it out mostly in order to explain what tradeoff is being made in order to achieve less false positives with comparable sensitivity.

graveheart

Re: Pale Moon XSS filter info thread

Postby graveheart » Tue, 02 Feb 2016, 16:25

The XSS filter is catching these two so far:

XSS on eBay login:

https://www.paypalobjects.com/webstatic ... .pp.min.js

XSS on PayPal login:

https://www.paypalobjects.com/webstatic ... .pp.min.js

Re: Pale Moon XSS filter info thread

Postby Moonchild » Tue, 02 Feb 2016, 16:33

graveheart wrote: The XSS filter is catching these two so far:

Um.. see the original post of this thread?
Paypalobjects using a script pretending to be an image "pixel" (and apparently having this planted in eBay as well) is a known issue. It seems they are not willing to do anything about this bad practice and it is a correct hit on the filter for how such a filter works.
If you want to explicitly trust "paypalobjects.com" simply add a domain exception. I don't want to do that by default in the browser because, as stated, this is a financial site where this kind of thing should be in order. I'll add this as a preconfigured exception because it seems everything on paypalobjects.com is properly XSS-hardened, and if you find something that isn't, they have a bounty program that will get you a good chunk of money if you report it to them ;)
It can be assumed all content there is safe to be loaded even if correctly hitting the XSS "unwanted behavior" in the filter; if not, it's on them (I went through the proper procedure with them to address this and got the cold shoulder - I guess their js "pixels" are more important).

Re: Pale Moon XSS filter info thread

Postby Moonchild » Thu, 04 Feb 2016, 19:16

As part of the slated 26.0.3 release needed to fix our cookie gate to allow some "grey area" cookies, I'll also be preconfiguring the XSS filter with a few more domains that should fix:
  • Sites that embed PayPal objects (paypal.com, ebay.com, etc.)
  • The strange "double-jump" embedding employed by some Microsoft services and websites (which occurs on e.g. outlook.com/live.com)

Note: if you want to report specific XSS filter hits, the easiest (and most complete for us) way to do this is to open the browser console (Ctrl+Shift+J) and copy/paste the entry there that lists the XSS filter violation. Please paste all info listed in such a block (URL, type, unsafe content, etc.)

Deyeno

Re: Pale Moon XSS filter info thread

Postby Deyeno » Sun, 07 Feb 2016, 10:09

As per a previous request, attached is the browser console output from when I was getting XSS Filter attack messages.

[Attachment: XSS Filter.txt (82.8 KiB)]

Hope this helps.

Cheers ....

Re: Pale Moon XSS filter info thread

Postby Moonchild » Sun, 07 Feb 2016, 11:05

It helps, but please, for the future, only list the entries that start with "XSS violation at URL:"

e.g. from this 80KB file, only the following entry is relevant:

Code:

[16:59:29.249] XSS violation at URL: https://cas.jp.as.criteo.com/delivery/r/afr.php?did=56b7157d5895c4bcbed42debae044bb0&z=VrcVfgACFR8KjxMHAARZgd-DMyvtEZ3G26w1IA&u=%7C4aWt%2BHUeyIegq8tEWQ22q7uOyOtZ7bJ%2BWHFQsvS8YzA%3D%7C&c1=Joq_XkTRkfTyUKe9OsEX3Qr3LMmnXzS74QFt1Hcy523AFI_Z_q7Cb1l6mcYVLGpcVyJ6scW0j4oJ0ljqBzk6Edq1MrbYLZkvJ-GcEwq-VPDWo0kqFCltrgSlFD01q8d80cA5vAM-unyHYNPHdgCEkVcgk0MP0pNmfIxUL7PVCN6UNbdAmxSZo9_ANyVJUoJte-KMPhmgFus&ct0=https://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DCvZ02fhW3Vp-qCIemvASBs5Fw2JXNvwTwr8S-fcCNtwEQASAAYOmCgIDkDYIBF2NhLXB1Yi05MTcyNzAwNTg3MTc1MzMyyAEJqAMBqgR2T9DlWHhmkkGdezg8nklG1-NvSK-z8vGquT-0pj717nn7LnsmytMOlMwWhnJuWzA8hERl1jEMMkUx2yRDRhNWjXf-X32_zU23vPDfZqzinQErYVy9U0gtSeMtNLJEA1QeeshFHe7o9PFDto5mT2zQZXBszopGtIAG6YLzx8WjvqDdAaAGIdgHAA%26num%3D1%26sig%3DAOD64_2jn3y70HPoQdElUsNsqsuFz3gt5Q%26client%3Dca-pub-9172700587175332%26adurl%3D
Type: Event Listener
Unsafe content: frames['ifc827818654'].location.href='https://adclick.g.doubleclick.net/aclk?sa=L&ai=CvZ02fhW3Vp-qCIemvASBs5Fw2JXNvwTwr8S-fcCNtwEQASAAYOmCgIDkDYIBF2NhLXB1Yi05MTcyNzAwNTg3MTc1MzMyyAEJqAMBqgR2T9DlWHhmkkGdezg8nklG1-NvSK-z8vGquT-0pj717nn7LnsmytMOlMwWhnJuWzA8hERl1jEMMkUx2yRDRhNWjXf-X32_zU23vPDfZqzinQErYVy9U0gtSeMtNLJEA1QeeshFHe7o9PFDto5mT2zQZXBszopGtIAG6YLzx8WjvqDdAaAGIdgHAA&num=1&sig=AOD64_2jn3y70HPoQdElUsNsqsuFz3gt5Q&client=ca-pub-9172700587175332&adurl=https://static.criteo.net/empty.html'

dark_moon

Re: Pale Moon XSS filter info thread

Postby dark_moon » Fri, 12 Feb 2016, 23:43

Today I used the Microsoft Bing translator (http://www.bing.com/translator?FORM=HDRSC7) and for any site, even http://www.palemoon.org, I get an XSS info.
Directlink: http://www.microsofttranslator.com/bv.a ... oon.org%2F

Is this really an XSS match?

Re: Pale Moon XSS filter info thread

Postby Moonchild » Sat, 13 Feb 2016, 01:34

Note: if you want to report specific XSS filter hits, the easiest (and most complete for us) way to do this is to open the browser console (Ctrl+Shift+J) and copy/paste the entry there that lists the XSS filter violation. Please paste all info listed in such a block (URL, type, unsafe content, etc.)

Re: Pale Moon XSS filter info thread

Postby Moonchild » Sat, 13 Feb 2016, 01:51

Microsoft Translator loads a modified version of the site you translated that includes an injected base tag and an injected JavaScript section before the actual page content. This looks fine in this case, but considering the URL used to load the frame is directly echoed in the resulting loaded document, it is a positive match for the XSS filter.

This likely falls into the same category as googleusercontent -- I've sent the Microsoft team a note that they are forgetting to set their X-Xss-Protection: header on the translator. Since they use a cluster of raw IPs, there's no way to whitelist the involved domains.
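
The check described in the post above (request URL echoed into the loaded document), as an added example written for this thread and not Pale Moon's XSSFilt code; it models the comparison of the request with the resulting page's script and base elements, and the translator-style sample page is constructed:

```python
# Added example, not Pale Moon's XSSFilt code: a minimal model of the check
# described above. The filter compares the request URL with the resulting
# document; when a <script> body, an external script src or a <base href>
# reproduces a value that arrived in the URL, that content is reflected from
# the request and gets flagged. All sample input below is constructed.
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote_plus, urlsplit

MIN_LEN = 8  # assumed threshold: ignore short values like "en" that match by chance


def url_values(url):
    """Decoded query and fragment values of the request URL."""
    parts = urlsplit(url)
    vals = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if parts.fragment:
        vals.append(unquote_plus(parts.fragment))
    return [v for v in vals if len(v) >= MIN_LEN]


class _Collector(HTMLParser):
    """Collect the page parts the filter inspects, as (type, content) pairs."""

    def __init__(self):
        super().__init__()
        self.items, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.items.append(("External Script", a["src"]))
        elif tag == "base" and a.get("href"):
            self.items.append(("Base Element", a["href"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.items.append(("Inline Script", data.strip()))


def _norm(s):
    """Case- and whitespace-insensitive form, so trivial re-spacing does not hide a match."""
    return "".join(s.split()).lower()


def find_reflections(request_url, html):
    """Return the (type, content) pairs whose content echoes a request URL value."""
    collector = _Collector()
    collector.feed(html)
    vals = [_norm(v) for v in url_values(request_url)]
    return [(kind, content) for kind, content in collector.items
            if any(v in _norm(content) or _norm(content) in v for v in vals)]


def console_report(request_url, hits):
    """Lines in the shape of the browser-console entry quoted earlier in the thread."""
    out = []
    for kind, content in hits:
        out += [f"XSS violation at URL: {request_url}", f"Type: {kind}",
                f"Unsafe content: {content}"]
    return out


# Constructed sample: a translator-style proxy page that echoes the translated
# site's URL into a <base> tag and an inline script (compare the post above).
SAMPLE_URL = "https://translator.example/bv.aspx?from=en&to=de&a=https%3A%2F%2Fwww.palemoon.org%2F"
SAMPLE_PAGE = """<html><head><base href="https://www.palemoon.org/">
<script>var origin = "https://www.palemoon.org/";</script>
<script src="https://cdn.example/translate.js"></script></head><body>...</body></html>"""
```

Running find_reflections on the sample flags the base element and the inline script but not the unrelated external script, which is the same "correct hit" the post describes for a proxy that echoes its input URL.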

jrfnl

Re: Pale Moon XSS filter info thread

Postby jrfnl » Wed, 17 Feb 2016, 00:37

Hi,

Could someone explain to me why the following code triggers the XSS / Base Element filter? I've been trying to figure it out, but so far no luck. Could this be a false positive?

Code:

<a aria-label="Follow &#34;jrfnl on GitHub" data-style="mega" href="https://github.com/jrfnl" class="github-button">Follow @jrfnl</a>

yetanother1

Re: Pale Moon XSS filter info thread

Postby yetanother1 » Fri, 19 Feb 2016, 15:54

I am consistently getting false positives when I attempt to make a Visa or Mastercard purchase on the UK site www.screwfix.com, which is a large UK trade/DIY company. I cannot send detailed information yet as I only just discovered this forum and obviously can only test it when I attempt a purchase. The site attempts to open Flash and probably some JavaScript on the authentication page. I only use this site occasionally and have not yet had problems with cards on other UK sites, but it is early days.
I would like to see an option directly on the XSS warning that allows me to temporarily ignore and retry.

RobRoy1947
Newbie
Posts: 6
Joined: Tue, 20 May 2014, 22:39
Location: Republic of Texas

Re: Pale Moon XSS filter info thread

Postby RobRoy1947 » Sat, 20 Feb 2016, 17:44

I am consistently getting 95% false positives on the Ixquick search engine using image searches. I've been using the Ixquick search engine exclusively for 16 years without XSS or any other issues. I have disabled the XSS filter.

Rob