(Archived) Bug? NoScript XSS warning

Go to http://news.google.co.uk

In the text box enter 'evernote news'

Highlight the text you just entered

Click the Web Clipper icon in the browser toolbar

"NoScript filtered a potential cross-site scripting (XSS) attempt from [http]."

All domains involved are whitelisted.

I tested this on several URLs.

As for why I would highlight text I had just entered - comments and feedback forms usually.

Firefox 3.0.2

Evernote Version 1.1.5 (36338)

NoScript has known compatibility problems with Evernote. In particular, our little Javascript clipper looks like a "bad guy" to NoScript because we're taking content from your web page and then submitting it to another site. While this could theoretically be a bad thing, in your case it's doing exactly what you want to do.

We'd recommend seeing whether you can configure any exceptions for Javascript from our web site, etc.


You can try this to fix the NoScript bug:

1. Disable *Automatic Secure Cookie Management*, clear your cookies (at least those for the site you're trying to enter) from Firefox's *Options|Privacy|Cookies* and retry logging in. It should just work.

2. If you've got a few minutes to investigate,

- check your *Tools|Error Console* output for lines starting with "*[NoScript HTTPS] AUTOMATIC SECURE on https://www.evernote.com*";

- open *NoScript Options|Advanced|HTTPS|Cookies* and add "*.evernote.com" (without the quotes) to the *Ignore unsafe cookies...* list;

- close *NoScript Options* with "OK", clear your cookies (at least those for evernote.com) from Firefox's *Options|Privacy|Cookies* and try to log in.

If, for instance, you can't log in on http://www.ebay.com, the problem can be fixed by adding "*.ebay.com" (without the quotes) to *NoScript Options|Advanced|HTTPS|Cookies|Ignore unsafe cookies...* and possibly resetting your cookies. If the problem happens on http://twitter.com (notice there's no "www." there), you'll need to put *both* "twitter.com" and "*.twitter.com" to match both the top domain and the subdomains.

The thing is that if I want to use Evernote to catch this text then I need to add exceptions which moves away from the ease of use. I do recognise that this is a complex issue though and not easily solved.


We've spent a few hours trying to detect NoScript so that we can give a more helpful warning to the user, but it appears that NoScript avoids any detection by the Javascript on a page.

This topic is now archived and is closed to further replies.