Question:
Issues With XSS and Noscript on Youtube?
2013-09-17 22:01:12 UTC
Okay, so normally I just watch videos on Youtube without any popups, warnings, etc. But, today the XSS detector on my Noscript started going off with each video I watched. It should be noted that the detector doesn't tell me anything unless I scroll down twice. The alert pops up and says "NoScript filtered a potential cross-site scripting (XSS) attempt from [http://www.youtube.com]. Technical details have been logged to the Console."

I open the console log and all I get is a bunch of numbers, letters, and symbols. I can't make heads or tails of this and Google really isn't being very useful. I also can't fit all of the characters in this post, because there are far too many.

I need advice, I'm a smart guy, but this humbles me to the extent of desperation. I need advice, instructions, and I need somebody to tell me if my hardware is going to be okay.
Nine answers:
Gramis
2013-09-18 10:16:39 UTC
I am having the same problem. You are not alone.
2013-09-18 06:29:10 UTC
I'm getting this as well, exactly the way you described. Me, you, and the other answerer makes 3 people who we know have the same problem, so I'm thinking it's a site bug. Or maybe we're all infected with some weird adware that's screwing with YouTube and NoScript is blocking it. That seems very odd though, that all 3 of us just HAPPENED to get infected with the same virus at the same exact time, and I haven't done anything unusual today, so where would it have even come from? So that seems unlikely.
Albert
2013-09-18 23:22:54 UTC
Same here today. Updated Firefox from 23.0.1 to 24.0 and it possibly started then.



All the same, I'm going with DunbarPappy®ϟϟ with regards to trusting NoScript over Google. Noscript's catching something and if it's a simple bug it'll be fixed soon.
J man
2013-09-19 17:50:32 UTC
The way in which youtube has recently "optimized" their comment system is what is causing this. Youtube is safe but is falsely triggering the noscript warning. To fix it either wait for an update from noscript or go here: http://forums.informaction.com/viewtopic.php?f=7&t=17069#p59355 and look at the 3rd post from the bottom by Giorgio Maone (Guy drinking coffee). You want to look for a code similar to this:



^https://(?:plus\.googleapis|apis.google)\.com/[\w/]+/widget/render/comments\?



(Because Yahoo sucks it will not let me paste it fully)



It fixed it for me :)
2013-09-18 11:56:25 UTC
I'd trust NoScript before I'd trust anything on YouTube.

From the NS site ( http://noscript.net/faq#qa4_7 ):

" Q: Why are Flash applets originating from trusted sites (e.g. youtube.com movies) blocked if embedded on untrusted sites?

A: Flash-based XSS can be performed by embedding a Flash object from a trusted site inside an untrusted web page. NoScript prevents this kind of attack by blocking plugins embedded on untrusted pages even if they ultimately come from trusted sites. Of course, you can still activate those objects on demand without whitelisting the embedding page, by simply clicking on the placeholder NoScript icon. At any rate, if you still prefer trusted plugin content to be allowed on untrusted page, you can toggle the noscript.forbidActiveContentParentTrustCheck about:config preference to false. "

------

(Other helpful links: http://noscript.net/faq#xss

http://noscript.net/features#contentblocking )
John
2013-09-18 13:51:06 UTC
Never trust anything that Google does and since Google owns Youtube I would not put it past them to be sending in, to the NSA, what we are watching.



I am having this same issue by the way.
2013-09-19 09:59:14 UTC
Never trust anything. Just watch if you want, but don't trust it. We don't know what's going on with that potential scripting and what it is going to do.

I have the same problem and it makes me nervous.

Also, I noticed that when you mouse over the list of videos, every video you just run the mouse over sends data, and you can see the page refresh, not totally, but AJAX sends that you moved over that video and whether you didn't play it or you played it, so they know which videos are not being played by hovering over them. I don't like this either.
farton_missles
2013-09-18 05:55:08 UTC
I'm getting the same thing. Hope someone can help!
2013-09-19 10:53:33 UTC
I'm experiencing the same thing.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.