What regular expression should I use to allow Runnable Snippet tags through NoScript Anti-XSS Protection?

2

1

I am running NoScript in Firefox and every time I try to use a Runnable Snippet, NoScript asks me whether I want to allow the potential cross site script to execute. I can provide a regular expression to bypass the notification, but I want to make sure that it is as targeted as possible so that actual XSS attacks don't get through (not that Stack Exchange would ever have one of those).

I tried:

^https?://stackexchange\.com/questions/.*$

But I still get the exception. Should I be targeting http://stacksnippets.net instead?

I also tried:

^https?://stacksnippets\.net.*$

Which works, but is that the most targeted RegEx I can make?

zero298

Posted 2015-02-18T20:26:01.477

Reputation: 137

Answers

2

Might be a bit paranoid, but I would add the requirement that after the .net no letter or dot is allowed for the first character. If there is a top-level domain .netmal or .net.au (like there is .com.au), someone could go out and register stacksnippets.netmal/stacksnippets.net.au and run their malware there.

So something like:

^https?://stacksnippets\.net([/?].*)?$

This would require a / or ? right after the base url, ensuring that the domain really is stacksnippets.net and nothing else.

funkwurm

Posted 2015-02-18T20:26:01.477

Reputation: 146

Yeah, I like that a lot better than what I originally had. Didn't even think to consider newer top-level domains. – zero298 – 2015-02-20T15:47:12.873

Asked: 2015-02-18T20:26:01.477

Viewed: 233 times

Active: 2015-02-19T13:24:15.973