Pale Moon XSS filter info thread

Moonchild
Pale Moon guru
Posts: 18011
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Pale Moon XSS filter info thread

Postby Moonchild » Tue Jan 26, 2016 1:17 am

Note: Pale Moon v27 no longer includes this filter due to issues porting it to the new platform code and the lack of availability of the original filter author to assist.

Pale Moon 26 debuts a new security feature: an active XSS (cross-site scripting) filter.

This thread is reserved for feedback given on the XSS filter only. Please keep your posts on-topic.
Please read this post fully before commenting on it. Your question/report may already have been addressed. Thank you!

What is this thing and how do I use it?

The XSS filter blocks pages from getting scripts and content inserted into them from external sources (injection). The focus lies mainly on preventing injection into vulnerable pages through specifically crafted URLs that users are tricked into clicking or using instead of normal URLs (e.g. through phishing e-mails, malicious posted links, etc.), but injection may also result from using e.g. iframes to load content from different sites.
The filter works in the background while you surf, and should have no noticeable impact on browsing performance.

When the filter finds a potential XSS attack, it will block the content on the page it found to be unsafe and will present you with a warning in a yellow infobar at the top of the page:
xssfilter1.png
On the right side of the bar you'll find some controls to respond to this warning:
xssfilter2.png
  • View unsafe content: Clicking this button will pop up a small window showing you what the filter found as unsafe content. It's always recommended to check this before taking any further action.
  • Add Domain Exception: This button may or may not be present, depending on if a domain is involved in the injection (e.g. external scripts, external objects). Clicking this button will add a permanent exception to the domain the unsafe content is loaded from for all websites, so please make sure the domain is legitimate by inspecting the unsafe content first! After adding the exception, the page will automatically reload.
  • Close button (x): This simply dismisses the infobar and keeps blocked content blocked.

How do I configure this filter?

You can switch the filter off and on in Options:
xssfilter-option.png

The filter has a number of preferences to control it, found in about:config:

  • security.xssfilter.enable: default true -- completely enables or disables the filter. Other options will have no effect if the filter is not enabled (obviously). This is the same as the option shown above.
  • security.xssfilter.blockDynamic: default true -- enables or disables applying the filter to DOM-inserted content (dynamic scripts). This is currently limited to controlling checking for external scripts only. Disabling this will prevent the filter from hitting some potentially benign iframe loads and similar, but also poses a greater risk of the filter not catching malicious injections into pages. It's strongly recommended to always keep this enabled and to use the whitelist (see below) instead.
  • security.xssfilter.displayWarning: default true -- enables or disables the display of the warning bar when a potential XSS attack has been found by the filter. If disabled, the offending content will be blocked but the user will not be presented with the warning. To see XSS filter messages in this case, you need to check the error console (listed as information) or the browser console.
  • security.xssfilter.blockMode: default false -- if enabled, the filter will completely prevent the page from loading, and will present a network error instead, explaining why the page wasn't displayed. This blocking mode can also be enabled by the server by sending the appropriate X-Xss-Protection header if they want to strictly enforce XSS filtering.
    Note that by default, the filter will only block the unsafe content found and will allow the page to load otherwise.
  • security.xssfilter.ignoreHeaders: default false -- if enabled, this will ignore X-Xss-Protection headers and always enforce the user's choice. This can be useful if you encounter too many false positives that are completely blocked by the server with their X-Xss-Protection header which would prevent you from viewing the page.
  • security.xssfilter.whitelist: this preference contains a comma-separated list (without whitespace) of domains that are trusted and whose content may always be loaded into other pages. In normal operation, entries to this list are added by using the "Add Domain Exception" button on the infobar.
    You can manually add or remove domains here, or completely clear the whitelist by resetting the preference, restoring the default setting of not allowing exceptions except for those preconfigured by us (based on user feedback when testing). Completely clearing the string and making it empty will refuse all exceptions, including from known trusted domains.
  • security.xssfilter.srcwhitelist: this preference contains a comma-separated list (without whitespace) of domains that are trusted to always load external content in a safe way but omit setting the proper X-Xss-Protection header to disable XSS filters. The difference with the normal whitelist is that this list controls the loading sites, not the loaded content.
  • security.xssfilter.reportOnly: default false -- if enabled, the filter will not actually block anything, but just report potential attacks. This is mainly useful for testing.

How is it different from, e.g., NoScript's XSS filter?

Being in the core of the browser, this filter has access to a number of APIs that extensions will never have available. As a result, it can do more than just inspect requests and block potentially malicious URLs. In this respect it is closer to Chrome's "XSS Auditor" than NoScript and companions in that it can actively compare requests and resulting pages.
Of note also is that the filter does not change requests to servers, which is a main problem for request-filtering protections as they can result in (sometimes severe) web site interaction problems by changing the request to the server. Instead, it filters the resulting page content, blocking unsafe (injected) parts of the page.

What sites have known issues with the filter?
(this will be updated over time as more details become available)

  • PayPal: The log-in page of PayPal will throw up an XSS warning. This is caused by a "pixel" image on that page which loads a JavaScript from an external site. PayPal has already been made aware of this issue but so far proven unresponsive to do anything about it. You can ignore this warning for now and keep the content blocked since it seems to be harmless to do so (and doesn't break logging in), but considering this is a financial institution, we did not want to whitelist the site and disable XSS protection on it; exactly on those kinds of sites it matters to have the filter!
Before you post a new issue, please:

  • Check if someone else has already reported it in this thread. Please prevent duplicate posts, which make keeping things organized harder. Duplicate reports may be removed by moderators.
  • Check if the issue found is specific to this XSS filter feature! If the problem can be reproduced without the filter active, then your report does not belong in this thread.

If you want to discuss specific issues found, you can also do that in this thread, but please make your posts count. Take your time to write more than a single sentence (or 2) and kindly keep "me too" posts out of this thread. Thanks in advance.
Programmer - an organism that turns coffee into software.
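Added illustration (not Pale Moon's own code): a Python model of how the preferences listed in the opening post and a server's X-Xss-Protection header combine into one outcome, using the standard header values "0" and "1; mode=block". The order in which the checks are applied is an assumption drawn from the preference descriptions above.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class XssPrefs:
    """The about:config preferences from the post, with their stated defaults."""
    enable: bool = True           # security.xssfilter.enable
    block_dynamic: bool = True    # security.xssfilter.blockDynamic
    block_mode: bool = False      # security.xssfilter.blockMode
    ignore_headers: bool = False  # security.xssfilter.ignoreHeaders
    report_only: bool = False     # security.xssfilter.reportOnly
    whitelist: str = ""           # security.xssfilter.whitelist (loaded content's domains)
    srcwhitelist: str = ""        # security.xssfilter.srcwhitelist (loading page's domains)


def parse_domain_list(pref_value: str) -> Set[str]:
    """Split a comma-separated, whitespace-free preference value into lower-case hosts."""
    return {d.lower() for d in pref_value.split(",") if d}


def parse_xss_protection(header: Optional[str]) -> Dict[str, bool]:
    """Interpret an X-Xss-Protection header: '0' opts out, '1; mode=block' asks for block mode."""
    if header is None:
        return {"present": False, "enabled": True, "block": False}
    token, _, rest = header.partition(";")
    enabled = token.strip() != "0"
    block = "mode=block" in rest.replace(" ", "").lower()
    return {"present": True, "enabled": enabled, "block": block}


def decide(prefs: XssPrefs, page_host: str, content_host: Optional[str],
           header: Optional[str], dynamic: bool = False) -> str:
    """Outcome for one suspected injection of content from content_host into page_host.

    'allow'         - not filtered
    'report'        - logged only (reportOnly)
    'block-content' - the injected part is blocked, the page still loads (default)
    'block-page'    - a network error page replaces the document (blockMode or header)
    The check order below is this example's assumption, not a documented guarantee.
    """
    if not prefs.enable:
        return "allow"
    # srcwhitelist trusts the *loading* site to embed external content safely.
    if page_host.lower() in parse_domain_list(prefs.srcwhitelist):
        return "allow"
    # whitelist trusts the *loaded* content's domain on every page ("Add Domain Exception").
    if content_host and content_host.lower() in parse_domain_list(prefs.whitelist):
        return "allow"
    # DOM-inserted external scripts are only checked while blockDynamic is on.
    if dynamic and content_host and not prefs.block_dynamic:
        return "allow"
    # ignoreHeaders makes the user's choice win over whatever the server sent.
    hdr = parse_xss_protection(None if prefs.ignore_headers else header)
    if not hdr["enabled"]:
        return "allow"
    if prefs.report_only:
        return "report"
    if prefs.block_mode or hdr["block"]:
        return "block-page"
    return "block-content"
```

The host names passed to decide() are whatever you want to test; the whitelist strings follow the "comma-separated, no whitespace" format the post specifies.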

Aelius81
Hobby Astronomer
Posts: 28
Joined: Fri Nov 14, 2014 3:15 am
Location: Canada

Re: Pale Moon XSS filter info thread

Postby Aelius81 » Wed Jan 27, 2016 12:13 am

I understand this does more than NoScript's XSS feature, but does that mean that I can (or should) disable NoScript's XSS feature entirely?

Moonchild
Pale Moon guru
Posts: 18011
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Re: Pale Moon XSS filter info thread

Postby Moonchild » Wed Jan 27, 2016 12:04 pm

Aelius81 wrote: I understand this does more than NoScript's XSS feature, but does that mean that I can (or should) disable NoScript's XSS feature entirely?

You probably should only use one or the other (your choice which). They don't necessarily directly interfere with each other, so leaving both on isn't a disaster, but you may get more false positives or see some website issues.

Thrawn

Re: Pale Moon XSS filter info thread

Postby Thrawn » Thu Jan 28, 2016 1:34 am

Aelius81 wrote: I understand this does more than NoScript's XSS feature, but does that mean that I can (or should) disable NoScript's XSS feature entirely?

Each filter can theoretically catch things that the other will miss, because they operate differently. However, in practice, the built-in filter should have a much lower rate of false positives, with comparable overall sensitivity, while being slightly slower than NoScript.

Moonchild
Pale Moon guru
Posts: 18011
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Re: Pale Moon XSS filter info thread

Postby Moonchild » Sat Jan 30, 2016 12:36 am

Thrawn wrote: while being slightly slower than NoScript.

What do you base this on? Practical tests performed by the XSSFilt author showed absolutely negligible impact on speed.

threelakeys
New to the forum
Posts: 1
Joined: Sun Jan 31, 2016 7:25 pm

Re: Pale Moon XSS filter info thread

Postby threelakeys » Sun Jan 31, 2016 7:32 pm

Getting filter popup for eBay,
also Outlook emails.

LimboSlam
Astronaut
Posts: 923
Joined: Mon Jun 09, 2014 4:43 am
Location: USA

Re: Pale Moon XSS filter info thread

Postby LimboSlam » Sun Jan 31, 2016 10:34 pm

Confirmed for Outlook, not for Ebay as I don't have an account.

This is what I get for Outlook:

External Script

https://fd.rad.msn.com/v3/delivery/DisplayFD?GetSAd=&rafb=2&jsontype=callback&DACSPNID=adbar&jsonp=GETADR&PG=OVT2USEN&PN=MSFT&ID=48AA241F4F29C76FBB69A7EEFFFFFFFF&mkt=en-us&VWS=1&sdkv=3.7&WLV=Read&_=1454279616462

EDIT: Yup, it seems to be a malware attack as uBlock Origin just blocked it.
With Pale Moon by my side, surfing the web is quite enjoyable and takes my headaches away! :)
God is not punishing you, He is preparing you. Trust His plan, not your pain.#‎TrentShelton #‎RehabTime

megaman
Knows the dark side
Posts: 2769
Joined: Tue Aug 30, 2011 4:40 pm
Location: H-town

Re: Pale Moon XSS filter info thread

Postby megaman » Sun Jan 31, 2016 11:11 pm

LimboSlam wrote: Confirmed for Outlook, not for Ebay as I don't have an account.

Right, I reported the Outlook one 17 days ago, but the prompt probably still does the same, it appears and disappears really fast.
Curiosity leads to a world of experiments.

Thrawn

Re: Pale Moon XSS filter info thread

Postby Thrawn » Mon Feb 01, 2016 12:04 am

Moonchild wrote:
Thrawn wrote: while being slightly slower than NoScript.

What do you base this on? Practical tests performed by the XSSFilt author showed absolutely negligible impact on speed.

I base it on the author's own research paper:
NoScript overhead is trivially low, since it only examines one URL per request, unlike XSSFilt and XSSAuditor which have to perform checks for each script contained in the page.
...
[XSSFilt] yields an average overhead of 0.5%, which shows that the overhead is almost negligible when factoring in network latency.

I agree that the overhead of XSSFilt is very small, and should be quite acceptable in practice. I pointed it out mostly in order to explain what tradeoff is being made in order to achieve less false positives with comparable sensitivity.

graveheart
New to the forum
Posts: 1
Joined: Tue Feb 02, 2016 4:19 pm

Re: Pale Moon XSS filter info thread

Postby graveheart » Tue Feb 02, 2016 4:25 pm

The XSS filter is catching these two so far:

XSS on ebay login:

https://www.paypalobjects.com/webstatic ... .pp.min.js

XSS on paypal login:

https://www.paypalobjects.com/webstatic ... .pp.min.js

Moonchild
Pale Moon guru
Posts: 18011
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Re: Pale Moon XSS filter info thread

Postby Moonchild » Tue Feb 02, 2016 4:33 pm

graveheart wrote: The XSS filter is catching these two so far:

Um.. see the original post of this thread?
Paypalobjects using a script pretending to be an image "pixel" (and apparently having this planted in eBay as well) is a known issue. It seems they are not willing to do anything about this bad practice and it is a correct hit on the filter for how such a filter works.
If you want to explicitly trust "paypalobjects.com" simply add a domain exception. I don't want to do that by default in the browser because, as stated, this is a financial site where this kind of thing should be in order. I'll add this as a preconfigured exception because it seems everything on paypalobjects.com is properly XSS-hardened, and if you find something that isn't, they have a bounty program that will get you a good chunk of money if you report it to them ;)
It can be assumed all content there is safe to be loaded even if correctly hitting the XSS "unwanted behavior" in the filter; if not, it's on them (I went through the proper procedure with them to address this and got the cold shoulder - I guess their js "pixels" are more important).

Moonchild
Pale Moon guru
Posts: 18011
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Re: Pale Moon XSS filter info thread

Postby Moonchild » Thu Feb 04, 2016 7:16 pm

As part of the slated 26.0.3 release needed to fix our cookie gate to allow some "grey area" cookies, I'll also be preconfiguring the XSS filter with a few more domains that should fix:
  • Sites that embed PayPal objects (paypal.com, ebay.com, etc.)
  • The strange "double-jump" embedding employed by some Microsoft services and websites (which occurs on e.g. outlook.com/live.com)

Note: if you want to report specific XSS filter hits, the easiest (and most complete for us) way to do this is to open the browser console (Ctrl+Shift+J) and copy/paste the entry there that lists the XSS filter violation. Please paste all info listed in such a block (URL, type, unsafe content, etc.)

Deyeno
Moongazer
Posts: 9
Joined: Sun Feb 02, 2014 5:00 am
Location: Jakarta

Re: Pale Moon XSS filter info thread

Postby Deyeno » Sun Feb 07, 2016 10:09 am

As per a previous request attached is the browser console when I was getting XSS Filter attack messages.

XSS Filter.txt
Hope this helps.
Cheers ....

Moonchild
Pale Moon guru
Posts: 18011
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Re: Pale Moon XSS filter info thread

Postby Moonchild » Sun Feb 07, 2016 11:05 am

It helps, but please, for the future, only list the entries that start with "XSS violation at URL:"

e.g. from this 80KB file, only the following entry is relevant:

Code:

[16:59:29.249] XSS violation at URL: https://cas.jp.as.criteo.com/delivery/r/afr.php?did=56b7157d5895c4bcbed42debae044bb0&z=VrcVfgACFR8KjxMHAARZgd-DMyvtEZ3G26w1IA&u=%7C4aWt%2BHUeyIegq8tEWQ22q7uOyOtZ7bJ%2BWHFQsvS8YzA%3D%7C&c1=Joq_XkTRkfTyUKe9OsEX3Qr3LMmnXzS74QFt1Hcy523AFI_Z_q7Cb1l6mcYVLGpcVyJ6scW0j4oJ0ljqBzk6Edq1MrbYLZkvJ-GcEwq-VPDWo0kqFCltrgSlFD01q8d80cA5vAM-unyHYNPHdgCEkVcgk0MP0pNmfIxUL7PVCN6UNbdAmxSZo9_ANyVJUoJte-KMPhmgFus&ct0=https://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DCvZ02fhW3Vp-qCIemvASBs5Fw2JXNvwTwr8S-fcCNtwEQASAAYOmCgIDkDYIBF2NhLXB1Yi05MTcyNzAwNTg3MTc1MzMyyAEJqAMBqgR2T9DlWHhmkkGdezg8nklG1-NvSK-z8vGquT-0pj717nn7LnsmytMOlMwWhnJuWzA8hERl1jEMMkUx2yRDRhNWjXf-X32_zU23vPDfZqzinQErYVy9U0gtSeMtNLJEA1QeeshFHe7o9PFDto5mT2zQZXBszopGtIAG6YLzx8WjvqDdAaAGIdgHAA%26num%3D1%26sig%3DAOD64_2jn3y70HPoQdElUsNsqsuFz3gt5Q%26client%3Dca-pub-9172700587175332%26adurl%3D
Type: Event Listener
Unsafe content: frames['ifc827818654'].location.href='https://adclick.g.doubleclick.net/aclk?sa=L&ai=CvZ02fhW3Vp-qCIemvASBs5Fw2JXNvwTwr8S-fcCNtwEQASAAYOmCgIDkDYIBF2NhLXB1Yi05MTcyNzAwNTg3MTc1MzMyyAEJqAMBqgR2T9DlWHhmkkGdezg8nklG1-NvSK-z8vGquT-0pj717nn7LnsmytMOlMwWhnJuWzA8hERl1jEMMkUx2yRDRhNWjXf-X32_zU23vPDfZqzinQErYVy9U0gtSeMtNLJEA1QeeshFHe7o9PFDto5mT2zQZXBszopGtIAG6YLzx8WjvqDdAaAGIdgHAA&num=1&sig=AOD64_2jn3y70HPoQdElUsNsqsuFz3gt5Q&client=ca-pub-9172700587175332&adurl=https://static.criteo.net/empty.html'

dark_moon
Knows the dark side
Posts: 3413
Joined: Mon Jan 09, 2012 5:34 pm
Location: Germany

Re: Pale Moon XSS filter info thread

Postby dark_moon » Fri Feb 12, 2016 11:43 pm

Today I used the Microsoft Bing translator (http://www.bing.com/translator?FORM=HDRSC7) and for any site, even http://www.palemoon.org, I get an XSS info.
Directlink: http://www.microsofttranslator.com/bv.a ... oon.org%2F

Is this really an XSS match?
Happy Pale Moon x64, Fossa Mail x64 under Win7 x64 and Pale Moon for Android 7.1.1 (LineageOS 14.1) ARM64 User
German translator for Pale Moon 15+ and Pale Moon Commander addon

HowTo create a new Pale Moon Profile & use the Safe Mode
My GPG Key: 0x01EAFE95

Moonchild
Pale Moon guru
Posts: 18011
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Re: Pale Moon XSS filter info thread

Postby Moonchild » Sat Feb 13, 2016 1:34 am

Note: if you want to report specific XSS filter hits, the easiest (and most complete for us) way to do this is to open the browser console (Ctrl+Shift+J) and copy/paste the entry there that lists the XSS filter violation. Please paste all info listed in such a block (URL, type, unsafe content, etc.)

Moonchild
Pale Moon guru
Posts: 18011
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Re: Pale Moon XSS filter info thread

Postby Moonchild » Sat Feb 13, 2016 1:51 am

Microsoft translator loads a modified version of the site you translated that includes an injected base tag and an injected javascript section before the actual page content. This looks fine in this case but considering the URL to load the frame is directly echoed in the resulting loaded document it is a positive match for the XSS filter.

This likely falls into the same category as googleusercontent -- I've sent the Microsoft team a note that they are forgetting to set their X-Xss-Protection: header on the translator. Since they use a cluster of raw IPs, there's no way to whitelist the involved domains.
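Added illustration (not Pale Moon's XSSFilt code) of the request-versus-page comparison the opening post describes and of the echoed-URL case explained just above: a script or base element counts as reflected when its text also appears inside a decoded value of the request URL. The translator host, the document and the "Inline Script" label are constructed for the example.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit


class _ActiveContent(HTMLParser):
    """Collect every <script> (inline text or src) and <base href> in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.items: List[Tuple[str, str]] = []  # (kind, text); kinds mimic the console labels
        self._in_script = False
        self._buf = ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.items.append(("External Script", a["src"]))
            else:
                self._in_script, self._buf = True, ""
        elif tag == "base" and a.get("href"):
            self.items.append(("Base Element", a["href"]))

    def handle_data(self, data):
        if self._in_script:
            self._buf += data

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            if self._buf.strip():
                self.items.append(("Inline Script", self._buf.strip()))


def request_values(url: str) -> List[str]:
    """Decoded query parameter values plus the decoded path: the parts a server might echo."""
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return values + [unquote_plus(parts.path)]


def find_reflections(url: str, html: str) -> List[Tuple[str, str]]:
    """(kind, content) for each active element whose text is contained in the request."""
    collector = _ActiveContent()
    collector.feed(html)
    values = [v for v in request_values(url) if len(v) >= 8]  # skip tiny values such as "en"
    return [(kind, text) for kind, text in collector.items
            if any(text in v for v in values)]


# Constructed sample: a translator-style proxy echoes the requested page URL into a
# <base> tag before the actual content, which is the pattern described in the post above.
SAMPLE_URL = "http://translator.example/bv.aspx?from=en&to=de&a=http%3A%2F%2Fwww.palemoon.org%2F"
SAMPLE_HTML = (
    '<html><head><base href="http://www.palemoon.org/">'
    '<script src="http://translator.example/lib.js"></script>'
    "<script>var orig = 'http://www.palemoon.org/';</script></head>"
    "<body>Hello</body></html>"
)

if __name__ == "__main__":
    for kind, content in find_reflections(SAMPLE_URL, SAMPLE_HTML):
        print("XSS violation - Type:", kind, "- Unsafe content:", content)
```

Only the base element is flagged: its href is exactly the echoed query value, while the inline script's text is not contained in the request, so a document that merely mentions a URL is not a hit.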

jrfnl
New to the forum
Posts: 1
Joined: Wed Feb 17, 2016 12:31 am

Re: Pale Moon XSS filter info thread

Postby jrfnl » Wed Feb 17, 2016 12:37 am

Hi,

Could someone explain to me why the following code triggers the XSS / Base Element filter? I've been trying to figure it out, but so far no luck. Could this be a false positive?

Code:

<a aria-label="Follow &#34;jrfnl on GitHub" data-style="mega" href="https://github.com/jrfnl" class="github-button">Follow @jrfnl</a>

yetanother1
New to the forum
Posts: 1
Joined: Fri Feb 19, 2016 3:40 pm

Re: Pale Moon XSS filter info thread

Postby yetanother1 » Fri Feb 19, 2016 3:54 pm

I am consistently getting false positives when I attempt to make a Visa or Mastercard purchase on the UK site www.screwfix.com which is a large UK trade/DIY company. I cannot send detailed information yet as I only just discovered this forum and obviously can only test it when I attempt a purchase. The site attempts to open Flash and probably some javascript on the authentication page. I only use this site occasionally and have not yet had problems with cards on other UK sites, but it is early days.
I would like to see an option directly on the XSS warning that allows me to temporarily ignore and retry.

RobRoy1947
Newbie
Posts: 6
Joined: Tue May 20, 2014 10:39 pm
Location: Republic of Texas

Re: Pale Moon XSS filter info thread

Postby RobRoy1947 » Sat Feb 20, 2016 5:44 pm

I am consistently getting 95% false positives on the Ixquick search engine using image searches. I've been using the Ixquick search engine exclusively for 16 years without XSS or any other issues. I have disabled the XSS filter.

Rob