I recently tried to log in to my Yahoo mail account with Firefox ESR, where NoScript showed me this warning when the captcha was displayed during login:
NoScript filtered a potential cross-site scripting (XSS) attempt from [https.login.yahoo.net]. Technical details have been logged to the console.
NoScript also opened a window about "clickjacking / UI redressing" on the captcha. IIRC, without unlocking, the 'Verify' button is not clickable and fully visible. I also get a window about this for other Google captchas, such as those on Stack Exchange sites.
I did not get the XSS warning on previous logins, apart from one or two exceptions.
The URL basically looked like this: https://login.yahoo.com/account/challenge/recaptcha?.src=fp&authMechanism=primary&display=login&yid=name&dname=name&done=https%3A%2F%2Fmail.yahoo.com%2F&crumb=id&acrumb=id2&s=QQ--&c=verylongid&e=true&pcn=password
Here is the copy-pasted content of the console (pastebin.com/e9BgXheC):
Hey developer! Want to see more verbose logging? util.js:14:1
Type this into the console: DEFAULT_LOG_LEVEL=VERB util.js:15:1
Accepted levels are VERB, DBUG, INFO, NOTE and WARN, default is NOTE util.js:16:1
NoScript WebExt Ready noscript.js:43:1
NoScript preferences backed on the WebExtension side legacy.js:17:9
“nsICookieManager.remove()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager main.js:613:6
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
about:blank : Unable to run script because scripts are blocked internally. (unknown)
about:blank : Unable to run script because scripts are blocked internally. (unknown)
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:126:12
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
“nsICookieManager.remove()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager main.js:613:6
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:126:12
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
about:blank : Unable to run script because scripts are blocked internally. (unknown)
about:blank : Unable to run script because scripts are blocked internally. (unknown)
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:126:12
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
“nsICookieManager.remove()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager main.js:613:6
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
downloadable font: download failed (font-family: "Open Sans" style:normal weight:normal stretch:normal src index:0): content blocked source: https://developer.cdn.mozilla.net/static/fonts/OpenSans-Regular-webfont.3f642fa3ea74.woff2 mdn.340edd757ddc.css:4:22660
downloadable font: download failed (font-family: "Open Sans" style:normal weight:normal stretch:normal src index:1): content blocked source: https://developer.cdn.mozilla.net/static/fonts/OpenSans-Regular-webfont.ac327c4db628.woff mdn.340edd757ddc.css:4:22660
downloadable font: download failed (font-family: "FontAwesome" style:normal weight:normal stretch:normal src index:1): content blocked source: https://developer.cdn.mozilla.net/static/styles/libs/font-awesome/fonts/fontawesome-webfont.fdf491ce5ff5.woff?v=4.1.0 mdn.340edd757ddc.css:4:279
downloadable font: download failed (font-family: "FontAwesome" style:normal weight:normal stretch:normal src index:2): content blocked source: https://developer.cdn.mozilla.net/static/styles/libs/font-awesome/fonts/fontawesome-webfont.4f0022f25672.ttf?v=4.1.0 mdn.340edd757ddc.css:4:279
downloadable font: download failed (font-family: "Open Sans" style:normal weight:bold stretch:normal src index:0): content blocked source: https://developer.cdn.mozilla.net/static/fonts/OpenSans-Semibold-webfont.b25e8a5a61a4.woff2 mdn.340edd757ddc.css:4:22889
downloadable font: download failed (font-family: "Open Sans" style:normal weight:bold stretch:normal src index:1): content blocked source: https://developer.cdn.mozilla.net/static/fonts/OpenSans-Semibold-webfont.56bfcae65300.woff mdn.340edd757ddc.css:4:22889
downloadable font: download failed (font-family: "zillaslab" style:normal weight:bold stretch:normal src index:0): content blocked source: https://developer.cdn.mozilla.net/static/fonts/locales/ZillaSlab-Bold.8d7f01331d2b.woff2 locale-en-US.7e45c23d7d30.css:1:240
downloadable font: download failed (font-family: "zillaslab" style:normal weight:bold stretch:normal src index:1): content blocked source: https://developer.cdn.mozilla.net/static/fonts/locales/ZillaSlab-Bold.be1d6507cb98.woff locale-en-US.7e45c23d7d30.css:1:240
downloadable font: download failed (font-family: "Open Sans" style:italic weight:normal stretch:normal src index:0): content blocked source: https://developer.cdn.mozilla.net/static/fonts/OpenSans-Italic-webfont.47c24d65c5a6.woff2 mdn.340edd757ddc.css:4:23120
downloadable font: download failed (font-family: "Open Sans" style:italic weight:normal stretch:normal src index:1): content blocked source: https://developer.cdn.mozilla.net/static/fonts/OpenSans-Italic-webfont.525074686dfb.woff mdn.340edd757ddc.css:4:23120
downloadable font: download failed (font-family: "zillaslab" style:normal weight:normal stretch:normal src index:0): content blocked source: https://developer.cdn.mozilla.net/static/fonts/locales/ZillaSlab-Regular.f9de6143fdfa.woff2 locale-en-US.7e45c23d7d30.css:1:11
downloadable font: download failed (font-family: "zillaslab" style:normal weight:normal stretch:normal src index:1): content blocked source: https://developer.cdn.mozilla.net/static/fonts/locales/ZillaSlab-Regular.f7120c75de27.woff locale-en-US.7e45c23d7d30.css:1:11
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
downloadable font: download failed (font-family: "Raleway" style:normal weight:normal stretch:normal src index:2): content blocked source: https://fonts.gstatic.com/s/raleway/v11/IczWvq5y_Cwwv_rBjOtT0w.woff css:1:12
downloadable font: download failed (font-family: "Raleway" style:normal weight:800 stretch:normal src index:2): content blocked source: https://fonts.gstatic.com/s/raleway/v11/1ImRNPx4870-D9a1EBUdPBsxEYwM7FgeyaSgU71cLG0.woff css:13:12
downloadable font: download failed (font-family: "FontAwesome" style:normal weight:normal stretch:normal src index:1): content blocked source: https://www.whatismyip.net/assets/font-awesome/fonts/fontawesome-webfont.woff2?v=4.7.0 font-awesome.min.css:4:14
downloadable font: download failed (font-family: "FontAwesome" style:normal weight:normal stretch:normal src index:2): content blocked source: https://www.whatismyip.net/assets/font-awesome/fonts/fontawesome-webfont.woff?v=4.7.0 font-awesome.min.css:4:14
downloadable font: download failed (font-family: "FontAwesome" style:normal weight:normal stretch:normal src index:3): content blocked source: https://www.whatismyip.net/assets/font-awesome/fonts/fontawesome-webfont.ttf?v=4.7.0 font-awesome.min.css:4:14
downloadable font: download failed (font-family: "Raleway" style:normal weight:600 stretch:normal src index:2): content blocked source: https://fonts.gstatic.com/s/raleway/v11/xkvoNo9fC8O2RDydKj12bxsxEYwM7FgeyaSgU71cLG0.woff css:7:12
downloadable font: download failed (font-family: "Glyphicons Halflings" style:normal weight:normal stretch:normal src index:1): content blocked source: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/fonts/glyphicons-halflings-regular.woff2 bootstrap.min.css:5:3022
downloadable font: download failed (font-family: "Glyphicons Halflings" style:normal weight:normal stretch:normal src index:2): content blocked source: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/fonts/glyphicons-halflings-regular.woff bootstrap.min.css:5:3022
downloadable font: download failed (font-family: "Glyphicons Halflings" style:normal weight:normal stretch:normal src index:3): content blocked source: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/fonts/glyphicons-halflings-regular.ttf bootstrap.min.css:5:3022
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
about:blank : Unable to run script because scripts are blocked internally. (unknown)
about:blank : Unable to run script because scripts are blocked internally. (unknown)
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:126:12
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
“nsICookieManager.remove()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager main.js:613:6
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:126:12
“nsICookieManager.remove()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager main.js:613:6
[NoScript ClearClick] Swallowed event mousedown on https://login.yahoo.com/account/challenge/recaptcha?.src=fp&authMechanism=primary&display=login&yid=name&dname=name&done=https%3A%2F%2Fmail.yahoo.com%2F&crumb=id1&acrumb=id2&s=QQ--&c=verylongid&e=true&pcn=password (rapid fire from https://www.google.com in 400ms)
[NoScript ClearClick] Swallowed event mouseup on https://login.yahoo.com/account/challenge/recaptcha?.src=fp&authMechanism=primary&display=login&yid=name&dname=name&done=https%3A%2F%2Fmail.yahoo.com%2F&crumb=id1&acrumb=id2&s=QQ--&c=verylongid&e=true&pcn=password (rapid fire from https://www.google.com in 400ms)
[NoScript ClearClick] Swallowed event click on https://login.yahoo.com/account/challenge/recaptcha?.src=fp&authMechanism=primary&display=login&yid=name&dname=name&done=https%3A%2F%2Fmail.yahoo.com%2F&crumb=id1&acrumb=id2&s=QQ--&c=verylongid&e=true&pcn=password (rapid fire from https://www.google.com in 400ms)
Warning: ‘nsIOService::NewChannel()’ deprecated, please use ‘nsIOService::NewChannel2()’ DMS.js:1397:14
No chrome package registered for chrome://dta-modules/content/support/filtermanager.js
Warning: ‘nsIOService::NewChannel()’ deprecated, please use ‘nsIOService::NewChannel2()’ DMS.js:1401:14
Warning: ‘nsIOService::NewChannel()’ deprecated, please use ‘nsIOService::NewChannel2()’ DMS.js:1397:14
No chrome package registered for chrome://dta-modules/content/support/filtermanager.js
Warning: ‘nsIOService::NewChannel()’ deprecated, please use ‘nsIOService::NewChannel2()’ DMS.js:1401:14
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
about:blank : Unable to run script because scripts are blocked internally. (unknown)
about:blank : Unable to run script because scripts are blocked internally. (unknown)
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:126:12
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:82:12
XML Parsing Error: no root element found
Location: https://e.reddit.com/v1?key=RedditFrontend1&mac=amacid
Line Number 1, Column 1: v1:1:1
“nsICookieManager.remove()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager main.js:613:6
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:126:12
“nsICookieManager.remove()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager main.js:613:6
[NoScript ClearClick] Swallowed event mousedown on https://login.yahoo.com/account/challenge/recaptcha?.src=fp&authMechanism=primary&display=login&yid=name&dname=name&done=https%3A%2F%2Fmail.yahoo.com%2F&crumb=id1&acrumb=id2&s=QQ--&c=verylongid&e=true&pcn=password (rapid fire from https://www.google.com in 400ms)
[NoScript ClearClick] Swallowed event mouseup on https://login.yahoo.com/account/challenge/recaptcha?.src=fp&authMechanism=primary&display=login&yid=name&dname=name&done=https%3A%2F%2Fmail.yahoo.com%2F&crumb=id1&acrumb=id2&s=QQ--&c=verylongid&e=true&pcn=password (rapid fire from https://www.google.com in 400ms)
[NoScript ClearClick] Swallowed event click on https://login.yahoo.com/account/challenge/recaptcha?.src=fp&authMechanism=primary&display=login&yid=name&dname=name&done=https%3A%2F%2Fmail.yahoo.com%2F&crumb=id1&acrumb=id2&s=QQ--&c=verylongid&e=true&pcn=password (rapid fire from https://www.google.com in 400ms)
[ABE WAN] Trying to detect WAN IP...
[ABE WAN] Detected WAN IP ip
NoScript preferences backed on the WebExtension side legacy.js:17:9
NoScript preferences backed on the WebExtension side legacy.js:17:9
NoScript preferences backed on the WebExtension side legacy.js:17:9
Sync encountered an error - see about:sync-log for the log file. policies.js:729
NoScript preferences backed on the WebExtension side legacy.js:17:9
NoScript preferences backed on the WebExtension side legacy.js:17:9
NoScript preferences backed on the WebExtension side legacy.js:17:9
[ABE WAN] Trying to detect WAN IP...
[ABE WAN] WAN IP not detected!
NoScript preferences backed on the WebExtension side legacy.js:17:9
NoScript preferences backed on the WebExtension side legacy.js:17:9
NoScript preferences backed on the WebExtension side legacy.js:17:9
NoScript preferences backed on the WebExtension side legacy.js:17:9
[ABE WAN] Trying to detect WAN IP...
[ABE WAN] WAN IP not detected!
NoScript preferences backed on the WebExtension side legacy.js:17:9
number addons.repository WARN Search failed when repopulating cache
update.locale file doesn't exist in either the application or GRE directories UpdateUtils.jsm:148
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.update-checker WARN HTTP Request failed for an unknown reason
number addons.productaddons WARN Failed downloading XML, status: 0, reason: error
number addons.productaddons WARN Failed downloading XML, status: 0, reason: error
NoScript preferences backed on the WebExtension side legacy.js:17:9
“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2 cookietracker.js:126:12
“nsICookieManager.remove()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager main.js:613:6
[NoScript ClearClick] Swallowed event mousedown on https://login.yahoo.com/account/challenge/recaptcha?.src=fp&authMechanism=primary&display=login&yid=name&dname=name&done=https%3A%2F%2Fmail.yahoo.com%2F&crumb=id1&acrumb=id2&s=QQ--&c=verylongid&e=true&pcn=password (rapid fire from https://www.google.com in 400ms)
[NoScript ClearClick] Swallowed event mouseup on https://login.yahoo.com/account/challenge/recaptcha?.src=fp&authMechanism=primary&display=login&yid=name&dname=name&done=https%3A%2F%2Fmail.yahoo.com%2F&crumb=id1&acrumb=id2&s=QQ--&c=verylongid&e=true&pcn=password (rapid fire from https://www.google.com in 400ms)
[NoScript ClearClick] Swallowed event click on https://login.yahoo.com/account/challenge/recaptcha?.src=fp&authMechanism=primary&display=login&yid=name&dname=name&done=https%3A%2F%2Fmail.yahoo.com%2F&crumb=id1&acrumb=id2&s=QQ--&c=verylongid&e=true&pcn=password (rapid fire from https://www.google.com in 400ms)
I find it interesting that it seems to query reddit.
I am using the HTTPS Everywhere add-on (of course) and also had Reddit Enhancement Suite installed. But I got the same error with that add-on disabled.
I also wonder what the "[ABE WAN] Trying to detect WAN IP..." lines mean.
And here is a related paste: link
My question is: was this a real XSS attempt or a false positive? Either way: why did I get this error, and are more people getting it?
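Added example, not part of the original post: a small triage script for a console dump like the one above, which tallies the bracket-tagged lines, collapses the repeated `[NoScript ClearClick]` lines into one record per target page and source origin, and keeps only query parameter names so the summary can be shared without the `crumb`-style values. The function name `triageConsole` and the sample lines are constructed for illustration; the line shapes are taken from the log in the post.

```javascript
// Constructed sample in the shape of the console output above (identifiers are placeholders).
const TARGET = 'https://login.yahoo.com/account/challenge/recaptcha' +
  '?.src=fp&done=https%3A%2F%2Fmail.yahoo.com%2F&crumb=id1&acrumb=id2';
const SAMPLE = [
  'NoScript WebExt Ready noscript.js:43:1',
  ...['mousedown', 'mouseup', 'click'].map((ev) =>
    `[NoScript ClearClick] Swallowed event ${ev} on ${TARGET} ` +
    '(rapid fire from https://www.google.com in 400ms)'),
  '[ABE WAN] Trying to detect WAN IP...',
  '[ABE WAN] WAN IP not detected!',
  'about:blank : Unable to run script because scripts are blocked internally. (unknown)',
].join('\n');

// "[Tag] message" lines, and the ClearClick message shape seen in the log.
const TAGGED = /^\[([^\]]+)\]\s+(.*)$/;
const CLEARCLICK = /^Swallowed event (\S+) on (\S+) \(rapid fire from (\S+) in (\d+)ms\)$/;

// Hypothetical helper: summarise a pasted console dump.
function triageConsole(text) {
  const report = { tags: {}, untagged: 0, unparsed: [], clearClick: [] };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    const tagged = TAGGED.exec(line);
    if (!tagged) { report.untagged += 1; continue; }   // deprecation/font noise etc.
    const [, tag, message] = tagged;
    report.tags[tag] = (report.tags[tag] || 0) + 1;
    if (tag !== 'NoScript ClearClick') continue;

    const m = CLEARCLICK.exec(message);
    if (!m) { report.unparsed.push(line); continue; }
    let target, source;
    try {
      target = new URL(m[2]);
      source = new URL(m[3]).origin;
    } catch (err) {
      report.unparsed.push(line);                      // malformed URL in the line
      continue;
    }
    // One record per (target page, source origin); the query string is dropped.
    const page = target.origin + target.pathname;
    let group = report.clearClick.find((g) => g.page === page && g.source === source);
    if (!group) {
      group = {
        page,
        source,
        crossOrigin: target.origin !== source,
        paramNames: [...new Set(target.searchParams.keys())], // names only, no values
        windowMs: Number(m[4]),
        events: [],
      };
      report.clearClick.push(group);
    }
    group.events.push(m[1]);
  }
  return report;
}

console.log(JSON.stringify(triageConsole(SAMPLE), null, 2));
```
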