Pale Moon XSS filter info thread

dark_moon

Re: Pale Moon XSS filter info thread

Unread post by dark_moon » 2016-02-20, 18:57

RobRoy1947 wrote:I am consistently getting 95% false positives on the Ixquick search engine using image searches. I've been using the Ixquick search engine exclusively for 16 years without XSS or any other issues. I have disabled the XSS filter.
You had better add the site to the whitelist then, instead of disabling the whole XSS filter, for security reasons.

RobRoy1947
Newbie
Posts: 6
Joined: 2014-05-20, 22:39
Location: Republic of Texas

Re: Pale Moon XSS filter info thread

Unread post by RobRoy1947 » 2016-02-20, 20:44

dark_moon wrote:
RobRoy1947 wrote:I am consistently getting 95% false positives on the Ixquick search engine using image searches. I've been using the Ixquick search engine exclusively for 16 years without XSS or any other issues. I have disabled the XSS filter.
You had better add the site to the whitelist then, instead of disabling the whole XSS filter, for security reasons.
Thank you for replying. I switched to Pale Moon long ago as my default browser and have recommended and installed it on many of my friends', acquaintances' and colleagues' computers. I recommend Pale Moon hands down over any other browser. I also recommend that they leave the new XSS filter enabled and only disable it at their own risk.

By the time I disabled XSS I would have had to add over 130 websites to the whitelist. Since I started around 1976-78 writing code and building computers I have never had an XSS issue. I'm not meaning to imply that it will not happen. I put computer security as the top most priority in my computing habits, along with weekly full system backups, daily differential backups and frequent virus and malware scans.

Large numbers of false positives are not security, in my humble opinion.

Thank you for all your hard work and attention to detail in bringing Pale Moon to the world!

Rob
_

dark_moon

Re: Pale Moon XSS filter info thread

Unread post by dark_moon » 2016-02-20, 21:10

On normal websites you don't get XSS warnings, so it would be nice if you posted all the sites where you get these.
Then we can check whether these are really false positives or real matches.

Did you use NoScript?

RobRoy1947
Newbie
Posts: 6
Joined: 2014-05-20, 22:39
Location: Republic of Texas

Re: Pale Moon XSS filter info thread

Unread post by RobRoy1947 » 2016-02-20, 21:31

dark_moon wrote:On normal websites you don't get XSS warnings, so it would be nice if you posted all the sites where you get these.
Then we can check whether these are really false positives or real matches.

Did you use NoScript?
The only XSS warnings I have encountered are with, and only with, Ixquick's https://classic.ixquick.com/ image search feature, none yet on any other "normal websites". Do an image search, for example for George Washington, on https://classic.ixquick.com/ and start counting the hits as you open each result. My present theory is that it only happens on Ixquick's image search due to its unique way of displaying image results, which I find superior to any other image search using the mass-market search engines.

No I did not use NoScript.

Rob
_

ron_1
Moon Magic practitioner
Posts: 2860
Joined: 2012-06-28, 01:20

Re: Pale Moon XSS filter info thread

Unread post by ron_1 » 2016-02-20, 22:43

I also get many (actually, it seems like every time) XSS warnings from Ixquick image searches.

[Gort]

Re: Pale Moon XSS filter info thread

Unread post by [Gort] » 2016-02-20, 22:49

I can also confirm this with the latest PM. Each time you select an image, it'll take you to a page where you'll also be greeted with an XSS warning. First time, though, in two weeks of usage that I've noticed this on a site.

dark_moon

Re: Pale Moon XSS filter info thread

Unread post by dark_moon » 2016-02-21, 09:56

Then we need to wait for a post from Moonchild or Riccardo on whether this is a false positive or bad web design.

RobRoy1947
Newbie
Posts: 6
Joined: 2014-05-20, 22:39
Location: Republic of Texas

Re: Pale Moon XSS filter info thread

Unread post by RobRoy1947 » 2016-02-21, 14:52

dark_moon wrote:Then we need to wait for a post from Moonchild or Riccardo on whether this is a false positive or bad web design.
re: "or bad web design"

How much experience and how long have you used the Ixquick search engine (The world's most private search engine)?

Rob
_

dark_moon

Re: Pale Moon XSS filter info thread

Unread post by dark_moon » 2016-02-21, 16:37

Off-topic:
RobRoy1947 wrote:How much experience and how long have you used the Ixquick search engine (The world's most private search engine)?
Only a few months. Then I found DuckDuckGo.

LimboSlam
Board Warrior
Posts: 1029
Joined: 2014-06-09, 04:43
Location: USA

Re: Pale Moon XSS filter info thread

Unread post by LimboSlam » 2016-03-27, 07:08

Just doing my regular browsing when I got this specific XSS attack here: http://www.usatoday.com/story/tech/2016 ... /81140170/. It says, "Type: External Script," and the unsafe content is "https://w.soundcloud.com/player/api.js," though what I'm wondering is if I should add an exception, as I don't visit SoundCloud and USA Today.

Anyways, here's the report:
XSS.txt
With Pale Moon by my side, surfing the web is quite enjoyable and takes my headaches away! :)
God is not punishing you, He is preparing you. Trust His plan, not your pain.#‎TrentShelton #‎RehabTime

Moonchild
Pale Moon guru
Posts: 35644
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Pale Moon XSS filter info thread

Unread post by Moonchild » 2016-03-27, 19:36

Looks like embedly is still not "with the program" in that they have to indicate that they are embedding things.

Code:

[21:32:29.912] XSS violation at URL: http://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fw.soundcloud.com%2Fplayer%2F%3Fvisual%3Dtrue%26url%3Dhttp%253A%252F%252Fapi.soundcloud.com%252Ftracks%252F249655972%26show_artwork%3Dtrue&url=https%3A%2F%2Fsoundcloud.com%2Fjefferson-graham%2Fmeet-the-new-smaller-iphone&image=http%3A%2F%2Fa1.sndcdn.com%2Fimages%2Ffb_placeholder.png%3F1456436209&key=205dfc3e29a54717b61d110ab0ac5a3d&type=text%2Fhtml&schema=soundcloud
Type: External Script
Unsafe content: https://w.soundcloud.com/player/api.js
I'll add "embedly.com" to the security.xssfilter.srcwhitelist in the next release in addition to embed.ly already there. I already told them the cause and the reason and what they should do to prevent these errors but I guess they haven't been listening or didn't get the memo or something.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
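An added example, not Pale Moon's own code, showing why "embedly.com" had to be added alongside "embed.ly": a host-suffix whitelist check of the kind security.xssfilter.srcwhitelist is assumed to perform (the pref's real matching rules are an assumption here), run over the violation report quoted above.

```javascript
// Added example (not Pale Moon's code): a host-suffix whitelist check of the
// kind security.xssfilter.srcwhitelist is assumed to do, run over the violation
// report quoted above. The real pref's matching rules are an assumption here.

// Constructed from the log line in the post above; the query string is dropped
// because only the document's host is looked up in the whitelist.
const VIOLATION = {
  url: "http://cdn.embedly.com/widgets/media.html",
  type: "External Script",
  unsafeContent: "https://w.soundcloud.com/player/api.js",
};

// True only when host is exactly `entry` or a subdomain of it.
// A bare substring or endsWith(entry) test would also accept
// "embedly.com.example" or "notembedly.com", so the dot is required.
function hostMatches(host, entry) {
  host = host.toLowerCase();
  entry = entry.toLowerCase();
  return host === entry || host.endsWith("." + entry);
}

// Is the document that raised the violation on a whitelisted domain?
function isWhitelisted(documentUrl, whitelist) {
  const host = new URL(documentUrl).hostname;
  return whitelist.some((entry) => hostMatches(host, entry));
}

// The filter shows a warning unless the source document is whitelisted.
function wouldWarn(report, whitelist) {
  return !isWhitelisted(report.url, whitelist);
}

// Whitelist as described in the post: "embed.ly" alone, then with "embedly.com".
const BEFORE = ["embed.ly"];
const AFTER = ["embed.ly", "embedly.com"];

// "embed.ly" and "embedly.com" are different registrable domains, so the
// first list does not cover cdn.embedly.com and the warning still fires.
console.log("before:", wouldWarn(VIOLATION, BEFORE) ? "warn" : "allow");
console.log("after: ", wouldWarn(VIOLATION, AFTER) ? "warn" : "allow");
```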

Burning Sun

Re: Pale Moon XSS filter info thread

Unread post by Burning Sun » 2016-03-29, 14:09

RobRoy1947 wrote: How much experience and how long have you used the Ixquick search engine (The world's most private search engine)?

_
I started using Ixquick back when they still replied to suggestions, maybe 7 years ago. They are now merged into Startpage (which, as you know, scrapes Google search results).

But they still have https://www.ixquick.eu/ as it used to be. I'm not quite sure how that makes sense. EU laws?

Btw, here's an oddity about the XSS filter: open any page such as at this forum. Next, open another tab for an Ixquick image and get the XSS warning. Then use an extension such as Bar Tab Heavy to unload that Ixquick tab. Within a few seconds, I get the same XSS warning displayed on the forum page's tab. That includes the alert for "show content" having the same url.

megaman

Re: Pale Moon XSS filter info thread

Unread post by megaman » 2016-06-01, 11:02

Upon trying to save a document in OneDrive I get this message:

External Script
https://js.live.net/v5.0/wl.skydrivepicker.js

Open or start a new document, type in something, then Save As.

LegitimateGrapes

Re: Pale Moon XSS filter info thread

Unread post by LegitimateGrapes » 2016-08-17, 01:09

I am really tired of getting blocked while trying to read Google News. So glad I know how to disable it now.

Moonchild
Pale Moon guru
Posts: 35644
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Pale Moon XSS filter info thread

Unread post by Moonchild » 2016-08-17, 09:10

The filter works well save for a few sites that do things oddly. It's been proven fast and efficient at its job, and using the whitelists available you have full and fine-grained control over where the filter is active. It has a few known oddities (specifically in the display of XSS warnings) but the core of it works exactly as intended. No, it's not perfect -- we know this :)

It's important to know that v27 needs a re-write of this code, but that will need the original author of this code to make time to help adapt the code (it's a rather complex piece of work). That won't happen any time soon and we're simply not going to use it as-is in Tycho. So initially, v27 won't have this filter, but we'll be looking into our options.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

superA

Re: Pale Moon XSS filter info thread

Unread post by superA » 2016-08-20, 18:33

Moonchild wrote:..but we'll be looking into our options.
Which are..?

Moonchild
Pale Moon guru
Posts: 35644
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Pale Moon XSS filter info thread

Unread post by Moonchild » 2016-08-20, 23:11

superA wrote:
Moonchild wrote:..but we'll be looking into our options.
Which are..?
...obvious.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

msitekkie

Re: Pale Moon XSS filter info thread

Unread post by msitekkie » 2016-09-12, 11:30

I am also getting the XSS filter prompt when trying to make Mastercard payments on screwfix.com. I notice someone did report this back in February, but thought I would post again as it's still an issue and also to add that I was using Quidco to track cashback, in case that might be a factor.