Cross-site scripting attack concern warning
When I middle-click on the unreleased chapter for Tearmoon Empire (Manga) ch3, I get presented with this warning from my noscript extension:
NoScript XSS Warning
NoScript detected a potential Cross-Site Scripting attack
(URL) https://js.stripe.com/v3/m-outer-6262077c14f753400d607dc30e70f1af.html#url=https://j-novel.club/series/tearmoon-empire-manga#volume-1&title=Tearmoon Empire (Manga) (Manga) | J-Novel Club&referrer=https://j-novel.club/calendar?restrict=followed&muid=43ba83ff-c9e8-4442-907a-0851557ba77a0ba494&sid=547305ea-c96b-4f75-a062-66fc374342d4ac4d1c&version=6&preview=false
I'm not sure there's anything to worry about, but this shouldn't happen at least.
Actually it happens when I refresh the https://j-novel.club/series/tearmoon-empire-manga#volume-1 page. I don't own it BTW.
@Prometheus0000 this is nothing serious, it's just Stripe code that deals with fraud detection. We inherently trust Stripe's code running on our site in order to operate, so any potential XSS attacks can be disregarded.
@chocolatkey That's what I figured, but that doesn't mean that the warning should be showing up, since it doesn't normally. Presumably there's something in the site coded wrong, or it wouldn't show up.
To elaborate a bit on why NoScript is worried, I think that based on the message from your plugin, NoScript thinks, most likely due to the URL query parameters in
https://js.stripe.com/v3/m-outer-6262077c14f753400d607dc30e70f1af.html#url=https://j-novel.club/series/tearmoon-empire-manga#volume-1&title=Tearmoon Empire (Manga) (Manga) | J-Novel Club&referrer=https://j-novel.club/calendar?restrict=followed&muid=43ba83ff-c9e8-4442-907a-0851557ba77a0ba494&sid=547305ea-c96b-4f75-a062-66fc374342d4ac4d1c&version=6&preview=false, that we are injecting untrusted code of our own into Stripe's payment frame. This is not true, and if it were it would be a colossal failure on Stripe's end. NoScript's heuristics are producing a false-positive
It looks like Roll20 produces a similar warning: https://www.reddit.com/r/Roll20/comments/hj08nd/stripecom_crosssite_scripting_attack - seems like it's just NoScript not having a proper whitelist for legitimate cross site scripting use cases.
The only thing I wonder is if there is a setting in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy which could tell NoScript that the behaviour is acceptable. It might need to be at the Stripe end though which is beyond JNC's control.