RobRoy1947 wrote:
I am consistently getting 95% false positives on the Ixquick search engine using image searches. I've been using the Ixquick search engine exclusively for 16 years without XSS or any other issues. I have disabled the XSS filter.

You'd better add the site to the whitelist then, instead of disabling the whole XSS filter, for security.
Pale Moon XSS filter info thread
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.
This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.
Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
Re: Pale Moon XSS filter info thread
Re: Pale Moon XSS filter info thread
dark_moon wrote:
RobRoy1947 wrote:
I am consistently getting 95% false positives on the Ixquick search engine using image searches. I've been using the Ixquick search engine exclusively for 16 years without XSS or any other issues. I have disabled the XSS filter.
You'd better add the site to the whitelist then, instead of disabling the whole XSS filter, for security.

Thank you for replying. I switched to Pale Moon long ago as my default browser and have recommended and installed it on many of my friends', acquaintances' and colleagues' computers. I recommend Pale Moon hands down over any other browser. I also recommend that they leave the new XSS filter enabled and only disable it at their own risk.
By the time I disabled XSS I would have had to add over 130 websites to the whitelist. Since I started around 1976-78 writing code and building computers I have never had an XSS issue. I'm not meaning to imply that it will not happen. I put computer security as the topmost priority in my computing habits, along with weekly full system backups, daily differential backups and frequent virus and malware scans.
Large numbers of false positives are not security, in my humble opinion.
Thank you for all your hard work and attention to detail in bringing Pale Moon to the world!
Rob
Re: Pale Moon XSS filter info thread
On normal websites you didn't get XSS warnings, so it would be nice if you posted all the sites where you get these.
Then we can look at whether these are really false positives or real matches.
Did you use NoScript?
Re: Pale Moon XSS filter info thread
dark_moon wrote:
On normal websites you didn't get XSS warnings, so it would be nice if you posted all the sites where you get these.
Then we can look at whether these are really false positives or real matches.
Did you use NoScript?

The only XSS warnings I have encountered are with, and only with, Ixquick's https://classic.ixquick.com/ image search feature, none yet on any other "normal websites". Do an image search, for example for George Washington, on https://classic.ixquick.com/ and start counting the hits as you open each result. My present theory is that it only happens on Ixquick's image search due to its unique way of displaying image results, which I find superior to any other image search using the masses' search engines.
No, I did not use NoScript.
Rob
Re: Pale Moon XSS filter info thread
I also get many (actually, it seems like every time) XSS warnings from Ixquick image searches.
Re: Pale Moon XSS filter info thread
I can also confirm this with the latest PM. Each time you select an image, it'll take you to a page where you'll also be greeted with an XSS warning. First time, though, in two weeks of usage that I've noticed this on a site.
Re: Pale Moon XSS filter info thread
Then we need to wait for a post from Moonchild or Riccardo on whether this is a false positive or bad web design.
Re: Pale Moon XSS filter info thread
dark_moon wrote:
Then we need to wait for a post from Moonchild or Riccardo on whether this is a false positive or bad web design.

re: "or bad web design"
How much experience and how long have you used the Ixquick search engine (The world's most private search engine)?
Rob
Re: Pale Moon XSS filter info thread
RobRoy1947 wrote:
How much experience and how long have you used the Ixquick search engine (The world's most private search engine)?

Off-topic:
Only a few months. Then I found DuckDuckGo.
Re: Pale Moon XSS filter info thread
Just doing my regular browsing when I got this specific XSS attack here: http://www.usatoday.com/story/tech/2016 ... /81140170/. It says "Type: External Script," and the unsafe content is "https://w.soundcloud.com/player/api.js," though what I'm wondering is whether I should add an exception, as I don't visit SoundCloud and usatoday.
Anyways, here's the report:
With Pale Moon by my side, surfing the web is quite enjoyable and takes my headaches away!
God is not punishing you, He is preparing you. Trust His plan, not your pain. #TrentShelton #RehabTime
Re: Pale Moon XSS filter info thread
Looks like embedly is still not "with the program" in that they have to indicate that they are embedding things.
I'll add "embedly.com" to security.xssfilter.srcwhitelist in the next release, in addition to embed.ly, which is already there. I already told them the cause and the reason and what they should do to prevent these errors, but I guess they haven't been listening or didn't get the memo or something.
[21:32:29.912] XSS violation at URL: http://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fw.soundcloud.com%2Fplayer%2F%3Fvisual%3Dtrue%26url%3Dhttp%253A%252F%252Fapi.soundcloud.com%252Ftracks%252F249655972%26show_artwork%3Dtrue&url=https%3A%2F%2Fsoundcloud.com%2Fjefferson-graham%2Fmeet-the-new-smaller-iphone&image=http%3A%2F%2Fa1.sndcdn.com%2Fimages%2Ffb_placeholder.png%3F1456436209&key=205dfc3e29a54717b61d110ab0ac5a3d&type=text%2Fhtml&schema=soundcloud
Type: External Script
Unsafe content: https://w.soundcloud.com/player/api.js
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
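An added triage helper (my own example, not Pale Moon's filter code): it parses a report in the format Moonchild quoted, checks whether the flagged script's location is reflected in a parameter of the page URL (the simplified model of the filter's heuristic assumed here), and applies a security.xssfilter.srcwhitelist-style host list. The sample report is constructed from the quoted one with some parameters dropped.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample, modelled on the report quoted in this thread.
SAMPLE_REPORT = (
    "[21:32:29.912] XSS violation at URL: http://cdn.embedly.com/widgets/media.html"
    "?src=https%3A%2F%2Fw.soundcloud.com%2Fplayer%2F%3Fvisual%3Dtrue%26url%3D"
    "http%253A%252F%252Fapi.soundcloud.com%252Ftracks%252F249655972"
    "&url=https%3A%2F%2Fsoundcloud.com%2Fjefferson-graham%2Fmeet-the-new-smaller-iphone"
    "&type=text%2Fhtml&schema=soundcloud\n"
    "Type: External Script\n"
    "Unsafe content: https://w.soundcloud.com/player/api.js\n"
)
REPORT_RE = re.compile(
    r"XSS violation at URL: (\S+)\nType: ([^\n]+)\nUnsafe content: (\S+)")

def parse_report(text):
    """Pull page URL, violation type and flagged resource out of a report."""
    m = REPORT_RE.search(text)
    if not m:
        raise ValueError("not a Pale Moon XSS filter report")
    return {"url": m.group(1), "type": m.group(2).strip(), "unsafe": m.group(3)}

def decoded_params(url, depth=3):
    """Yield each query value and its further percent-decodings, so a URL
    nested inside another URL's parameter (embed widgets) is inspected too."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for _ in range(depth):
            yield value
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded

def host_in_list(host, domains):
    """Exact or subdomain match against whitelist entries like 'embedly.com'."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(report_text, src_whitelist):
    """Assumed model (not Pale Moon's code): an external script is suspect when
    its host and directory are reflected in a request parameter; srcwhitelist
    names embedding hosts that are allowed to do exactly that."""
    r = parse_report(report_text)
    page_host = urlsplit(r["url"]).hostname or ""
    unsafe = urlsplit(r["unsafe"])
    needle = (unsafe.hostname or "") + unsafe.path.rsplit("/", 1)[0]
    reflected = any(needle in v for v in decoded_params(r["url"]))
    whitelisted = host_in_list(page_host, src_whitelist)
    return {"page_host": page_host, "type": r["type"], "reflected": reflected,
            "whitelisted": whitelisted,
            "verdict": "allow" if whitelisted or not reflected else "warn"}
```

With only embed.ly listed the sample report is a "warn"; adding embedly.com, as Moonchild describes, turns it into "allow".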
Re: Pale Moon XSS filter info thread
RobRoy1947 wrote:
How much experience and how long have you used the Ixquick search engine (The world's most private search engine)?

I started using Ixquick back when they still replied to suggestions, maybe 7 years ago. They are now merged into Startpage (which, as you know, scrapes Google search results).
But they still have https://www.ixquick.eu/ as it used to be. I'm not quite sure how that makes sense. EU laws?
Btw, here's an oddity about the XSS filter: open any page such as at this forum. Next, open another tab for an Ixquick image and get the XSS warning. Then use an extension such as Bar Tab Heavy to unload that Ixquick tab. Within a few seconds, I get the same XSS warning displayed on the forum page's tab. That includes the alert for "show content" having the same url.
Re: Pale Moon XSS filter info thread
Upon trying to save a document in OneDrive I get this message:
External Script
https://js.live.net/v5.0/wl.skydrivepicker.js
Open or start a new document, type in something, then Save As.
Re: Pale Moon XSS filter info thread
I am really tired of getting blocked while trying to read Google News. So glad I know how to disable it now.
Re: Pale Moon XSS filter info thread
The filter works well save for a few sites that do things oddly. It's been proven fast and efficient at its job, and using the whitelists available you have full and fine-grained control over where the filter is active. It has a few known oddities (specifically in the display of XSS warnings), but the core of it works exactly as intended. No, it's not perfect; we know this.
It's important to know that v27 needs a rewrite of this code, but that will need the original author of this code to make time to help adapt it (it's a rather complex piece of work). That won't happen any time soon, and we're simply not going to use it as-is in Tycho. So initially v27 won't have this filter, but we'll be looking into our options.
Re: Pale Moon XSS filter info thread
Moonchild wrote:
..but we'll be looking into our options.

Which are..?
Re: Pale Moon XSS filter info thread
superA wrote:
Moonchild wrote:
..but we'll be looking into our options.
Which are..?

...obvious.
Re: Pale Moon XSS filter info thread
I am also getting the XSS filter prompt when trying to make Mastercard payments on screwfix.com. I notice someone did report this back in February, but thought I would post again as it's still an issue and also to add that I was using Quidco to track cashback, in case that might be a factor.