XSS warning pops up in case of timeout (#31680) · Issues · Legacy / Trac

XSS warning pops up in case of timeout

I see increasingly XSS warning popups showing up because of timeouts which is highly confusing. Clearly, timeouts are not really an indication of an XSS issue. An example for how this looks like is:

NoScript detected a potential Cross-Site Scripting attack

from https://www.zeit.de to https://dx6ctphzljkf1.cloudfront.net.

Suspicious data:

Error: Exceeded 20000ms timeout,(URL) https://dx6ctphzljkf1.cloudfront.net/iqdcdnkj/0a3b52795fef0905/index.html?clicktag=http://adclick.g.doubleclick.net/pcs/click%3Fxai%3DAKAOjsuHXc6Zwesb8f8FaSD7QQTqsyHbRHJNWVu3QNltNDaJ94NGlNH6WfODjTA6sloDprbdd1rxSjqWKdGOSolznaWuiKCcayJ4DmNlCF5OkavZ_eGS0Xkfao5UQJ-JwqhV_gAR_7tfsnUfu60yvzJ0iU4Z1D6Zkb6sjCl0_HQA22VBLWn-QSPhAgfMV614r-HBeMGma_lSkoiCPSy0kyKnCRL5tUnv1UmFqhpDBN4tMevUa2rZkJz6uo8knPiePTPGjelmuicueasP3g%26sai%3DAMfl-YR4Mk3FY_qymLNh3MZw4TEqprFJmYFBo9_kQIEByETK8t21mR91HHtY12pZU52d0EITutWjovVnNx6CvX-biT_ug2TurDhIiyL2djhlow%26sig%3DCg0ArKJSzIDezji-X-DkEAE%26urlfix%3D1%26adurl%3Dhttp://marktplatz.zeit.de/urlaubsziele/themen/lesenswertes/&

NoScript detected a potential Cross-Site Scripting attack

from https://www.zeit.de to https://s3.eu-central-1.amazonaws.com.

Suspicious data:

Error: Exceeded 20000ms timeout,(URL) https://s3.eu-central-1.amazonaws.com/iqdcdnea/10e4b7649324fb09/index.html?clicktag=https://adclick.g.doubleclick.net/pcs/click%3Fxai%3DAKAOjssAkvqdVAj8OVky5YyBIxfFhdSKOwG3PBSs1sGLVOkrTAbbR2gQhodz_fXydReP-sWxzXELTfAuQkQKvcolwGDPsya5J4nL-viX8VzJakyNC5yyVB4zTY8PRSHU_uCuiDOkZfyU6r6ldJAmjPb3o9AJI1JjbB2B6BwWdGEXimu89rpjgP9_7QWQve3pDYoPSYGZtAGvE2nIak17XVJyFo6fpatdx-JftpL6BZ3We12XcmWv8xi1WzanqCJH7xQaQImIkf2k5dsgSg%26sai%3DAMfl-YQQpqd7WwCqfy7nh3BpC3v5iOX8vRNIaR7zenwjOphvOa6S79W9pR_h16Vw99tViBvXlyo0AyCzyKJf9xzvxc43C-iGZHR6IQYihbL1eQ%26sig%3DCg0ArKJSzKFyrN2JPsBaEAE%26urlfix%3D1%26adurl%3Dhttps://jobs.zeit.de/campus/berufstest%3Fwt_zmc%3Ddis.int.zonpmr.hausbanner.boa-default.bot.wp.quan.x%26utm_medium%3Ddis%26utm_source%3Dhausbanner_zonpmr_int%26utm_campaign%3Dboa-default%26utm_content%3Dbot_wp_quan_x&iqdurl=https://www.zeit.de&iqdcid=138255462209&

That does not involve doing anything special just reading news with an 9.0a6-ish Tor Browser.

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information