Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

How do I unblock sites that are falsely listed as a suspected XSS attack?

  • 9 cavab
  • 1 has this problem
  • 1 view
  • Last reply by Marc7

more options

I have recently had an issue in which I went over to Amazon, only to have firefox claim that there was an attempt at a cross site scripting ("XSS") attack. I normally just set these to be blocked, as I usually find it better to err on the side of caution when I see that popup. However, this appears to be a false positive, as now I cannot use Amazon's 'look inside' feature when I use the site. As this supposed XSS warning was the only thing that recently cropped up, I have to assume that this is why this piece of Amazon's website isn't functioning properly. How do I check on what I have blocked and how do I unblock anything that has since been discovered to be a false positive?

I have recently had an issue in which I went over to Amazon, only to have firefox claim that there was an attempt at a cross site scripting ("XSS") attack. I normally just set these to be blocked, as I usually find it better to err on the side of caution when I see that popup. However, this appears to be a false positive, as now I cannot use Amazon's 'look inside' feature when I use the site. As this supposed XSS warning was the only thing that recently cropped up, I have to assume that this is why this piece of Amazon's website isn't functioning properly. How do I check on what I have blocked and how do I unblock anything that has since been discovered to be a false positive?

All Replies (9)

more options

Is this a warning from the NoScript extension? I can't think of any other feature that gives an XSS warning.

more options

I believe so, yes. Is that relevant?

more options

Very relevant! Click the NoScript S button on the toolbar, then toward the left side of the panel, the icon with the wrench to open settings. Then click the Advanced panel. XSS blocks are listed there. I didn't experiment with deleting anything, but hopefully it's simple.

more options

Uhm....I'm not seeing a wrench. Unless you mean the thing marked options?

more options

Ok, so I clicked on options, and....I don't see anything I can delete. I'm seeing basically a selection of tabs, none of which looks like it has any reference to the false positive on the XSS warning. I'm including a screenshot of what I see when I open it.

Modified by Marc7

more options

Hmm, mine has a list (screenshot attached). Not sure why they are different. Maybe check on their site?

https://forums.informaction.com/viewforum.php?f=3

more options

jscher2000 said

Hmm, mine has a list (screenshot attached). Not sure why they are different. Maybe check on their site? https://forums.informaction.com/viewforum.php?f=3

That was the first thing I did, with no luck finding anything. I also noticed that, much like this page, Noscript lists it as a 'privileged' page whose permissions can't be configured. Which I imagine might be why I'm not seeing what you are. How did you even get that list to come up? Mine has the XSS thing listed as having a checkmark on the sanitize option, while that other box is unchecked.

more options

I turned off XSS protection because I found it annoying. I'm not sure why mine shows a list and yours doesn't. Is it possible you chose to allow/block but did not choose to always allow/block? In that case, it wouldn't be saved and you would get asked every time.

more options

....Huh. You know, that could be it. I just told it to block, not to always allow/block, I think. If your theory is right, that explains at least some of it. That means that adblock might be having some issues over there that required different stuff be set to temporarily allow instead of what I'm used to doing to get everything running as usual. That at least seems to be a working theory anyway. I'll poke around a bit more, see if I can find anything and get back to you on this in a day or two. But I think you could be right.