Youtube trying xss attacks?

7 risposte [Ultimo contenuto]
GNUser
Offline
Iscritto: 07/17/2013

Hello.
I have noticed that for the last few days NoScript has been giving me a warning saying "NoScript filtered a potential cross-site scripting (XSS) attempt from [https://www.youtube.com]. Technical details have been logged to the console."

Is anyone noticing the same? It has happened to me in both Tor Browser and regular firefox browser. Could youtube be trying something? Or maybe it's just an error on NoSript?

trisq

I am a member!

Offline
Iscritto: 09/03/2013

I've gotten that too. I have no idea what it means though.

islander
Offline
Iscritto: 05/27/2013

Could be a Google glitch - this article explains: 'Cross Site Scripting (XSS) Attacks: Methodology and Prevention'
https://www.golemtechnologies.com/articles/prevent-xss

Darksoul71
Offline
Iscritto: 01/04/2012

Sounds like a false positive to me ! Firefox under Xubuntu also reports this.

The corresponding elements have this URL:
https://apis.google.com/_/scs/apps-static/_.....

lembas
Offline
Iscritto: 05/13/2010

Giorgio (NoScript developer) is aware of this

http://forums.informaction.com/viewtopic.php?f=7&t=17069

fbit

I am a member!

Offline
Iscritto: 07/07/2013

On the same subject, I have been unable to stream youtube videos since installing firegloves (an extension that makes your browser appear less unique to prevent fingerprinting based tracking). When trying to play a video, all I get is a "static looking" screen with the NaN in the center. This happens both with html5 and with gnash. As soon as I disable firegloves, the videos play again. Any thoughts?

G4JC
Offline
Iscritto: 03/11/2012

I've also had that happen; I presume YouTube requires some information dumped before playing videos and if it doesn't get it they freak out. You may want to try "Blender" firefox addon; it's not quite as good as firegloves but keeps some of the information hidden and YouTube still works with gnash. They also require cookies after about two videos so you'll need to enable them for session and delete them when done.

Alternatively just use youtube-dl/minitube.

fbit

I am a member!

Offline
Iscritto: 07/07/2013

Thanks for the advise. I use youtube-dl, especially for videos that I plan on playing again.

The big problem trying to evade tracking is that the business models of these companies depend on it. You don't realize its pervasiveness until you try to avoid it. I will take a look at blender. Firegloves is very good...I don't know if anyone has picked off where the initial developers left off. It would be nice to have an option to whitelist certain websites, for example.

I would rather not enable any cookie from google :)