You are on the cloned forums!
Cross-site scripting attack concern warning
-
When I middle-click on the unreleased chapter for Tearmoon Empire (Manga) ch3, I get presented with this warning from my noscript extension:
NoScript XSS Warning
NoScript detected a potential Cross-Site Scripting attack
from https://j-novel.club to https://js.stripe.com.
Suspicious data:
(URL) https://js.stripe.com/v3/m-outer-6262077c14f753400d607dc30e70f1af.html#url=https://j-novel.club/series/tearmoon-empire-manga#volume-1&title=Tearmoon Empire (Manga) (Manga) | J-Novel Club&referrer=https://j-novel.club/calendar?restrict=followed&muid=43ba83ff-c9e8-4442-907a-0851557ba77a0ba494&sid=547305ea-c96b-4f75-a062-66fc374342d4ac4d1c&version=6&preview=false
I'm not sure there's anything to worry about, but this shouldn't happen at least.
Actually it happens when I refresh the https://j-novel.club/series/tearmoon-empire-manga#volume-1 page. I don't own it BTW.
-
@Prometheus0000 this is nothing serious, it's just Stripe code that deals with fraud detection. We inherently trust Stripe's code running on our site in order to operate, so any potential XSS attacks can be disregarded.
-
@chocolatkey That's what I figured, but that doesn't mean that the warning should be showing up, since it doesn't normally. Presumably there's something in the site coded wrong, or it wouldn't show up.
-
@Prometheus0000 I am almost certain what you are seeing based on the logs is out of our hands, as it is due to logic in Stripe's own javascript code. I doubt that Stripe's own code has a bug this obvious, and even if it hypothetically did, it would be extremely tedious for us to alter the functions of Stripe's code. If you still believe something is amiss, we can continue this in an email to support@j-novel.club, where you can provide more screenshots and network request logs
-
To elaborate a bit on why NoScript is worried, I think that based on the message from your plugin, NoScript thinks, most likely due to the URL query parameters in
https://js.stripe.com/v3/m-outer-6262077c14f753400d607dc30e70f1af.html#url=https://j-novel.club/series/tearmoon-empire-manga#volume-1&title=Tearmoon Empire (Manga) (Manga) | J-Novel Club&referrer=https://j-novel.club/calendar?restrict=followed&muid=43ba83ff-c9e8-4442-907a-0851557ba77a0ba494&sid=547305ea-c96b-4f75-a062-66fc374342d4ac4d1c&version=6&preview=false, that we are injecting untrusted code of our own into Stripe's payment frame. This is not true, and if it were it would be a colossal failure on Stripe's end. NoScript's heuristics are producing a false-positive -
It looks like Roll20 produces a similar warning: https://www.reddit.com/r/Roll20/comments/hj08nd/stripecom_crosssite_scripting_attack - seems like it's just NoScript not having a proper whitelist for legitimate cross site scripting use cases.
The only thing I wonder is if there is a setting in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy which could tell NoScript that the behaviour is acceptable. It might need to be at the Stripe end though which is beyond JNC's control.
